Awesome Virtualization
A curated list of awesome resources about virtualization.
Table of Contents
- Chronology
- Documentation
- Books
- Courses
- Papers
- Research Projects
- Mainstream Hypervisors Documentation
- Hypervisor Development
- Virtual Machine Introspection
- Attacking Hypervisors
- Malware Analysis
Chronology
- 2005-November-13: Intel
VT-x
released onPentium 4
(Model662
and672
) processors - 2006-May-23: AMD
AMD-V
released onOrleans
andWindsor
processors - 2007-September-10 : AMD
Barcelona
addsRVI
(Rapid Virtualization Indexing) a.k.a (Nested Page Tables) a.k.a (SLAT
) - 2008-November: Intel
Nehalem
EPT
(Extended Page Tables) a.k.a (SLAT
)VPID
(Virtual Processor ID)
- 2010-January-7: Intel
Westmere
addsunrestricted guests
a.k.a (Real Mode Support) - 2013-June-4: Intel
haswell
:VMCS Shadowing
VMFUNC
,#VE
andEPTP
switching
- 2017
- June-21: AMD
EPYC
adds suport forSecure Encrypted Virtualization
(SEV) - AMD documents
Encrypted State
(SEV-ES)
- June-21: AMD
- 2019
- AMD documents
Secure Nested Paging
(SEV-SNP) - August-1: Intel
Ice Lake
EPT SPP
(EPT-Based Sub-Page Write Protection)- Virtualizing
Intel Processor Trace
output buffer using EPT
- AMD documents
- 2020-March: Intel documents
Hypervisor-Managed Linear Address Translation
(HLAT)
Documentation
Intel
AMD
Books
Courses
- Memory Virtualization playlist by Udacity
- Full Virtualization by Geoffrey Challen
- Xen and the Art of Virtualization by Geoffrey Challen
- Container Virtualization by Geoffrey Challen
- Open Security Training Advanced VT-x course
- From Kernel to VMM
- MMU Virtualization via Intel EPT
- Virtualization and Computing Lectures
Papers
- A comparison of software and hardware techniques for x86 virtualization by K. Adams and O. Agesen (2006)
- Bringing Virtualization to the x86 Architecture with the Original VMware Workstation by Edouard Bugnion, Scott Devine, Mendel Rosenblum, Jeremy Sugerman, And Edward Y. Wang
- The evolution of an x86 virtual machine monitor by O. Agesen, A. Garthwaite, J. Sheldon, and P. Subrahmanyam
- Formal Requirements for Virtualizable Third Generation Architectures by Gerald J. Popek & Robert P. Goldberg
- Modern Operating System 4th Edition (Chapter: Virtualization and the cloud) by Andrew Tanembaum
- Xen and the Art of Virtualization by Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield
- Understanding Full Virtualization, Paravirtualization and Hardware Assisted Virtualization by VMWare
- Dynamic Binary Translation from x86-32 code to x86-64 code for Virtualization by Yu-hsin Chen.
- MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel by Igor Korkin (2019)
- HyperDbg: Reinventing Hardware-Assisted Debugging
Research Projects
Mainstream Hypervisors Documentation
KVM
Xen
QEMU
VMware
VirtualBox
Hyper-V
- Hyper-V internals researches (2006-2019)
- 2015:
- 2017:
- 2018:
- 2019:
- 2020:
- Virtualization Documentation
- Hyper-V technet
- Hyper-V Internals
Hypervisor Development
Hypervisor From Scratch
- Part 1: Basic Concepts & Configure Testing Environment
- Part 2: Entering VMX Operation
- Part 3: Setting up Our First Virtual Machine
- Part 4: Address Translation Using Extended Page Table (EPT)
- Part 5: Setting up VMCS & Running Guest Code
- Part 6: Virtualizing An Already Running System
- Part 7: Using EPT & Page-Level Monitoring Features
- Part 8: How To Do Magic With Hypervisor!
5 Days to Virtualization
- Day 0: Virtual Environment Setup, Scripts, and WinDbg
- Day 1: Introduction to Virtualization, Type Definitions, and Support Testing
- Day 2: Entering VMX Operation, Explaining Implementation Requirements
- Day 3: The VMCS, Component Encoding, and Multiprocessor Initialization
- Day 4: VMCS Initialization, Segmentation, and Operation Visualization
- Day 5: The VM-exit Handler, Event Injection, Context Modifications, and CPUID Emulation
Virtual Machine Introspection
- Zero-Footprint Guest Memory Introspection from Xen by Mihai Dontu - [Slides] [Update]
- Hypervisor memory introspection at the next level
- Bringing Commercial Grade Virtual Machine Introspection to KVM by Mihai Donศu - [Slides]
- Hypervisor-based, hardware-assisted system monitoring
- Virtual Machine Introspection to Detect and Protect
- Hypervisor Memory Forensics - [Slides]
- Who Watches The Watcher? Detecting Hypervisor Introspection from Unprivileged Guests
- DRAKVUF Black-box Binary Analysis for in-depth execution tracing of arbitrary binaries
- Patchguard: Detection of Hypervisor Based Introspection - P1
- Patchguard: Detection of Hypervisor Based Introspection - P2
Attacking Hypervisors
- Blackhat 2010 - Hacking the Hypervisor
- Software Attacks on Hypervisor Emulation of Hardware - [Slides]
- Lessons Learned from Eight Years of Breaking Hypervisors - [Slides]
- Attacking Hypervisors Using Firmware And Hardware - [Slides]
- The Arms Race Over Virtualization - [Slides]
- Glitches in the Matrix โ Escape via NMI
- Hypervisor Vulnerability Research - State of the Art
KVM
- Virtualization under attack: Breaking out of KVM - [Slides]
- Performant Security Hardening of KVM by Steve Rutherford - [Slides]
Xen
- Ouroboros: Tearing Xen Hypervisor With the Snake
- Subverting the Xen hypervisor
- Preventing and Detecting Xen Hypervisor Subversions
- Bluepilling the Xen Hypervisor
- XenPwn: Breaking paravirtualized devices - [Slide]
- Advanced Exploitation: Xen Hypervisor VM Escape
- Xen exploitation part 1: XSA-105, from nobody to root
- Xen exploitation part 2: XSA-148, from guest to host
VMware
- Cloudburst: Hacking 3D And Breaking Out Of Vmware
- The Great Escapes Of Vmware: A Retrospective Case Study Of VMWare Guest-To-Host Escape Vulnerabilities
- Out of the Truman Show: VM Escape in VMware Gracefully
- Control Register Access Exiting and Crashing VMware
VirtualBox
- Unboxing your virtualBox - [Slides]
- Breaking Out of VirtualBox through 3D Acceleration - [Slides]
- VirtualBox VMSVGA VM Escape
- VirtualBox NAT DHCP/BOOTP server vulnerabilities
Hyper-V
- Awesome Hyper-V Exploitation
- 2014
- 2015
- 2018
- 2019
- 2020
CVEs
- Wandering through the Shady Corners of VMware Workstation/Fusion
- CVE-2018-2844: From Compiler Optimization to Code Execution - VirtualBox VM Escape
- CVE-2017-3558: Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy
- Better slow than sorry - VirtualBox 3D acceleration considered harmful
- Analyzing a Patch of a Virtual Machine Escape on VMware
- VirtualBox 3D Acceleration: An Acceleration Attack Surface
- A bunch of Red Pills: VMware Escapes
- SSD Advisory โ Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities
- Pandavirtualization: Exploiting the Xen hypervisor