Hypervisors face critical memory safety vulnerabilities, with pointer corruption being one of the most prevalent and severe forms. Existing exploitation frameworks depend on identifying highly constrained structures in the host process and accurately determining their runtime addresses, which is ineffective in hypervisor environments where such structures are rare and further obfuscated by Address Space Layout Randomization (ASLR). We instead observe that modern virtualization environments exhibit weak memory isolation: guest memory is fully attacker-controlled yet directly accessible from the host, which provides a reliable primitive for exploitation. Based on this observation, we present the first systematic characterization and taxonomy of Cross-Domain Attacks (CDA), a class of exploitation techniques that enable capability escalation through guest memory reuse. To automate this process, we develop a system that identifies cross-domain gadgets, matches them with corrupted pointers, synthesizes triggering inputs, and assembles complete exploit chains. Our evaluation on 15 real-world vulnerabilities across QEMU and VirtualBox shows that CDA is widely applicable and effective.
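The following C program is an added illustration of the cross-domain primitive the abstract describes; it is not code from the paper or from QEMU or VirtualBox. It models the guest's RAM as a buffer the host process reads directly, a hypothetical emulated DMA device whose descriptor pointer can be corrupted by a hypothetical bug, and the resulting "cross-domain gadget": the host dereferences a descriptor that the guest planted in its own memory, so a single corrupted pointer is escalated into a copy of arbitrary host memory into guest RAM without locating any host-side structure. The device, the bug, the `host_secret` buffer and the assumption that the host address of `host_secret` is already known (from an earlier leak) are all constructed for the example. A hardened variant shows the check a practitioner would add: refuse to treat an object that lives inside guest RAM as a host-side object.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_RAM_SIZE 4096u

/* Stand-in for the guest RAM block as mapped into the host process.
 * Every byte is guest-controlled, and the host reads it directly. */
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Host data that must never reach the guest (constructed sample). */
static const uint8_t host_secret[16] = "secret-host-key";

/* Descriptor a hypothetical emulated DMA device keeps on the host heap. */
typedef struct {
    const uint8_t *src;  /* host virtual address to copy from */
    uint32_t dst_gpa;    /* guest-physical destination */
    uint32_t len;
} dma_desc_t;

typedef struct {
    dma_desc_t *cur;     /* pointer the hypothetical bug lets the guest corrupt */
    dma_desc_t legit;    /* the descriptor the host actually intended */
} dma_dev_t;

/* Cross-domain gadget: trusts s->cur and copies host memory into guest RAM.
 * Only the guest-physical destination is bounds-checked, as a real device
 * model would do; nothing validates where the descriptor itself lives. */
static int dma_run(dma_dev_t *s) {
    dma_desc_t *d = s->cur;
    if ((uint64_t)d->dst_gpa + d->len > GUEST_RAM_SIZE) return -1;
    memcpy(guest_ram + d->dst_gpa, d->src, d->len);
    return 0;
}

/* Hardened variant: a host-side object must not be backed by guest RAM. */
static bool in_guest_ram(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)guest_ram, hi = lo + GUEST_RAM_SIZE;
    return a >= lo && a + n <= hi;
}
static int dma_run_hardened(dma_dev_t *s) {
    if (in_guest_ram(s->cur, sizeof *s->cur)) return -2;  /* reject cross-domain reuse */
    return dma_run(s);
}

/* Guest side: plant a fake descriptor at a guest-physical address of its choosing. */
static void guest_plant_fake_desc(uint32_t at_gpa, const uint8_t *src,
                                  uint32_t dst_gpa, uint32_t len) {
    dma_desc_t fake = { src, dst_gpa, len };
    memcpy(guest_ram + at_gpa, &fake, sizeof fake);
}

/* Simulated pointer corruption (hypothetical bug): the guest can make
 * s->cur point at any guest-physical address. */
static void bug_corrupt_cur(dma_dev_t *s, uint32_t gpa) {
    s->cur = (dma_desc_t *)(guest_ram + gpa);
}

/* Full chain. Returns 1 if host_secret ended up in guest RAM, 0 otherwise. */
int cda_demo(bool hardened) {
    uint8_t scratch[8] = {0};
    dma_dev_t dev = { .legit = { scratch, 0x100, sizeof scratch } };
    dev.cur = &dev.legit;
    memset(guest_ram, 0, sizeof guest_ram);

    /* 1. The guest writes a fake descriptor at gpa 0x800 asking the host to
     *    copy host_secret to gpa 0x200. Knowing the host address of the
     *    target is an assumption of this model (an earlier leak in a real chain). */
    guest_plant_fake_desc(0x800, host_secret, 0x200, sizeof host_secret);
    /* 2. Trigger the pointer corruption so the host uses the fake descriptor. */
    bug_corrupt_cur(&dev, 0x800);
    /* 3. Trigger the gadget. */
    int rc = hardened ? dma_run_hardened(&dev) : dma_run(&dev);
    if (rc != 0) return 0;
    return memcmp(guest_ram + 0x200, host_secret, sizeof host_secret) == 0;
}

int main(void) {
    printf("unhardened gadget leaked host data: %s\n", cda_demo(false) ? "yes" : "no");
    printf("hardened gadget leaked host data:   %s\n", cda_demo(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is step 1: the attacker never has to find or shape a constrained host object, because guest RAM is already a large, fully controlled, host-accessible region, which is exactly the weak isolation the abstract identifies. The hardened variant is only a spot check for one gadget; real device models read guest memory legitimately, so a general mitigation has to distinguish host-owned objects from guest-owned data rather than reject every guest-RAM pointer.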