Breaking Isolation: A New Perspective on Hypervisor Exploitation via Cross-Domain Attacks
Gaoning Pan, Yiming Tao, Qinying Wang, Chunming Wu, Mingde Hu, Yizhi Ren, Shouling Ji

TL;DR
This paper introduces a new perspective on hypervisor exploitation by leveraging weak memory isolation, enabling cross-domain attacks that reuse guest memory for capability escalation, validated across multiple vulnerabilities.
Contribution
It provides the first systematic characterization of Cross-Domain Attacks and develops an automated system to identify and exploit such vulnerabilities in hypervisors.
Findings
CDA is applicable to 15 real-world vulnerabilities.
The system successfully automates exploit chain synthesis.
CDA demonstrates effectiveness in practical hypervisor environments.
Abstract
Hypervisors are threatened by critical memory safety vulnerabilities, with pointer corruption being one of the most prevalent and severe forms. Existing exploitation frameworks depend on identifying highly constrained structures in the host and accurately determining their runtime addresses, which is ineffective in hypervisor environments where such structures are rare and further obfuscated by Address Space Layout Randomization (ASLR). We instead observe that modern virtualization environments exhibit weak memory isolation: guest memory is fully attacker-controlled yet accessible from the host, providing a reliable primitive for exploitation. Based on this observation, we present the first systematic characterization and taxonomy of Cross-Domain Attacks (CDA), a class of exploitation techniques that enable capability escalation through guest memory reuse. To automate this…
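The abstract's core observation (a host-side pointer, once corrupted, can be aimed at guest RAM that the attacker fully controls, instead of at a rare host structure whose address ASLR hides) is easiest to see in a small model. The following C program is an added illustration written for this page, not the paper's system, and it contains no real hypervisor bug: the device model, the `mmio_write_vuln` pointer-corruption bug, the guest-physical offset `FAKE_OBJ_GPA`, and the `run_*` driver functions are all constructed. It also assumes the guest has already learned the host-virtual base of its RAM mapping and the address of the target routine; the abstract does not say how the paper obtains those.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model: a "host" device model keeps a pointer to a handler
 * object and also maps the guest's RAM. Not the paper's tooling, not a real bug. */
#define GUEST_RAM_SIZE 4096
#define FAKE_OBJ_GPA   0x100   /* guest-physical offset the guest picks for its fake object */
#define NUM_HANDLERS   2

typedef struct {
    void (*callback)(const char *msg);
    const char *msg;
} handler_t;

static int host_counter;  /* incremented by the legitimate handler */
static int escalated;     /* set only by the routine the guest must never reach */
static void benign_handler(const char *msg) { (void)msg; host_counter++; }
static void privileged_op(const char *msg)  { (void)msg; escalated = 1; }

typedef struct {
    uint8_t   *guest_ram;                   /* host-virtual mapping of guest physical RAM */
    handler_t *active;                      /* host pointer the toy bug lets the guest corrupt */
    handler_t  host_handlers[NUM_HANDLERS]; /* the only legitimate targets of `active` */
} device_t;

static device_t *device_create(void) {
    device_t *dev = calloc(1, sizeof *dev);
    dev->guest_ram = calloc(GUEST_RAM_SIZE, 1);
    dev->host_handlers[0] = (handler_t){ benign_handler, "irq" };
    dev->host_handlers[1] = (handler_t){ benign_handler, "dma-done" };
    dev->active = &dev->host_handlers[0];
    return dev;
}
static void device_destroy(device_t *dev) { free(dev->guest_ram); free(dev); }

/* Toy pointer-corruption bug (constructed): an emulated register write stores
 * an attacker-chosen value straight into dev->active. */
static void mmio_write_vuln(device_t *dev, uint64_t val) {
    dev->active = (handler_t *)(uintptr_t)val;
}
/* Host dereferences the (possibly corrupted) pointer on the next event. */
static void device_fire(device_t *dev) { dev->active->callback(dev->active->msg); }

/* Guest side: plant a fake handler_t in its own RAM. The guest addresses its
 * memory by guest-physical offset; the host reads the same bytes via guest_ram. */
static void guest_plant_fake_handler(uint8_t *guest_ram) {
    handler_t fake = { privileged_op, "pwn" };
    memcpy(guest_ram + FAKE_OBJ_GPA, &fake, sizeof fake);
}

/* The CDA observation as a check: a host pointer resting inside the guest RAM
 * mapping refers to attacker data, not to a host object. */
static int points_into_guest_ram(const device_t *dev, const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)dev->guest_ram;
    return a >= lo && a < lo + GUEST_RAM_SIZE;
}

/* Hardened write: the guest selects a handler by index into the host-owned
 * table, so no raw host pointer is ever taken from guest-controlled state. */
static void mmio_write_fixed(device_t *dev, uint64_t val) {
    if (val >= NUM_HANDLERS) return;   /* out-of-range index: ignore */
    dev->active = &dev->host_handlers[val];
}

/* Assumption: the guest knows the host-virtual base of its RAM mapping, so the
 * fake object's host address is base + guest-physical offset. */
static uint64_t fake_object_hva(const device_t *dev) {
    return (uint64_t)(uintptr_t)(dev->guest_ram + FAKE_OBJ_GPA);
}

/* Returns 1 if aiming `active` at guest RAM ran privileged_op. */
int run_cross_domain_attack(void) {
    device_t *dev = device_create();
    host_counter = escalated = 0;
    guest_plant_fake_handler(dev->guest_ram);
    mmio_write_vuln(dev, fake_object_hva(dev));
    int detected = points_into_guest_ram(dev, dev->active);  /* pointer now in guest RAM */
    device_fire(dev);
    int result = escalated && detected;
    device_destroy(dev);
    return result;
}

/* Returns 1 if the hardened write keeps `active` on a host object and only the
 * legitimate handler runs. */
int run_hardened(void) {
    device_t *dev = device_create();
    host_counter = escalated = 0;
    guest_plant_fake_handler(dev->guest_ram);
    mmio_write_fixed(dev, fake_object_hva(dev));  /* not a valid index: dropped */
    int detected = points_into_guest_ram(dev, dev->active);
    device_fire(dev);
    int result = !escalated && !detected && host_counter == 1;
    device_destroy(dev);
    return result;
}

int main(void) {
    printf("cross-domain attack succeeded: %d\n", run_cross_domain_attack());
    printf("hardened device safe:          %d\n", run_hardened());
    return 0;
}
```

The vulnerable path needs no host structure at all: the guest fabricates the object in its own RAM, and the host's weak isolation turns that RAM into a valid-looking host object. `points_into_guest_ram` is the kind of invariant a device model can assert on any host-side pointer it stores, and `mmio_write_fixed` shows the structural fix: guest-writable state carries indices, never host pointers.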
Taxonomy
Topics: Security and Verification in Computing · Software Testing and Debugging Techniques · Advanced Malware Detection Techniques
