kvmCTF: Google’s $250K Bounty for KVM Zero-Day Vulnerabilities
In October 2023, Google announced the launch of kvmCTF, a new vulnerability reward program (VRP) designed to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor. The program offers bounties of up to $250,000 for a full VM escape exploit, a significant step in fortifying virtual machine (VM) environments against zero-day vulnerabilities.
The kvmCTF Program
As an active and key contributor to KVM, Google developed kvmCTF as a collaborative platform for identifying and fixing vulnerabilities. The initiative aims to bolster the security of the KVM hypervisor, on which the stability and security of many systems depend.
Like Google’s kernelCTF vulnerability reward program, which targets Linux kernel vulnerabilities, kvmCTF focuses on VM-reachable bugs in the KVM hypervisor. The primary goal is to execute successful guest-to-host attacks, specifically targeting zero-day vulnerabilities.
Reward Tiers
This program offers substantial rewards for discovering and exploiting vulnerabilities. The reward structure is as follows:
- Full VM escape: $250,000
- Arbitrary memory write: $100,000
- Arbitrary memory read: $50,000
- Relative memory write: $50,000
- Denial of service: $20,000
- Relative memory read: $10,000
Program Mechanics
Security researchers who enroll in this program are provided with a controlled lab environment where they can use exploits to capture flags. Unlike other VRPs, kvmCTF focuses solely on zero-day vulnerabilities, excluding exploits targeting known vulnerabilities.
The kvmCTF infrastructure is hosted on Google’s Bare Metal Solution (BMS) environment, underscoring the program’s commitment to high-security standards. Participants can reserve time slots to access the guest VM and attempt guest-to-host attacks. The severity of the attack determines the reward amount based on the established reward tiers.
To ensure responsible disclosure, Google receives the details of a discovered zero-day vulnerability only after the upstream patch has been released. As a result, the information reaches Google and the open-source community at the same time, fostering a collaborative effort to enhance the security of KVM.
Conclusion
To participate, researchers must review the kvmCTF rules, which include detailed instructions on reserving time slots, connecting to the guest VM, obtaining flags, mapping various KASAN (Kernel Address SANitizer) violations to reward tiers, and reporting vulnerabilities. This comprehensive guide helps participants navigate the process and contribute effectively to the program.
This initiative represents a significant advancement in the ongoing effort to secure virtual machine environments. By incentivizing the discovery of zero-day vulnerabilities and promoting collaboration with the security community, it aims to enhance the robustness of the KVM hypervisor. As the program progresses, it is expected to play a pivotal role in safeguarding the infrastructure that underpins a vast array of consumer and enterprise applications.
The sources for this article include a story from BleepingComputer.