Points: 292

Tags: pwn 

Writeups

| Action | Rating | Author team |
|---|---|---|
| Read writeup | not rated | CSG |
| Read writeup | 4.0 | BFKinesiS |
| Read writeup | 5.0 | the cr0wn |
theKidOfArcrania, Oct. 22, 2018, 7:59 p.m.

Nice job on the writeup!

I exploited the second part of abyss slightly differently. I realized that the kernel memory actually directly mapped to offset 0 in the hypervisor memory; the virtual address of the kernel is just ORed with 0x800000 or something like that. So actually I ended up writing a "read" request to hypervisor to overwrite address zero of kernel and then passing that to "open".