Bug Hunting in Hypervisors

Instructors:    Corentin Bayet and Bruno Pujos
Dates:  June 23 to 26 2025
Capacity:   15

Hypervisors are complex software that play a critical role in modern infrastructure, but like any software, they-re not immune to flaws which can be exploited by sophisticated attackers. This training dives into the technical depths of virtualization technologies and explores the flaws leading to virtual machine (VM) escapes. During this training, you will be able to sharpen your skills on multiple platforms from the initial analysis of a target to exploiting real world vulnerabilities.

The course explores the attack surfaces hypervisors expose to their guests, both statically and dynamically. By breaking down how virtual machines communicate with hypervisors and their internal components, participants will learn to apply their existing vulnerability research and exploitation skills to any virtualization software. The training also provides detailed insights for each studied target, including their architectures, typical vulnerabilities, and guidance for effective bug hunting.

This course is ideal for security researchers and vulnerability analysts who are already familiar with low-level systems programming and common exploitation techniques but are new to hypervisor internals. By the end of the training, participants will have a solid foundation in virtualization attack surfaces and vulnerability research as well as the ability to craft proof-of-concept exploits targeting hypervisors.

KEY LEARNING OBJECTIVES

• Understanding hypervisor internals, components and architectures
• Tools and techniques to effectively perform bug hunting on virtualization softwares
• Methodology for navigating hypervisors code base, both open and closed source
• Analyze and practice with real-world vulnerabilities in QEMU/KVM, VirtualBox, VMware Workstation and ESXi

CLASS OUTLINE

1. Hypervisor basics:

Main foundational concepts of hypervisors and their role in virtualization will be introduced:

• The definition and purpose of a hypervisor.
• Core architecture and components.
• x86 hardware-assisted virtualization
• VT-x/AMD-V.
• EPT/SLAT.
• The necessity of device emulation and para-virtualization in providing hardware to the guest.

2. Interacting with the hypervisor

Students will learn how virtual machines communicate with hypervisors and how to replicate these interactions for bug hunting:

• Mechanisms for triggering guest-host interactions via MMIO, PMIO, and DMA.
• Using PCI/PCIe interfaces to communicate with specific emulated or para-virtualized devices
• Tools and techniques for scripting guest-hypervisor communications

3. Navigating and understanding the code base

Participants will learn to effectively navigate both open-source and proprietary hypervisor codebases:

• Exploration of the architectural layouts of QEMU/KVM, VirtualBox, VMware Workstation, and ESXi.
• Techniques for pinpointing areas of interest, such as memory mapping functions, device initialization, and handlers.
• Leveraging reverse engineering tools and methods to analyze complex, closed-source code.
• Reviewing strategies for locating documentation and resources to help symbolize closed-source code and understand internals.

4. Bug Hunting

Trainers will outline a structured approach to identifying and exploiting vulnerabilities in hypervisors:

• Identifying common attack surfaces.
• Recognizing bug types specific to virtualization.
• Tools and strategies for debugging hypervisors.
• Exploring fuzzing challenges and possible solutions.
• Rediscovering and exploiting n-day vulnerabilities as practical training for real-world bug hunting.

Assignments

Assignments are divided into several steps and integrated throughout each day of training. Each day focuses on a different hypervisor to demonstrate the concepts covered. For each target, students will have the opportunity to analyze and exploit at least one real-world n-day vulnerability that impacted the hypervisor.

Explore Device Emulation on QEMU/KVM

In this assignment, participants will explore the details of QEMU's device emulation to uncover potential vulnerabilities. The focus is on understanding and interacting with the hypervisor's behavior through the guest system and analyzing how I/O operations are managed.

Along the day, participants will explore common communication patterns and device interactions, and develop the skills needed to pinpoint their first vulnerabilities in a crafted emulated device.

In the final stage of this assignment, students will extend their knowledge to identify and trigger a real-world vulnerability that affected a previous version of QEMU.

VirtualBox Code Navigation and Exploit Development

This assignment introduces VirtualBox as a target for exploitation. Participants will explore aspects of VirtualBox's I/O handling and device emulation to identify vulnerabilities. Throughout the day, participants will work with VirtualBox's codebase, learning how to systematically navigate and analyze the architecture of an open-source hypervisor.

By applying learned methodologies, they will analyze memory mapping operations, locate potential bugs, and develop a proof-of-concept exploit for a selected vulnerability. The focus is on understanding typical bugs in hypervisors and how to approach them systematically.

Reverse & Bug Hunting in VMware

In the first part of the assignment, participants will reverse engineer components of VMware's closed-source hypervisors. They will map critical functions related to memory management and I/O handling. The assignment aims to provide insights into finding vulnerabilities in a closed-source environment, teaching participants to map code paths and identify areas prone to bugs or exploitation. Students will receive pre-symbolized IDA databases to assist in navigating the code.

The last part of the assignment brings together all skills developed during the training. Participants will analyze both VMware ESXi and Workstation to identify n-day vulnerabilities and attempt to develop proof-of-concept exploits. This exercise involves understanding the architectural differences between ESXi and Workstation, identifying attack surfaces, and crafting targeted exploits.

Prerequisites

• Basic programming skills in C and Python
• Familiarity with low-level computer behavior:
• Userland vs Kernel execution
• Basic x86 processor architecture
• Knowledge of reverse-engineering concepts and techniques
• Understanding and experience of common C vulnerabilities and exploitation techniques:
• Buffer overflows, use-after-free (UAF), race conditions, uninitialized variables
• ROP, heap massaging, ASLR bypass...

Hardware/Software Requirements

• A computer capable of running VMware Workstation Pro. It is free and downloadable from Broadcom website.
• We are going to use nested virtualization with multiple different hypervisors which will work only on VMWare Workstation.
• The processor of the computer must be an Intel or AMD x86 supporting VT-X or AMD-V. iMac based on ARM chips will not work.
• Linux host preferred. If host is Windows, Hyper-V must be disabled during training.
• Trainee must have administrator privileges on its computer.
• HexRays IDA with x64 decompiler.
• The IDA Free version is enough.
• IDA Pro with ARM decompiler and scripting capabilities is preferred.
• Your favorite code editor

Bio

Corentin Bayet is the CTO of REverse Tactics and a seasoned security researcher with over 7 years of experience in vulnerability research and exploitation. His expertise lies in low-level technologies, including operating systems, kernels, and hypervisors. Corentin has publicly demonstrated multiple VM escapes at high-profile events like Pwn2Own (2020, 2024), showcasing his advanced skills in hypervisor security. He has also delivered impactful talks on bug hunting in virtualization at renowned conferences such as EkoParty 2020, GreHack 2023, and GreHack 2024.

Bruno Pujos is the CEO and founder of REverse Tactics, bringing over 10 years of experience as a security researcher specializing in low-level systems and virtualization technologies. He has publicly demonstrated his expertise by achieving multiple VM escapes and privilege escalations on Windows at Pwn2Own (2020, 2022, 2024). Bruno is also an experienced trainer, having delivered advanced courses on reverse-engineering and bug hunting, including sessions focused on firmware and UEFI BIOS reverse engineering.

Trainers contact: contact@reversetactics.com

To Register

Click here to register.