#HITB2023HKT

Asynchronous clock is used extensively in hypervisors, which is designed to avoid the blocking of the calling thread, thereby improving the responsiveness of the software. There are many devices using asynchronous clock to process their task in QEMU, such as Network,USB,Disk and Crypto device. However, we find that a attacker can leverage asynchronous clock to do some race condition attack, which can help to make a exploit.

In this talk, we demonstrate how to achieve a full guest-to-host escape exploitation just through a heap overflow write vulnerability.

We will show how to turn a malloc-use-free primitive to a malloc primitive and turn heap overflow write to arbitrary address write (AAW) by leveraging the asynchronous clock, which makes this hard-to-exploit vulnerability exploitable without the help of other devices in QEMU – this is a new attack approach which we call Timekiller. As far as we know, this is the first attack technique leveraging the asynchronous clock to finish a guest-to-host escape exploit.

This is the first public virtual machine escape exploit in the virtio-crypto device (full 0-day). Combining Timekiller and structures in virtio-crypto device, we can exploit most heap overflow write vulnerabilities in QEMU.

===

Yongkang Jia is a Master student at Zhejiang University, China, under the supervision of Chunming Wu. He is going to be a security reseacher at Singular Security Lab. He is a member of the AAA CTF Team. He also plays DEFCON CTF as a member of Katzebin. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in KVM、QEMU, which were confirmed and credited in multiple advisories.

---

Xiao Lei is a Master student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. He also plays DEFCON CTF as a member of Katzebin. His research focuses on System Security, especially Virtualization Security.

---

Yiming Tao received the B.S. degree in software engineering from University of Electronic Science and technology, Chengdu, China in 2022 and now a postgraduate in Cyberspace Security from Zhejiang University, Hang Zhou, China.

---

Gaoning Pan is a PhD student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. He also plays CTFs as a member of A*0*E. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in KVM、QEMU and Virtualbox, which were confirmed and credited in multiple advisories. He has published several papers in top-tier academic conferences, including ACM CCS, USENIX Security. His representative work V-Shuttle has won ACM CCS 2021’s best paper award. Also, he has nomination for 2022 most innovative research Pwnie Award.