Tags: kernel paging pwn hypervisor kvm
Running BinDiff/Diaphora reveals backdoored `handle_vmread` and `handle_vmwrite` functions in the nested VMX emulation (the handlers for VMREAD/VMWRITE exits from the L1 hypervisor): an arbitrary out-of-bounds (OOB) read/write primitive is exposed through the x86 debug registers. There are many ways to compromise the L1 host at this point. My approach was to gather enough leaks to inject a 1 GB rwx shellcode page into the L1 kernel's PUD tables and hijack the function pointer at `kvm->arch.kvmclock_update_work.work.func`.