Remote kernel debugging KVM hypervisor (full walkthrough)
In this video Alisa shows a full walkthrough of remote kernel debugging of the KVM hypervisor on Linux.
KVM is distinguished from Qemu: the latter runs in user mode to handle device virtualization, while the former runs in the privileged kernel to implement just the core hypervisor functionality (the VMM). The KVM-Qemu combination is a popular choice for production-grade virtualization on the Linux platform, while KVM paired with custom device virtualization systems (such as Amazon’s Firecracker) runs billions of virtual machine instances in hosted clouds. Actually, both KVM and Qemu are self-contained virtualization tools that can run stand-alone with certain technical restrictions, KVM being the harder of the two to attack.
The target of debugging here is the KVM hypervisor itself, not the guest OS kernel and not the Linux kernel running on top of KVM-based virtualization.
Hypervisor Attack Surface Model™:
Qemu: AS2 “Virtualized Devices”
KVM: AS3 “VMM”
Debugging setup:
– Host: Ubuntu 22.04 LTS
– Target: KVM hypervisor on Ubuntu 24.04 LTS with stock kernel, running in a VirtualBox VM with nested hardware virtualization.
Arguably, running the target VM in Qemu instead of VirtualBox might be more technically correct, as Qemu has specialized features to facilitate Linux kernel debugging. Here VirtualBox is preferred to advance the state of the art a bit, and there were no public writeups on how to debug a KVM hypervisor target before this video.
About nested virtualization: using two physical machines to set up kernel debugging wouldn’t make a big difference in this particular scenario, since the underlying communication mechanism is the same (a serial port). The KVM code that executes in the nested scenario IS different from the physical one, but not by much.
KVM without Qemu is unable to virtualize a full-fledged operating system image, so the guest VM here is represented by a simple snippet of assembly code doing a low-level device I/O test, at the point where OS boot loader code would normally kick off.
#stateoftheart #hacking