Google is committed to improving the security of open-source technologies, especially those that form the foundation of many of our products, such as Linux and KVM. To that end, we are excited to announce the launch of kvmCTF, a vulnerability reward program (VRP) for the Kernel-based Virtual Machine (KVM) hypervisor, first announced in October 2023.
KVM is a robust hypervisor with over 15 years of open-source development and is widely used across the consumer and enterprise landscape, including platforms such as Android and Google Cloud. Google is an active contributor to the project, and we designed kvmCTF as a collaborative way to help identify and fix vulnerabilities and further strengthen this fundamental security boundary.
Similar to kernelCTF, kvmCTF is a vulnerability reward program designed to help identify and address vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor. It offers a lab environment where participants can log in and use their exploits to obtain flags. Notably, kvmCTF focuses on zero-day vulnerabilities, so exploits that rely on n-day vulnerabilities are not rewarded. Details of a zero-day vulnerability are disclosed to Google only after an upstream patch has been released, so that Google receives them at the same time as the rest of the open-source community. kvmCTF runs its infrastructure on the Google Bare Metal Solution (BMS) environment. Finally, given the critical role a hypervisor plays in overall system security, kvmCTF rewards several tiers of vulnerabilities, up to and including code execution and VM escape.
How it works
The environment consists of a bare metal host running a single guest VM. Participants can reserve time slots to access the guest VM and attempt a guest-to-host attack. The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker obtains a flag that proves the vulnerability was exploited. The severity of the attack determines the reward amount according to the reward tier system described below. Every report is reviewed individually.
The reward tiers are as follows:
- Full VM escape: $250,000
- Arbitrary memory write: $100,000
- Arbitrary memory read: $50,000
- Relative memory write: $50,000
- Denial of service: $20,000
- Relative memory read: $10,000
To support the relative memory write/read tiers and, to some extent, the denial of service tier, kvmCTF offers the option of using a host with KASAN enabled. In that case, triggering a KASAN violation gives the participant a flag as proof.
How to participate
To get started, begin by reading the program rules. There you will find details on reserving a time slot, connecting to the guest VM, obtaining the flags, how the different KASAN violations map to the reward tiers, and instructions on how to report a vulnerability, submit your findings, or reach us on Discord.
