Hypervisor Development for Security Analysis
Satoshi Tanda


31st Jan - 3rd February 2022






This course provides students the skills and knowledge to develop their thin hypervisors as UEFI modules using Intel VT-x. This is a hands-on heavy class and will spend about half of the time with excesses.


This class is geared towards software developers, security researchers and others with an interest in expanding knowledge of Intel VT-x, the x86_64 system architecture, and/or UEFI.


    • Strong experience in C (or C++) programming.
    • Familiarity with the x86_64 architecture, such as privilege levels, CR3, page fault, present bit, large pages, and how a processor indexes the four levels of page tables from a virtual address.
    • System programming experience, such as kernel-module development, is a plus but not a requirement.

Learning Objectives

At the end of the class, students will gain enough knowledge and skills to start developing their thin UEFI-based hypervisors. Knowledge-wise, this includes but not limited to the understanding of:

    • Key concepts of VT-x and programming interfaces
    • Execution environment changes during OS boot and their influence on the hypervisor design
    • Subtle yet critical technologies such as memory types and caches
    • Application Processors (APs) start up, and emulation by a hypervisor
    • "Owning" control registers and challenges with it
    • General UEFI-module development workflow and tools
    • The pros and cons of UEFI-based vs OS kernel module-based hypervisors


1. UEFI and Hypervisors

    • Lectures: why UEFI for hypervisors, differences from OS kernel drivers, EDK2, introduction to high-level design options
    • Lab: setting up the lab environment
    • Lab: debugging firmware modules and logging output

2. Basics of VT-x

    • Lectures: processor modes, VMCS, "host" vs "guest", VM-exit and VM-entry
    • Lab: configuring host and guest
    • Lab: starting host and guest, monitoring system activities

3. OS Boot

    • Lectures: system boot phases, boot time vs runtime, physical vs virtual mode, and runtime drivers for monitoring OS activities
    • Lab: controlling VM-exits with MSR bitmaps
    • Lab: building host page tables, IDT and GDT
    • Lab: tracing guest page faults with exception interception and event injection


4. Extended Page Tables (EPT)

    • Lectures: address translation, EPT setup and activation, EPT induced VM-exits, memory types, caches, VPID, and VT-d (DMA remapping)
    • Lab: reviewing address translation mechanisms with and without EPT
    • Lab: enabling EPT and tracing guest execution
    • Lab: emulating memory types

5. Multi-processors Support

    • Lectures: multi-processor protocol, processor activity state, application processors startup, unrestricted guest and Hypervisor Top Level Functional Specification (TLFS)
    • Lab: virtualizing all processors
    • Lab: emulating INIT-SIPI-SIPI
    • Lab: starting application processors

6. Control Register Shadowing

    • Lectures: control register guest/host mask, read shadow, effects, and emulation of control register changes
    • Lab: "owning" control registers
    • Lab: booting Ubuntu by properly emulating MOV-to-CRx

Contents may change in a way that does not impact the learning objectives.


Hypervisors are becoming more important in cloud computing and security. There is also an increasing interest in using hypervisors in the area of security engineering and analysis. How can hypervisors help protect against tampering of the guest OS or other software? How can it be used in malware analysis?

This course provides students the skills and knowledge to develop their hypervisors using Intel VT-x. Sample code is built from scratch and optimized for learning. This allows students to better understand the building blocks and expand the knowledge acquired in the course by themselves. Topics include UEFI firmware programming, VT-x/EPT configuration, debugging tools and tricks for both VMs and bare-metals, and more.

This is a hands-on-oriented class. The students can learn and retain concepts and skills the best by working with those by themselves and not by being taught; hence gaining the greatest value. With this philosophy, the class is designed for lab activities as the primary learning opportunities, and lectures explain backgrounds for the lab activities.

At the beginning of the class, students will receive skeleton implementations of hypervisors and incrementally update them through the lab activities with a clear understanding of motivations and design choices.

Additionally, students will receive an enhanced version of the hypervisor at the end of the class. This includes handling of uncommon events like microcode update and NMI, more capabilities such as guest virtual memory access and HyperGuard like guest protection, and hardening of itself using CET, SMEP, SMAP, restrictive read-only page tables, and more. This version can be used as a reference to explore more advanced topics after the course.

Hardware and Software Requirements

The students are expected to have the following hardware and software:

    • The host machine with the Intel processor, SSD, and 8GB+ RAM
    • For Windows users
    • Windows 10 x64 build 19044 (a.k.a. 21H2) without Virtualization-base Security (VBS) enabled
    • Ubuntu 20.04 on WSL version 1
    • VMware Workstation Pro or VMware Workstation Player 16
    • For Linux users
    • Ubuntu 20.04
    • VMware Workstation Pro 16
    • As VMs, Windows 10 x64 build 19044 and Ubuntu 20.04

The newer versions of the operating systems and other software are supported. Another Linux distro may be workable but unsupported. The macOS host or other hypervisors such as KVM, Hyper-V, or VirtualBox cannot be used.

The host system can also be a cloud-provided machine if the host machine cannot be arranged locally. We recommend the student to look into:

    • Scaleway's bare metal server GP-BM1-S for a Linux host, and
    • Amazon's bare metal server m5zn.metal for a Windows host

The students are expected to complete the setup instructions that will be sent by the instructor before the class.


Satoshi Tanda (@standa_t) is a system software engineer and a security researcher with more than a decade of experience. His experience spans over the areas of UEFI- and Windows kernel-module programming and reverse engineering, vulnerability discovery and exploitation, malware analysis, and teaching them to professionals and school students. He open-sourced multiple hypervisors for security researchers, including type-1 and type-2 hypervisors on Intel and AMD processors. He currently works at CrowdStrike.

Satoshi Tanda

Satoshi Tanda

Limited Seats - Remember to reserve your ticket!

register now