Google Announces $250,000 Reward for Full VM Escape in New KVM Bug Bounty Program

 Google's new bug bounty program, kvmCTF, aims to identify and address vulnerabilities in the KVM hypervisor. The program functions like a Capture The Flag (CTF) event, where participants reserve time slots to access a guest VM in a lab environment and attempt guest-to-host attacks.

Google hopes the initiative will uncover virtual machine escapes, arbitrary code execution flaws, information disclosure issues, and denial-of-service (DoS) bugs.

"The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability," Google explained in a blog post.

Participants can earn up to $250,000 for a full VM escape, $100,000 for an arbitrary memory write exploit, and $50,000 for an arbitrary memory read or a relative memory write exploit. DoS attacks can earn up to $20,000, and relative memory read flaws up to $10,000.

KVM is widely used in both consumer and enterprise solutions, including the Android and Google Cloud platforms, which is why Google is keen on enhancing the hypervisor’s security.



Complete rules for kvmCTF are on GitHub. The announcement from the Google Security Blog follows:

Google is committed to enhancing the security of open-source technologies, especially those that make up the foundation for many of our products, like Linux and KVM. To this end we are excited to announce the launch of kvmCTF, a vulnerability reward program (VRP) for the Kernel-based Virtual Machine (KVM) hypervisor first announced in October 2023.

KVM is a robust hypervisor with over 15 years of open-source development and is widely used throughout the consumer and enterprise landscape, including platforms such as Android and Google Cloud. Google is an active contributor to the project and we designed kvmCTF as a collaborative way to help identify & remediate vulnerabilities and further harden this fundamental security boundary. 

Similar to kernelCTF, kvmCTF is a vulnerability reward program designed to help identify and address vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor. It offers a lab environment where participants can log in and utilize their exploits to obtain flags. Significantly, in kvmCTF the focus is on zero-day vulnerabilities and as a result, we will not be rewarding exploits that use n-day vulnerabilities. Details regarding the zero-day vulnerability will be shared with Google after an upstream patch is released to ensure that Google obtains them at the same time as the rest of the open-source community. Additionally, kvmCTF uses the Google Bare Metal Solution (BMS) environment to host its infrastructure. Finally, given how critical a hypervisor is to overall system security, kvmCTF will reward various levels of vulnerabilities up to and including code execution and VM escape.

How it works

The environment consists of a bare metal host running a single guest VM. Participants will be able to reserve time slots to access the guest VM and attempt to perform a guest-to-host attack. The goal of the attack must be to exploit a zero-day vulnerability in the KVM subsystem of the host kernel. If successful, the attacker will obtain a flag that proves their accomplishment in exploiting the vulnerability. The severity of the attack will determine the reward amount, which will be based on the reward tier system explained below. All reports will be thoroughly evaluated on a case-by-case basis.

The rewards tiers are the following:

  • Full VM escape: $250,000

  • Arbitrary memory write: $100,000

  • Arbitrary memory read: $50,000

  • Relative memory write: $50,000

  • Denial of service: $20,000

  • Relative memory read: $10,000

To facilitate the relative memory write/read tiers and partly the denial of service, kvmCTF offers the option of using a host with KASAN enabled. In that case, triggering a KASAN violation will allow the participant to obtain a flag as proof.
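The KASAN option above means the evidence a participant (or a triager) works with is a kernel KASAN report in the host's log. The program's own mapping of KASAN violations to reward tiers lives in the rules file and is not reproduced on this page, so the following is only an added triage helper, not kvmCTF's code or Google's: it parses the standard `BUG: KASAN:` report format (header line, `Read/Write of size N at addr ... by task ...` line, and the `<TASK>` call-trace block), pulls out the bug class, access direction and faulting frame, and checks whether that frame is tagged with a KVM module. The sample reports, function names and addresses are constructed for the example; the labels returned by `classify_access` are my own, not the program's tier names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed KASAN report excerpts in the standard kernel format.
# Function names, offsets and addresses are invented for illustration
# and do not correspond to any real KVM bug.
SAMPLE_OOB_WRITE = """\
==================================================================
BUG: KASAN: slab-out-of-bounds in hypothetical_kvm_handler+0x1a4/0x2c0 [kvm]
Write of size 8 at addr ffff888012345678 by task qemu-system-x86/1234

CPU: 3 PID: 1234 Comm: qemu-system-x86 Not tainted 6.6.0 #1
Call Trace:
 <TASK>
 dump_stack_lvl+0x47/0x60
 print_report+0xcf/0x620
 kasan_report+0xb6/0xf0
 hypothetical_kvm_handler+0x1a4/0x2c0 [kvm]
 kvm_vcpu_ioctl+0x2d3/0x780 [kvm]
 </TASK>
==================================================================
"""

# A double-free report has no "Read/Write of size" line at all.
SAMPLE_DOUBLE_FREE = """\
BUG: KASAN: double-free in hypothetical_fs_release+0x3c/0x80 [ext4]
Call Trace:
 <TASK>
 kasan_report_invalid_free+0x5c/0x90
 hypothetical_fs_release+0x3c/0x80 [ext4]
 </TASK>
"""

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>.+)$", re.MULTILINE)
ACCESS_RE = re.compile(
    r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-fA-F]+)"
    r" by task (?P<task>\S+)",
    re.MULTILINE,
)
# Module tags that mark a frame as belonging to KVM. Assumption: KVM is built
# as modules; if it is built into the kernel, frames carry no tag and this
# check alone cannot place them.
KVM_MODULE_TAGS = ("[kvm]", "[kvm_intel]", "[kvm_amd]")
# Instrumentation frames that sit above the real faulting function.
KASAN_FRAME_PREFIXES = ("dump_stack", "print_report", "kasan_", "__asan_", "__kasan_")


@dataclass
class KasanReport:
    bug_class: str                 # e.g. "slab-out-of-bounds", "use-after-free"
    function: str                  # "symbol+0xoff/0xsize [module]" from the header
    access: Optional[str] = None   # "Read" / "Write"; None for free-type reports
    size: Optional[int] = None
    addr: Optional[int] = None
    task: Optional[str] = None
    trace: List[str] = field(default_factory=list)

    @property
    def symbol(self) -> str:
        """Bare symbol name from the header frame."""
        return self.function.split("+", 1)[0]


def parse_kasan_report(text: str) -> KasanReport:
    """Parse one KASAN report; raises ValueError if the header is missing."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'BUG: KASAN:' header found")
    report = KasanReport(bug_class=header.group("bug"), function=header.group("func").strip())
    access = ACCESS_RE.search(text)
    if access is not None:
        report.access = access.group("access")
        report.size = int(access.group("size"))
        report.addr = int(access.group("addr"), 16)
        report.task = access.group("task")
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "<TASK>":
            inside = True
        elif stripped == "</TASK>":
            break
        elif inside and stripped:
            report.trace.append(stripped)
    return report


def in_kvm_subsystem(report: KasanReport) -> bool:
    """True when the faulting frame is tagged with a KVM module."""
    return any(report.function.endswith(tag) for tag in KVM_MODULE_TAGS)


def classify_access(report: KasanReport) -> str:
    """Coarse label for the primitive the report evidences (my own naming)."""
    if report.bug_class in ("double-free", "invalid-free"):
        return "free"
    if report.access == "Write":
        return "write"
    if report.access == "Read":
        return "read"
    return "unknown"


def first_real_frame(report: KasanReport) -> Optional[str]:
    """First call-trace frame that is not KASAN/stack-dump instrumentation."""
    for frame in report.trace:
        if not frame.startswith(KASAN_FRAME_PREFIXES):
            return frame
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_OOB_WRITE, SAMPLE_DOUBLE_FREE):
        r = parse_kasan_report(sample)
        print(r.bug_class, classify_access(r), in_kvm_subsystem(r), first_real_frame(r))
```

Run against a captured `dmesg` excerpt from the KASAN host, the parser tells a triager two things the raw splat does not state directly: whether the write/read distinction that separates the tiers is present at all (free-type reports carry no access line), and whether the faulting frame is in a KVM module rather than elsewhere in the host kernel, which matters because the program only rewards bugs in the KVM subsystem.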

How to participate

To begin, start by reading the rules of the program. There you will find information on how to reserve a time slot, connect to the guest and obtain the flags, the mapping of the various KASAN violations with the reward tiers and instructions on how to report a vulnerability, send us your submission, or contact us on Discord.

Source: the program description and rules above are quoted from the Google Security Blog.

