
Breaking Isolation: A New Perspective on Hypervisor Exploitation via Cross-Domain Attacks

Gaoning Pan, Yiming Tao, Qinying Wang, Chunming Wu, Mingde Hu, Yizhi Ren, Shouling Ji

TL;DR

The paper identifies a new class of hypervisor exploits, Cross-Domain Attacks (CDA), which exploit weak host–guest isolation by redirecting corrupted host pointers into attacker-controlled guest memory. It provides a formal taxonomy of CDA variants, a prototype automation system for gadget identification, input synthesis, and exploit chaining, and a thorough evaluation across 15 real-world CVEs in QEMU and VirtualBox demonstrating broad applicability and practical overhead. The approach shifts the focus from host-structure exploitation to leveraging guest memory as a stable exploitation substrate, with implications for defense strategies such as memory access control and gadget minimization. The findings highlight a previously underexplored attack surface and motivate stronger isolation guarantees to prevent cross-domain pointer manipulation across virtualization platforms.

Abstract

Hypervisors are threatened by critical memory safety vulnerabilities, with pointer corruption being one of the most prevalent and severe forms. Existing exploitation frameworks depend on identifying highly constrained structures in the host machine and accurately determining their runtime addresses, which is ineffective in hypervisor environments where such structures are rare and further obfuscated by Address Space Layout Randomization (ASLR). We instead observe that modern virtualization environments exhibit weak memory isolation: guest memory is fully attacker-controlled yet accessible from the host, providing a reliable primitive for exploitation. Based on this observation, we present the first systematic characterization and taxonomy of Cross-Domain Attacks (CDA), a class of exploitation techniques that enable capability escalation through guest memory reuse. To automate this process, we develop a system that identifies cross-domain gadgets, matches them with corrupted pointers, synthesizes triggering inputs, and assembles complete exploit chains. Our evaluation on 15 real-world vulnerabilities across QEMU and VirtualBox shows that CDA is widely applicable and effective.

Paper Structure

This paper contains 38 sections, 15 figures, 6 tables, and 2 algorithms.

Figures (15)

  • Figure 1: Architecture of Type-2 Hypervisors.
  • Figure 2: Simplified illustration of the mistaken-free vulnerability in QEMU (CVE-2021-3682). An interior pointer data+i is passed downward and later freed, corrupting heap metadata.
  • Figure 3: CDA approach for exploiting pointer hijacking primitives.
  • Figure 4: Code example to show the workflow of CDA.
  • Figure 5: Exploiting the running example.
  • ...and 10 more figures