Ring 0 to Ring -1 Exploitation with Hyper-V IPC presented at Syscan 2015

by Alex Ionescu

Summary: 2015 will finally be the year of virtualization on the desktop. With Intel's Haswell processors now supporting nested/shadow VMCS, virtualized operating systems can run inside other virtualization stacks, and soon you'll be able to run Windows with Hyper-V inside a VirtualBox VM inside a Linux container inside AWS (VMware already supported this – but using software emulation).
Fully aware of the impact of virtualization, Microsoft first introduced Client Hyper-V in Windows 8.1, opening up the hypervisor to all customers. And in Windows 10, a number of new technologies, such as DrawBridge/Pico/Docker and Virtual Secure Machine (VSM)/Secured Processes will be announced and exposed to developers.
With Hyper-V already powering Azure, and poised to take an increasing presence in the very core of the Windows kernel (perhaps running in fully-virtualized mode at all times in a future version), does anyone really understand how Hyper-V works and what its security boundaries are?
By piecing together scattered information from the Web, forums, lost header files, and research projects, plus heavy reverse engineering, this talk will give attendees a quick overview of Hyper-V internals (especially from the security angle) and focus on how inter-partition security boundaries are implemented, and what holes exist to permit IPC between guest(s) and host.
We'll end the talk with a live demonstration of a Hyper-V exploit that leverages the IPC mechanisms to attack a Windows 7 partition from a Windows 8.1 partition.