Archive for June, 2018

Hypercall Security Assessment Checklist

What are the checklist items when auditing hypercalls for security?

a. What are the hypercall instructions, and their input/output registers and side effects?

b. What are the privileges available when executing the hypercalls?

c. Are there any opportunities for transitioning to another privilege level during runtime? If there are, then under what conditions and requirements?

d. How to check through all the software boundaries between the two different privilege levels, ensuring that reasonable checks are done before passing information from one side to the other?

e. Any dependencies or race conditions at runtime between different (or the same) instructions issued by multiple CPU cores?
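As an added illustration of items (a), (b), (d) and (e), here is a constructed toy hypervisor-side hypercall dispatcher in C. It is not code from the original post, nor from Xen or KVM: the guest memory array, the register layout, the hypercall numbers and the `guest_issue` helper are all assumptions made up for this example. It shows the concrete checks an auditor looks for at the boundary: bounding the hypercall number before it indexes a table, enforcing the privilege each hypercall requires, validating guest-supplied ranges without integer overflow, and snapshotting the argument block into hypervisor-owned memory so a second vCPU cannot change it between validation and use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy model of a hypervisor-side hypercall dispatcher (not Xen or KVM code).
 * Everything here is simplified to show where each checklist item applies. */

#define GUEST_MEM_SIZE 4096u
#define HC_NR_MAX 3u

enum hc_nr { HC_NOP = 0, HC_FILL = 1, HC_SUM = 2 };
enum hc_status { HC_OK = 0, HC_EINVAL = -1, HC_EPERM = -2, HC_EFAULT = -3 };

/* Simulated guest physical memory (constructed); the guest may rewrite it at any time. */
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Guest state captured at the VM exit: privilege level and the input registers. */
struct vcpu {
    int cpl;            /* privilege level of the guest code that issued the hypercall */
    uint64_t regs[2];   /* regs[0]: hypercall number, regs[1]: guest address of the argument block */
};

/* Argument block the guest places in its own memory. */
struct hc_args {
    uint64_t gpa;       /* guest physical address of the buffer to operate on */
    uint64_t len;       /* length in bytes */
    uint64_t value;     /* byte value for HC_FILL */
};

/* Highest guest privilege level allowed to issue each hypercall (item b). */
static const int hc_max_cpl[HC_NR_MAX] = { 3, 0, 0 };

/* Overflow-safe check that [gpa, gpa+len) lies inside guest memory (item d). */
int guest_range_ok(uint64_t gpa, uint64_t len) {
    if (len == 0 || gpa >= GUEST_MEM_SIZE) return 0;
    return len <= GUEST_MEM_SIZE - gpa;
}

/* Copy the guest argument block into hypervisor-owned memory. All later checks run
 * on this private copy, so another vCPU rewriting guest memory cannot change the
 * arguments between the check and the use (item e, a TOCTOU race). */
static int copy_args_from_guest(uint64_t gpa, struct hc_args *out) {
    if (gpa % 8 != 0 || !guest_range_ok(gpa, sizeof *out)) return HC_EFAULT;
    memcpy(out, guest_mem + gpa, sizeof *out);
    return HC_OK;
}

/* Dispatcher entry point, i.e. the VM-exit handler for the hypercall instruction.
 * Returns a status; HC_SUM additionally writes the byte sum to *result. */
int hypercall_dispatch(const struct vcpu *v, uint64_t *result) {
    uint64_t nr = v->regs[0];
    struct hc_args a;
    int rc;

    /* Item a: bound the hypercall number before it indexes any table. */
    if (nr >= HC_NR_MAX) return HC_EINVAL;
    /* Item b: enforce the privilege this hypercall requires. */
    if (v->cpl > hc_max_cpl[nr]) return HC_EPERM;
    if (nr == HC_NOP) return HC_OK;

    /* Items d and e: snapshot first, then validate the private copy. */
    rc = copy_args_from_guest(v->regs[1], &a);
    if (rc != HC_OK) return rc;
    if (!guest_range_ok(a.gpa, a.len)) return HC_EFAULT;

    switch (nr) {
    case HC_FILL:
        memset(guest_mem + a.gpa, (int)(a.value & 0xff), (size_t)a.len);
        return HC_OK;
    case HC_SUM: {
        uint64_t sum = 0;
        for (uint64_t i = 0; i < a.len; i++) sum += guest_mem[a.gpa + i];
        *result = sum;
        return HC_OK;
    }
    }
    return HC_EINVAL;
}

/* Constructed helper: a guest at privilege level cpl writes an argument block at
 * guest address 0x100 and issues hypercall nr. */
int guest_issue(int cpl, uint64_t nr, uint64_t gpa, uint64_t len, uint64_t value, uint64_t *result) {
    struct hc_args a = { gpa, len, value };
    memcpy(guest_mem + 0x100, &a, sizeof a);
    struct vcpu v = { cpl, { nr, 0x100 } };
    return hypercall_dispatch(&v, result);
}

int main(void) {
    uint64_t sum = 0;
    printf("kernel fill: rc=%d\n", guest_issue(0, HC_FILL, 0x200, 16, 0x41, NULL));
    printf("kernel sum: rc=%d value=%llu\n", guest_issue(0, HC_SUM, 0x200, 16, 0, &sum), (unsigned long long)sum);
    printf("user-mode fill: rc=%d\n", guest_issue(3, HC_FILL, 0x200, 16, 0, NULL));
    printf("overflowing range: rc=%d\n", guest_issue(0, HC_FILL, 0x200, UINT64_MAX, 0, NULL));
    return 0;
}
```

When reading a real handler against this model, the audit questions become mechanical: find the table indexed by the hypercall number and the check that precedes it, find where the required privilege is compared, find every guest pointer and the overflow-safe range check on it, and confirm that what gets validated is a hypervisor-side copy rather than memory the guest can still write.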

https://www.coursehero.com/file/p7bq556/8-Hypercalls-are-analogous-to-system-calls-in-the-OS-world-While-VM-Exits-are/

https://xenbits.xen.org/docs/4.8-testing/misc/pvh.html

https://www.researchgate.net/post/Problem_with_hypercall_KVM_Xen

https://research.spec.org/fileadmin/user_upload/documents/wg_ids/endorsed_publications/SPEC-RG-2014-001_HypercallVulnerabilities.pdf

https://reviews.freebsd.org/D8100?id=20886

ftp://netbsd.ftp.fu-berlin.de/misc/joerg/XEN3DOMU/src/src/sys/arch/xen/include/amd64/hypercalls.h.html

http://wwwi10.lrr.in.tum.de/~weidendo/lehre/VT-WS15/lab3-loesung.pdf

Project Zero: Pandavirtualization: Exploiting the Xen hypervisor

https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html

Below are links on the security hardening of KVM as done by Google:

https://www.linux-kvm.org/images/f/f6/01x02-KVMHardening.pdf

https://www.theregister.co.uk/2017/01/30/google_cloud_kicked_qemu_to_the_kerb_to_harden_kvm/

https://cloud.google.com/blog/products/gcp/7-ways-we-harden-our-kvm-hypervisor-at-google-cloud-security-in-plaintext

Google's infrastructure security design in general:

https://cloud.google.com/security/infrastructure/design/

KVM in general: https://lwn.net/Articles/619376/

Learning about RUMP kernel

https://blog.netbsd.org/tnf/entry/a_rump_kernel_hypervisor_for

https://github.com/rumpkernel/wiki/wiki/Tutorial:-Getting-started

https://github.com/rumpkernel/wiki/wiki/Info:-Comparison-of-rump-kernels-with-similar-technologies

http://rumpkernel.org

https://www.netbsd.org/gallery/presentations/justin/2015_AsiaBSDCon/justincormack-abc2015.pdf

http://netbsd.gw.com/cgi-bin/man-cgi?rumpuser+3+NetBSD-current

https://news.ycombinator.com/item?id=8608736

CTF writeup roundup

https://www.defcon.org/html/links/dc-ctf.html

https://dttw.tech/posts/r1jswRaAG

https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack

https://github.com/qazbnm456/awesome-cve-poc

https://github.com/vermuz/awesome-shell-1

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

https://github.com/ctfs/write-ups-2016

https://ctftime.org/event/459/tasks/

https://ctftime.org/writeups

https://www.securifera.com/blog/2017/06/18/defcon-ctf-2017-divided-writeup/

https://chc.cs.cornell.edu/writeups/

https://st98.github.io/diary/posts/2017-05-02-def-con-ctf-2017-qualifiers.html

https://github.com/abatchy17/WindowsExploits

CTF Internetwache 2016:
https://www.youtube.com/watch?v=6cYZJLcC6Eo

https://www.youtube.com/watch?v=AKs277vpVSY

https://github.com/AusJock/Privilege-Escalation

https://github.com/BuddhaLabs/PacketStorm-Exploits

https://kitctf.de/writeups/
