Instructors: Corentin Bayet and Bruno Pujos
Dates: June 23 to 26 2025
Capacity: 15
Hypervisors are complex software that play a critical role in modern infrastructure, but like any
software, they're not immune to flaws that can be exploited by sophisticated attackers. This training
dives into the technical depths of virtualization technologies and explores the flaws leading to virtual
machine (VM) escapes. During this training, you will sharpen your skills on multiple
platforms, from the initial analysis of a target to exploiting real-world vulnerabilities.
The course explores the attack surfaces hypervisors expose to their guests, both statically and
dynamically. By breaking down how virtual machines communicate with hypervisors and their internal
components, participants will learn to apply their existing vulnerability research and exploitation
skills to any virtualization software. The training also provides detailed insights for each studied
target, including their architectures, typical vulnerabilities, and guidance for effective bug hunting.
This course is ideal for security researchers and vulnerability analysts who are already familiar with
low-level systems programming and common exploitation techniques but are new to hypervisor internals. By
the end of the training, participants will have a solid foundation in virtualization attack surfaces and
vulnerability research as well as the ability to craft proof-of-concept exploits targeting hypervisors.
The main foundational concepts of hypervisors and their role in virtualization will be introduced.
Students will learn how virtual machines communicate with hypervisors and how to replicate these interactions for bug hunting.
Participants will learn to navigate both open-source and proprietary hypervisor codebases effectively.
Trainers will outline a structured approach to identifying and exploiting vulnerabilities in hypervisors.
Assignments are divided into several steps and integrated throughout each day of training. Each day focuses on a different hypervisor to demonstrate the concepts covered. For each target, students will have the opportunity to analyze and exploit at least one real-world n-day vulnerability that impacted the hypervisor.
In this assignment, participants will explore the details of QEMU's device emulation to uncover potential
vulnerabilities. The focus is on understanding and interacting with the hypervisor's behavior through
the guest system and analyzing how I/O operations are managed.
Throughout the day, participants will explore common communication patterns and device interactions, and
develop the skills needed to pinpoint their first vulnerabilities in a purpose-built emulated device.
In the final stage of this assignment, students will extend their knowledge to identify and trigger a
real-world vulnerability that affected a previous version of QEMU.
This assignment introduces VirtualBox as a target for exploitation. Participants will explore aspects of
VirtualBox's I/O handling and device emulation to identify vulnerabilities. Throughout the day,
participants will work with VirtualBox's codebase, learning how to systematically navigate and analyze
the architecture of an open-source hypervisor.
By applying learned methodologies, they will analyze memory mapping operations, locate potential bugs,
and develop a proof-of-concept exploit for a selected vulnerability. The focus is on understanding
typical bugs in hypervisors and how to approach them systematically.
In the first part of the assignment, participants will reverse engineer components of VMware's
closed-source hypervisors. They will map critical functions related to memory management and I/O
handling. The assignment aims to provide insights into finding vulnerabilities in a closed-source
environment, teaching participants to map code paths and identify areas prone to bugs or exploitation.
Students will receive pre-symbolized IDA databases to assist in navigating the code.
The last part of the assignment brings together all skills developed during the training. Participants
will analyze both VMware ESXi and Workstation to identify n-day vulnerabilities and attempt to develop
proof-of-concept exploits. This exercise involves understanding the architectural differences between
ESXi and Workstation, identifying attack surfaces, and crafting targeted exploits.
Corentin Bayet is the CTO of REverse Tactics and a seasoned security researcher with over 7 years of experience in vulnerability research and exploitation. His expertise lies in low-level technologies, including operating systems, kernels, and hypervisors. Corentin has publicly demonstrated multiple VM escapes at high-profile events like Pwn2Own (2020, 2024), showcasing his advanced skills in hypervisor security. He has also delivered impactful talks on bug hunting in virtualization at renowned conferences such as EkoParty 2020, GreHack 2023, and GreHack 2024.
Bruno Pujos is the CEO and founder of REverse Tactics, bringing over 10 years of experience as a security researcher specializing in low-level systems and virtualization technologies. He has publicly demonstrated his expertise by achieving multiple VM escapes and privilege escalations on Windows at Pwn2Own (2020, 2022, 2024). Bruno is also an experienced trainer, having delivered advanced courses on reverse-engineering and bug hunting, including sessions focused on firmware and UEFI BIOS reverse engineering.
Trainers contact: contact@reversetactics.com