VMware ESXi is an enterprise-class, bare-metal hypervisor developed by VMware for deploying and serving virtual machines. As the hypervisor of VMware vSphere, which is the world's most prevalent, state-of-the-art private-cloud software, ESXi plays a core role in enterprise cloud infrastructure. Bugs in ESXi can violate the security boundary between guest and host, resulting in virtual machine escape. While a few previous virtual machine escape attempts have targeted VMware Workstation, there had been no public VMware ESXi escape until our successful demonstration at GeekPwn 2018. This is mainly due to the sandbox mechanism that ESXi has adopted, using its customized filesystem and kernel. In this talk, we will share our study of those security enhancements in ESXi and describe how we discovered and chained multiple bugs to break out of the sandboxed guest machine.
During the presentation, we will first share the fundamentals of the ESXi hypervisor and some of its special features, including its own customized bootloader, kernel, filesystem, virtual devices and so on. Next, we will demonstrate the attack surfaces in its current implementation and how to uncover security vulnerabilities related to virtual machine escape. In particular, we will anatomize the bugs leveraged in our escape chain, CVE-2018-6981 and CVE-2018-6982, and give an exhaustive account of some reliable techniques for manipulating the heap during exploitation, triggering arbitrary code execution in the host context. Meanwhile, because of the sandbox mechanism in ESXi, code execution alone is not enough to pop a shell. Therefore, we will underline the design of the sandbox and explain how it is used to restrict permissions. We will also give an in-depth analysis of the approaches leveraged to circumvent the sandbox in our escape chain. Finally, we will provide a demonstration of a full-chain escape on ESXi 6.7.