CodeDigging

Description
Follow the White Rabbit
Fucking Security Bullshit
7 months, 4 weeks ago

⚡️ 0-Day Insights, part 2 - research grade (hypervisor emulated devices & emulated USB exploitation):

High-level workflow of security patch analysis with reverse-engineering proprietary hypervisor code to reproduce the exploit - device emulation: https://zerodayengineering.com/research/vmware-esxi-vmxnet3-from-patch-to-poc.html

This specific workflow is actually included as a series of practical exercises in our Hypervisor Vulnerability Research training, from reverse engineering the security patch to prototyping the proof-of-concept, plus all the background theory: https://zerodayengineering.com/training/hypervisor-vulnerability-research.html

The same bug pattern was behind one of the USB emulated device exploits in the past: xHCI (Pwn2Own 2017), which is a common example of a use-after-free bug in *HCI controllers.

7 months, 4 weeks ago

⚡️ 0-Day Insights: VMware Critical Security Advisory for ESXi, Workstation, Fusion hypervisors

  1. VMware just released security patches for four critical vulnerabilities that affect their entire core hypervisor stack: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255.

  2. The bugs were publicly exploited at the Tianfu Cup 2023 hacking contest, which is currently the Chinese (and really the only, globally) competitor to the Pwn2Own competitions.

  3. Three out of four bugs were found in the code of emulated USB controllers: XHCI & UHCI. The nature of the fourth bug (CVE-2024-22254) is unclear, and it affects ESXi hypervisor only.

  4. Regarding severity rating: they are just ordinary code execution bugs which allow (when chained together) a full VM escape. There is nothing special about these bugs. The only reason why Critical severity was assigned here is the publicly demonstrated exploit. In fact, dozens of bugs identical to these (though not necessarily in USB emulation) are being found and patched in hypervisors on a regular basis, with a humbler severity rating.

  5. Vulnerabilities in USB emulated devices are actually quite common, although hard to fuzz. Many Pwn competitions in the past showed hypervisor exploits based on bugs in USB emulated devices.

  6. All the different USB hardware technologies - OHCI, UHCI, EHCI, xHCI - are based on the same core system, while differing greatly in complexity. xHCI in particular is extremely complex. As hypervisors emulate hardware USB technologies, they implement the entire hardware specification abstraction in code. This is the reason why considerable numbers of security bugs were historically found in USB emulators.

  7. In terms of hypervisor hardening, USB emulation code is one of the first candidates for elimination as an attack surface reduction measure.

  8. The most common classes of bugs in USB emulated devices are buffer overflows and use-after-free issues. Concrete examples: unchecked fields in USB data descriptors, dangling pointers due to poorly managed DMA mapping/unmapping operations, and a general lack of sanitization of guest-provided kernel device driver data.

  9. Exploitation of emulated devices in hypervisors typically requires elevated privileges on the virtual machine, and the exploit would go through the guest OS kernel.

  10. The distribution of affected products here hints at the fraction of core hypervisor code which is shared in the vendor's code base.

Reference: VMware advisory, product versions and patching instructions: https://vmware.com/security/advisories/VMSA-2024-0006.html

VMware VMSA-2024-0006.1

VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255)
8 months ago

Boston Cybernetics Institute posted the live stream of day 2: an intro to embedded VR/RE.

I am not sure the link will be preserved. Though nothing super special is happening there, it is worth catching what and how the lecturer gives to students.
They also updated the intro to rootkits for students.

https://www.youtube.com/live/w-pINNX2bLQ?si=HCeR9pFkN24XXHFQ

YouTube

BCI’s Embedded RE/VR Course
8 months ago

https://youtu.be/V8So3Dkn4m0?si=8O4TFWv7W2ldxiGj

YouTube

[CPP'24] Under-approximation for Scalable Bug Detection

Azalea Raad, Under-Approximation for Scalable Bug Detection (Keynote) (Video, CPP 2024). Azalea Raad (Imperial College London, UK). Abstract: Incorrectness Logic (IL) has recently been advanced as a…

8 months ago

https://youtu.be/KrgAH9pwA4c?si=akBbwAdPwiCl-y53

YouTube

[PriSC'24] When Obfuscations Preserve Cryptographic Constant-Time

Matteo Busi, Pierpaolo Degano, Letterio Galletta. Obfuscating compilers are designed to protect a program by obscuring its meaning and impeding the reconstruction of its original source code.…

8 months ago

https://youtu.be/nt4rJke1tF8?si=O8dHVbu3NPS2VQFa

YouTube

[PriSC'24] Lifting Compiler Security Properties to Stronger Attackers: the Speculation Case

Xaver Fabian, Marco Guarnieri, Michael Backes. Speculative execution avoids pipeline stalls by predicting intermediate results and by speculatively executing instructions…

8 months ago

https://youtu.be/oDFA18IXE8g?si=IsC-G_aRrhQC0U7c

YouTube

[PriSC'24] Secure Calling Conventions for CHERI Capability Machines in Practice (Work in Progress)

Elias Storme, Sander Huyghebaert, Steven Keuchel, Thomas Van Strydonck, Dominique Devriese. Recent work has demonstrated that CHERI-based capability machines…
