Gaoning Pan (Hangzhou Dianzi University & Zhejiang Provincial Key Laboratory of Sensitive Data Security and Confidentiality Governance), Yiming Tao (Zhejiang University), Qinying Wang (EPFL and Zhejiang University), Chunming Wu (Zhejiang University), Mingde Hu (Hangzhou Dianzi University & Zhejiang Provincial Key Laboratory of Sensitive Data Security and Confidentiality Governance), Yizhi Ren (Hangzhou Dianzi University & Zhejiang Provincial Key Laboratory of Sensitive Data Security and Confidentiality Governance), Shouling Ji (Zhejiang University)
Hypervisors are under threat by critical memory safety vulnerabilities, with pointer corruption being one of the most prevalent and severe forms. Existing exploitation frameworks depend on identifying highly-constrained structures in the host machine and accurately determining their runtime addresses, which is ineffective in hypervisor environments where such structures are rare and further obfuscated by Address Space Layout Randomization (ASLR). We instead observe that modern virtualization environments exhibit weak memory isolation — guest memory is fully attacker-controlled yet accessible from the host, providing a reliable primitive for exploitation. Based on this observation, we present the first systematic characterization and taxonomy of Cross-Domain Attacks (CDA), a class of exploitation techniques that enable capability escalation through guest memory reuse. To automate this process, we develop a system that identifies cross-domain gadgets, matches them with corrupted pointers, synthesizes triggering inputs, and assembles complete exploit chains. Our evaluation on 15 real-world vulnerabilities across QEMU and VirtualBox shows that CDA is widely applicable and effective.