Besides their common use for system virtualization, hypervisors have been adopted in the Android ecosystem as a kernel protection against runtime attacks. Each OEM/vendor is free to implement its own hypervisor using the ARM virtualization extensions. Due to the general lack of proper debugging and system inspection support in the Android ecosystem, such implementations have been extremely difficult to audit, reverse engineer, or debug. This situation has been further aggravated by OEMs/vendors failing to publicly provide documentation, source code, tools, etc.
This presentation focuses on the emulation of proprietary hypervisors under QEMU, which gives users full control over the emulated system, including debugging. In detail, we will provide information on ARM system development and the virtualization extensions, illustrating the concepts introduced with a framework we developed that contains the essential functionality to bootstrap the Samsung S8 proprietary hypervisor and interact with it. We will then build on this knowledge to incorporate fuzzing capabilities into this setup.
By the end of this presentation, the audience/readers are expected to have an understanding of the ARM virtualization extensions and of the various system requirements/constraints involved in auditing and reverse engineering other hypervisors, so that they can extend the provided minimal framework or implement their own, tailored to the needs of the hypervisor under examination.
Aristeidis (Aris) Thallas is a computer security researcher at CENSUS S.A. His interests include vulnerability research, reverse engineering, source code auditing, and exploit development. In the past he used to build robots.