From KVM to Mobile Security Platforms - Attacking Hypervisors

Instructors:  zi & Specter
Dates:  June 23 to 26 2025
Capacity:   20 Seats

This training will equip students with an understanding of modern virtualization architecture and attack surfaces with a focus on KVM, while also looking at Samsung Knox's Real-time Kernel Protection (RKP), Huawei's Hypervisor Execution Environment (HHEE). Through structured labs, students will build the intuition to be able to effectively find and exploit design flaws and memory corruption issues within hypervisors, and attack hypervisor-enforced security mechanisms.

Course Topics

We'll start by covering the fundamentals of how hardware-assisted virtualization works and the overall structure of common hypervisors, using Linux KVM as a real-world target to learn from.

• Fundamentals of hardware-based virtualization
• Structure and design of hypervisors
• Auditing source code
• Architectural differences (VMX, SVM, VHE)
• Understanding architectural level operations in KVM
• Model-specific registers (MSRs)

From there, we'll look at the security model and consequences of vulnerabilities in the hypervisor.

• Unique considerations and challenges
• Primitives and attack strategies
• Extended paging and in-depth memory virtualization
• Devices and Memory-Mapped I/O (MMIO)
• Attacking hypervisors using auxiliary devices

The final two days of the training we dive into security-focused hypervisors with a particular emphasis on mobile security platforms.

• Survey of hypervisor-enforced security
• Unique considerations and distinct security features
• Reverse Engineering closed-source hypervisors
• Mobile Security Hypervisors
• Samsung's Real Time Kernel Protection (RKP)
• Huawei Hypervisor Execution Environment (HHEE)
• Gaming console security
• Trends and the future

Students can expect to take part in multiple hands-on labs each day, utilizing a split of theory followed by practical exercises. Labs will include setting up debugging environments, reverse engineering of a mobile hypervisor, and writing a small operating system as an attack platform. We will also analyze, root cause, and exploit real-world N-day vulnerabilities on different hypervisors.

Prerequisites

• Understanding of C and memory semantics
• Knowledge of basic memory corruption exploitation (ROP)
• Familiarity with command line and python scripting
• Some familiarity with reading x86_64 and/or ARM assembly
• Some experience with reverse engineering tools like Ghidra (or Binary Ninja)

HARDWARE REQUIREMENTS

• Modern 64-bit CPU with hardware virtualization support
• Intel Architecture preferred but AMD can be accommodated
• Minimum 16GB RAM
• At least 50GB space
• At least one free USB-A port

SOFTWARE REQUIREMENTS

• VMware Workstation Pro 17
• Ghidra (or Binary Ninja)
• Python 3.10+

WHO SHOULD ATTEND

• Security researchers interested in virtualization
• Penetration testers with a focus on low-level security
• Red teamers
• Platform and system developers
• Kernel developers and researchers

Bio

zi started off as a game developer building anti-cheat and bot detection systems before moving into security consulting. After seven years of breaking into everything from mobile operating systems to cloud services at Security Innovation, worked as an independent researcher and then co-founded Dayzerosec, diving into Android kernel research before shifting focus to hypervisors. Along the way, they've taken on fun side quests, like reviving a long-dead PlayStation 2 game-server by reverse-engineering its client and hacking his university's audience polling system to spoof attendance.

Specter is a security researcher and co-founder of Dayzerosec who specializes in kernel exploitation and virtualization, with a focus on Android mobile research and Linux. He also has been working on console research on the side for six years, and has recently been focusing on the PlayStation 5 hypervisor, and has presented such research.

To Register

Click here to register.