BU-led Team Takes Second Place at IEEE HOST 2025 Hardware Hacking Competition
Exposes Critical Cloud Hardware Vulnerability in Widely Used Technique
A team from Boston University, in collaboration with researchers at IBM and Red Hat, earned second place at the inaugural hardware hacking competition at the IEEE International Symposium on Hardware Oriented Security and Trust (HOST). In their demonstration, they exposed a critical vulnerability in a common method used by cloud providers to share hardware resources across multiple users.
The demo was led by Chathura Rajapaksha, a BU PhD candidate in Electrical and Computer Engineering (ECE), with BU ECE Professors Manuel Egele and Ajay Joshi; IBM researchers Sandhya Koteshwara, Apoorve Mohan, and Hubertus Franke; and Red Hat researcher Bandan Das.
Their project, titled “Attacking Cloud Systems using Passed-through PCIe Devices,” focused on a key performance optimization known as PCI passthrough. This technique is widely used in cloud environments to give virtual machines (VMs) direct access to physical PCI Express (PCIe) devices like GPUs and NVMe drives. While PCI passthrough boosts performance, the team showed it can also introduce serious security risks.
In a live demonstration, the team showed how a malicious VM could write to a specific, unassigned area of a PCIe device’s configuration space, causing a severe error that either crashes the host or renders the device unusable. The attack is effectively a denial of service (DoS), disrupting all other VMs on the same host until the host is rebooted. Their presentation also explored factors that make this vulnerability possible, looking across different layers of the virtualization stack, including the hardware, system software, and hypervisor implementation.

“This is the first work we’re aware of that shows how writing to an unassigned area of a PCIe device’s configuration space can trigger serious errors, including allowing a VM to take down the host system,” says Chathura. “Our work highlights the need to look beyond just the software stack when securing cloud environments. Staying ahead of emerging threats will require closer collaboration between system architects, virtualization stack developers, and hardware manufacturers.”
The research team believes that this attack demonstration will shed light on an often-overlooked aspect of hardware security, highlighting vulnerabilities that deserve greater scrutiny. By showcasing this attack vector, they aim to encourage deeper research and discussion within the security community, ultimately driving innovation in defensive strategies.
Held May 5–8, 2025, in San Jose, California, this event brought together hardware security enthusiasts, students, and professionals to showcase their skills in real-life hardware and embedded systems hacking.
This work was funded through the 2025 Red Hat Collaboratory Research Incubation Award.