
kvmCTF: Google’s $250K Bounty for KVM Zero-Day Vulnerabilities

by Rohan Timalsina

August 1, 2024 - TuxCare expert team

Google's kvmCTF, first announced in October 2023, is a vulnerability reward program (VRP) for the Kernel-based Virtual Machine (KVM) hypervisor. It pays up to $250,000 for a full guest-to-host VM escape and rewards only zero-day bugs, putting a large standing bounty on the code that isolates virtual machines (VMs) from their host.


The kvmCTF Program


Google is a major contributor to KVM, and it built kvmCTF as a collaborative platform for finding and fixing vulnerabilities in it. KVM is the hypervisor underneath much of today's cloud and on-premises virtualization, so a bug that lets a guest break out of its VM puts every other workload on that host at risk.

kvmCTF is modelled on Google's kernelCTF, which rewards exploits for Linux kernel vulnerabilities; kvmCTF narrows the target to bugs in KVM that are reachable from inside a guest VM. The objective is a working guest-to-host attack, and only previously unknown (zero-day) vulnerabilities qualify.


Reward Tiers

Rewards scale with the primitive the exploit demonstrates against the host:

  • Full VM escape: $250,000
  • Arbitrary memory write: $100,000
  • Arbitrary memory read: $50,000
  • Relative memory write: $50,000
  • Denial of service: $20,000
  • Relative memory read: $10,000

In this terminology, a "relative" read or write is constrained to an offset from some attacker-influenced location (such as an adjacent heap object), while an "arbitrary" primitive can target any chosen host address. The large gap between the two tiers reflects how much more work it usually takes to turn a relative primitive into a full escape.

Program Mechanics


Enrolled researchers get access to a controlled lab environment in which they run their exploit against a live KVM host and prove success by capturing flags. Unlike other VRPs, kvmCTF rewards only zero-day vulnerabilities; exploits for already-known (n-day) bugs are excluded.

The kvmCTF infrastructure is hosted on Google's Bare Metal Solution (BMS), so participants attack KVM on dedicated bare-metal hosts. Participants reserve a time slot, connect to a guest VM, and attempt a guest-to-host attack from inside it; the tier awarded depends on what the attack demonstrates.

Disclosure is handled upstream first: Google receives the details of a discovered zero-day only after the upstream patch has been released, so the information reaches Google and the wider open-source community at the same time rather than giving the program's sponsor early access.


Conclusion


To participate, researchers must first read the kvmCTF rules, which explain how to reserve a time slot, connect to the guest VM, obtain flags, and report a vulnerability. The rules also spell out which KASAN (Kernel Address SANitizer) violations map to which reward tier, so a memory-safety bug detected by the instrumented host can qualify for a lower tier even before it is turned into a full escape.

By paying for zero-day discoveries and routing fixes through the upstream community, kvmCTF aims to harden a hypervisor that underpins a vast range of consumer and enterprise infrastructure. Whether it delivers on that depends on how many researchers take up the offer and what they find.


The sources for this article include a story from BleepingComputer.
