After the Spring Festival, I am considering what to do besides my research work. It seems that VM escape has become a routine challenge in recent CTFs; a zero-day was even used as a challenge in 34C3 CTF. I think it's time to start a new journey on VM escape.
Inspired by the post by Hama, I plan to divide the process into three parts.
Part 1: Simplified challenge in CTF
(1) Christmas CTF 2017 ChildVM 
(2) Seccon CTF 2017 VM_NO_FUN 
(3) 34C3 CTF 2017 LFA 
Part 2: QEMU Escape
More background knowledge is required.
(1) QEMU Escape 
(2) HITB 2017 Baby QEMU 
(3) 0CTF 2017 Final QEMUESCAPE  (but the challenge files are missing)
Part 3: Vulnerability Analysis
(1) Replay CVE-2015-5165 and CVE-2015-5704 in 
(2) Play CVE-2018-2698 
Virtualization is a huge topic, and VM escape requires deep knowledge of the operating system. Besides the challenges and write-ups above, I may also write some blog posts explaining the background of virtualization technology. At present, I am not sure how far I can travel on this journey. I am writing this post to push myself towards the goal step by step.
QEMU Escape: http://www.phrack.org/papers/vm-escape-qemu-case-study.html
HITB 2017 Baby QEMU: https://kitctf.de/writeups/hitb2017/babyqemu
0CTF 2017 Final QEMUESCAPE: http://blog.eadom.net/writeups/qemu-escape-vm-escape-from-0ctf-2017-finals-writeup/
Christmas CTF 2017 ChildVM: http://hama.hatenadiary.jp/entry/2017/12/26/234306
34C3 CTF BabyVM: https://github.com/niklasb/34c3ctf-sols/blob/master/babyvm/README.md
SECCON CTF 2017 VM_NO_FUN: https://github.com/SECCON/SECCON2017_online_CTF/tree/master/pwn/500_vm_no_fun
HITCON 2017 CTF Real Ruby Escaping: https://github.com/david942j/ctf-writeups/tree/master/hitcon-quals-2017/real-ruby-escaping/sandbox
34C3 CTF LFA: http://gcli.cn/2017/12/31/LFA/
CVE-2018-2698: https://blogs.securiteam.com/index.php/archives/3649
CVE-2018-2698: https://www.exploit-db.com/exploits/43878/
2 thoughts on “Go for VM escape!”
Will you exploit the Meltdown and Spectre vulnerabilities? In July 2018, two more bugs were revealed: ret2spec and SpectreRSB. Meltdown is the third variant of Spectre.
Sorry. I am not familiar with hardware vulnerabilities and have no plan for that at present.