Bug Hunting in Hypervisors


Instructors: Corentin Bayet and Bruno Pujos
Dates: June 23 to 26, 2025
Capacity: 15


Hypervisors are complex software that play a critical role in modern infrastructure, but like any software, they're not immune to flaws that can be exploited by sophisticated attackers. This training dives into the technical depths of virtualization technologies and explores the flaws leading to virtual machine (VM) escapes. During this training, you will be able to sharpen your skills on multiple platforms, from the initial analysis of a target to exploiting real-world vulnerabilities.

The course explores the attack surfaces hypervisors expose to their guests, both statically and dynamically. By breaking down how virtual machines communicate with hypervisors and their internal components, participants will learn to apply their existing vulnerability research and exploitation skills to any virtualization software. The training also provides detailed insights for each studied target, including their architectures, typical vulnerabilities, and guidance for effective bug hunting.

This course is ideal for security researchers and vulnerability analysts who are already familiar with low-level systems programming and common exploitation techniques but are new to hypervisor internals. By the end of the training, participants will have a solid foundation in virtualization attack surfaces and vulnerability research as well as the ability to craft proof-of-concept exploits targeting hypervisors.



KEY LEARNING OBJECTIVES




CLASS OUTLINE



1. Hypervisor basics

Main foundational concepts of hypervisors and their role in virtualization will be introduced:





2. Interacting with the hypervisor

Students will learn how virtual machines communicate with hypervisors and how to replicate these interactions for bug hunting:





3. Navigating and understanding the code base

Participants will learn to effectively navigate both open-source and proprietary hypervisor codebases:





4. Bug Hunting

Trainers will outline a structured approach to identifying and exploiting vulnerabilities in hypervisors:




Assignments


Assignments are divided into several steps and integrated throughout each day of training. Each day focuses on a different hypervisor to demonstrate the concepts covered. For each target, students will have the opportunity to analyze and exploit at least one real-world n-day vulnerability that impacted the hypervisor.



Explore Device Emulation on QEMU/KVM

In this assignment, participants will explore the details of QEMU's device emulation to uncover potential vulnerabilities. The focus is on understanding and interacting with the hypervisor's behavior through the guest system and analyzing how I/O operations are managed.

Throughout the day, participants will explore common communication patterns and device interactions, and develop the skills needed to pinpoint their first vulnerabilities in a crafted emulated device.

In the final stage of this assignment, students will extend their knowledge to identify and trigger a real-world vulnerability that affected a previous version of QEMU.



VirtualBox Code Navigation and Exploit Development

This assignment introduces VirtualBox as a target for exploitation. Participants will explore aspects of VirtualBox's I/O handling and device emulation to identify vulnerabilities. Throughout the day, participants will work with VirtualBox's codebase, learning how to systematically navigate and analyze the architecture of an open-source hypervisor.

By applying learned methodologies, they will analyze memory mapping operations, locate potential bugs, and develop a proof-of-concept exploit for a selected vulnerability. The focus is on understanding typical bugs in hypervisors and how to approach them systematically.



Reverse & Bug Hunting in VMware

In the first part of the assignment, participants will reverse engineer components of VMware's closed-source hypervisors. They will map critical functions related to memory management and I/O handling. The assignment aims to provide insights into finding vulnerabilities in a closed-source environment, teaching participants to map code paths and identify areas prone to bugs or exploitation. Students will receive pre-symbolized IDA databases to assist in navigating the code.

The last part of the assignment brings together all skills developed during the training. Participants will analyze both VMware ESXi and Workstation to identify n-day vulnerabilities and attempt to develop proof-of-concept exploits. This exercise involves understanding the architectural differences between ESXi and Workstation, identifying attack surfaces, and crafting targeted exploits.



Prerequisites


Hardware/Software Requirements



Bio


Corentin Bayet is the CTO of REverse Tactics and a seasoned security researcher with over 7 years of experience in vulnerability research and exploitation. His expertise lies in low-level technologies, including operating systems, kernels, and hypervisors. Corentin has publicly demonstrated multiple VM escapes at high-profile events like Pwn2Own (2020, 2024), showcasing his advanced skills in hypervisor security. He has also delivered impactful talks on bug hunting in virtualization at renowned conferences such as EkoParty 2020, GreHack 2023, and GreHack 2024.


Bruno Pujos is the CEO and founder of REverse Tactics, bringing over 10 years of experience as a security researcher specializing in low-level systems and virtualization technologies. He has publicly demonstrated his expertise by achieving multiple VM escapes and privilege escalations on Windows at Pwn2Own (2020, 2022, 2024). Bruno is also an experienced trainer, having delivered advanced courses on reverse-engineering and bug hunting, including sessions focused on firmware and UEFI BIOS reverse engineering.


Trainers contact: contact@reversetactics.com
