Zero Day Engineering

Training Classes

Hypervisor Exploitation One:
System Internals & Vulnerabilities

Learn to discover, analyze, and prototype security vulnerabilities in arbitrary virtualization software through a generalized and systematic perspective, based on effective abstractions, concrete implementation details, inspection of known bugs, and the instructor's cross-domain insights. More details.

- 20 May, 06 June, 13 June 2020: ONLINE (3 days, 09-17 UTC)
- 27-29 August 2020: ONLINE (3 days, 09-17 UTC)


iBootcamp is an experimental, online-only, multi-stage training course on iOS internals, vulnerability discovery and exploit development, created for beginners. More details.

- 12-21 December 2019: ONLINE (10 days) Stage 0: Reconnaissance
- 25-29 May 2020: ONLINE (5 days, 2 hours per day) Stage 3: iOS Kernel
- TBA, 2020: Stage 4: iOS Bootchain


System Internals

Hyper-V Internals and LIS
Microsoft Hyper-V relies on two core mechanisms for inter-partition and hypervisor communication: the hypercall interface and VMBus. This note constitutes a fairly complete and technically concise overview of an implementation of both at the core level.

iBoot Heap Internals
This research note provides a basic technical outline of the Apple bootchain's heap internals, key algorithms, and security mitigations.

iBoot Address Space
This research note documents a generalized perspective on the bootchain memory layout of Apple devices across all stages of the boot process, specifically as relevant to SecureROM and iBoot. As a case study, a detailed memory map of the iPhone 5 during boot is presented.

* links to Alisa's Research Notes

Proof of Concepts

CVE-2018-6981: VMware Workstation and ESXi vmxnet3 Uninitialized Variable Vulnerability
Proof-of-concept testcase for one of the bugs leveraged at GeekPwn2018 to achieve a full VM escape from VMware ESXi, recreated from the respective binary security patch. Technically it is a patch for the Linux vmxnet3 kernel mode driver implementation.

CVE-2019-0717: Hyper-V Virtual Network Switch (vmswitch.sys) VmsMpCommonPvtSetRequestCommon Out of Bounds Read DoS Vulnerability
Proof-of-concept testcase for a Tier 1 (host partition kernel) vulnerability in Microsoft Hyper-V. Technically it is a patch for rndis_filter.c, one of the Hyper-V paravirtualization drivers built into the Linux kernel.

CVE-2018-XXXX: VirtualBox 3D Virtualization Memory Corruption Elevation of Privilege Vulnerability (multiple)
In 2018 I found a few dozen bugs in the (old) Oracle VirtualBox 3D acceleration implementation, based on the Chromium OpenGL library. This repo contains a subset of the analysis reports sent to the Zero Day Initiative.

* selected links to my github stash

About Us

Zero Day Engineering is an educational project focused on advanced vulnerability discovery and exploit development for modern and popular software systems. We maintain a continuous internal research process aimed at strategic zero-day vulnerability discovery in many modern software systems; participate in the official security bounty programs of major software vendors; share selected research and analysis notes with the community; and develop commercial training classes based on privately and independently obtained deep technical knowledge.

Feel free to contact us if you want to book a public or private class, purchase e-learning materials based on our past trainings, suggest a collaboration project, or host our training classes at your venue.

Channel: @alisaesagechan
Email: [PGP key]

Warning: this email is the only point of contact with us, other than in person with Alisa Esage, creator of the project.