
Research On Key Technology Of Virtual Machine Escape Based On QEMU

Posted on: 2019-08-06
Degree: Master
Type: Thesis
Country: China
Candidate: C L Fan
Full Text: PDF
GTID: 2428330545457977
Subject: Electronic and communication engineering

Abstract/Summary:
Virtualization technology has been widely used in all aspects of society, including finance, manufacturing, government and scientific research, and has become an important part of the basic information infrastructure. Virtualization security is therefore an important issue in the field of information security. The virtual machine is the core of virtualization technology, and with the security problems exposed in recent years, virtual machine escape attacks have become one of the main threats to virtualization security. Research on escape attacks against VMware, VirtualBox, Xen and other virtualization software is relatively mature; with the wide application of KVM/QEMU, virtual machine escape attacks based on KVM/QEMU have attracted more and more attention from attackers.

This paper analyzes the overall framework of the KVM/QEMU virtual machine, summarizes the security threats it may face, and analyzes the principle of virtual machine escape attacks based on KVM/QEMU. The feasibility of such an escape attack is verified using two vulnerabilities. The paper's innovations are as follows:

Firstly, key address information in the QEMU process is obtained using a memory leak vulnerability. The memory leak from the QEMU virtual machine process is realized through a code defect in a network card device emulated by QEMU, and key address information such as the .text and .plt segments of the QEMU process is obtained. This information provides the basis for calculating the addresses of the various functions used in the later stages of the escape.

Secondly, the instruction pointer register of the QEMU virtual machine process is controlled using a heap overflow vulnerability. The address of a key data structure is overwritten through the heap overflow, and then functions such as mprotect() are invoked based on CRC code reversing and code encapsulation techniques; most importantly, the shellcode is called.

Thirdly, a shellcode communication mechanism based on shared memory is designed and implemented. It relies on the special environment shared between the virtual machine and the host: after the virtual machine escapes, communication can be completed through shared memory, so that the host can be controlled from within the virtual machine.

Experiments show that the method designed in this paper can be implemented in a real test environment. With both the host machine and the virtual machine running Fedora 20, by executing the code inside the virtual environment the user can establish a shell environment that controls the host. Above all, the research work in this paper has practical guiding significance for preventing virtual machine escape attacks and improving the overall security of virtual machines.
Keywords/Search Tags: Virtualization Security, Virtual Machine Escape, Memory Leak, Heap Overflow, Shared Memory