Don't Believe The Hype(rvisor)

Daniel Komaromy & Laszlo Szapula | Day 2, 3:50pm - 4:35pm

Abstract

A security tale as old as time: if we added one more layer of mitigation, the OS would finally be safe from exploit attempts. Like other concepts before, hypervisors have been heralded as the key to kernel integrity protection. As we know from past research, however, various vendor implementations have come up short under scrutiny. Nonetheless, Huawei introduced a Hypervisor layer in their Kirin chipsets in order to make kernel security stronger as well. As Tobias Fünke would say: though it didn't work for those people, it might just work for them! Our curiosity led us to put that to the test and see if we can blow past Huawei's HKIP implementation and the custom Hypervisor architecture underpinning it.

This talk will discuss the details of this Hypervisor, introducing the relevant details of the ARM architecture's Hypervisor support and Huawei's implementation of the concept, focusing on the mitigations it is meant to add against Linux kernel exploitation. We will explain how we went beyond manual reverse engineering and built an emulator for the Hypervisor firmware, which allowed us to learn its inner workings better, as well as build an efficient fuzzing harness for it. Finally, we'll discuss the vulnerability we have found and exploited in order to bypass its security guarantees.

The Speaker(s)

Daniel Komaromy


Daniel Komaromy (kutyacica) has worked in the mobile security field his entire career, going on 15+ years of vulnerability research experience playing both defense and offense. He has won Pwn2Own, presented his research at industry-leading conferences like Black Hat, REcon, and CanSecWest, and disclosed scores of critical vulnerabilities in leading mobile vendors' products. Daniel is the founder of TASZK Security Labs, a vulnerability-research-oriented security consultancy outfit, and he still follows the motto: there's no crying in baseband!

Laszlo Szapula


Laszlo Szapula (LaTsa99) started as an intern at TASZK Security Labs and is now a full-time member of the vulnerability research team, where he converts Ghidra projects and Club Mates into reverse-engineered code. He is focused on the low-level security of Android-based smartphones, including the Android kernel, hypervisors, trustzones and basebands. As a presenter, his experience includes delivering mobile exploitation trainings at conferences like OffensiveCon and Hardwear.io.