Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.
Training Objectives:
This training will equip students with an understanding of modern virtualization architecture and its attack surfaces, with a focus on KVM, while also looking at Samsung Knox's Real-time Kernel Protection (RKP), Huawei's Hypervisor Execution Environment (HHEE), and Hyper-V. Through structured labs, students will build the intuition to effectively find and exploit design flaws and memory corruption issues within hypervisors, and to attack hypervisor-enforced security mechanisms.
What to Expect? | Key Learning Objectives:
Students can expect to explore how low-level software interacts with hardware to enable virtualization and enforce hypervisor-level security features. The course will have students reverse-engineer, analyze, and exploit vulnerabilities within the core of modern hypervisors, including logic-level design flaws, hardware-assisted attacks, and how memory corruption can be used to undermine hypervisor integrity. Students will gain direct experience working with multiple hypervisors, starting with KVM on x86-64, and moving into security hypervisors like Samsung Knox RKP and Huawei's HHEE.
Training Detailed Description:
Day 1: Intro and KVM
- Fundamentals of hardware-based virtualization
- Structure and design of hypervisors
- Navigating KVM Source Code
- Architectural differences (VMX, SVM, VHE)
- Understanding VMX/SVM operations in KVM
- Model-specific registers (MSRs)
- Case-study of KVM logic vulnerability
- [Lab] Setting up a working environment and debugging for KVM
- [Lab] Writing a mini OS for attacking hypervisors
- [Lab] Diffing & Exploiting a KVM design flaw
Day 2: Advanced hypervisor exploitation
- Overview of memory corruption in hypervisors
- Unique considerations and challenges
- Common primitives and attack strategies
- Extended paging and in-depth memory virtualization
- [Lab] Exploiting a KVM memory corruption bug
- Devices and Memory-Mapped I/O (MMIO)
- [Lab] Attacking KVM from auxiliary devices
Day 3: Security Hypervisors
- Survey of hypervisor-enforced security
- Unique considerations and distinct security features
- Mobile Security Hypervisors (RKP and HHEE)
- Microsoft Hyper-V
- Sony PlayStation 5
- Challenges and approaches
- Samsung RKP or Huawei HHEE
- [Lab] Reverse engineering RKP/HHEE
- [Lab] Exploiting a security hypervisor bug
- Trends and the future
Who Should Attend? | Target Audience:
- Security researchers interested in virtualization
- Penetration testers with a focus on low-level security
- Red teamers
- Platform and system developers
- Kernel developers and researchers
What to Bring? | Software and Hardware Requirements:
Laptop
- Modern 64-bit CPU with hardware virtualization support
- Intel Architecture preferred but AMD can be accommodated
- Minimum 16GB RAM
- At least 50GB space
- At least one free USB-A port
What to Bring? | Prerequisite Knowledge and Skills:
- Understanding of C and memory semantics
- Knowledge of basic memory corruption exploitation (ROP)
- Familiarity with the command line and Python scripting
- Some familiarity with reading x86_64 and/or ARM assembly
- Some experience with reverse engineering tools like Ghidra (or Binary Ninja)
Resources Provided at the Training | Deliverables:
- A USB drive containing training material
- Slides and lab information
- Software installers
- Ubuntu Virtual Machine image
- Scripts and a self-hosted wiki for background information and reference
ABOUT THE TRAINERS
zi started off as a game developer building anti-cheat and bot detection systems before moving into security consulting. After seven years of breaking into everything from mobile operating systems to cloud services at Security Innovation, zi worked as an independent researcher and then co-founded Dayzerosec, diving into Android kernel research before shifting focus to hypervisors. Along the way, they've taken on fun side quests, like reviving a long-dead PlayStation 2 game server by reverse-engineering its client and hacking his university's audience polling system to spoof attendance.
Specter is a security researcher and co-founder of Dayzerosec who specializes in kernel exploitation and virtualization, with a focus on Android mobile research and Linux. He has also been doing console research on the side for six years, has recently been focusing on the PlayStation 5 hypervisor, and has presented that research at previous Hardwear.IO conferences.