From KVM to Mobile Security Platforms - Attacking Hypervisors

4800€ | 6th to the 9th of October 2025

This training will equip students with an understanding of modern virtualization architecture and attack surfaces, with a focus on KVM, while also looking at Samsung Knox's Real-time Kernel Protection (RKP) and Huawei's Hypervisor Execution Environment (HHEE). Through structured labs, students will build the intuition needed to effectively find and exploit design flaws and memory corruption issues within hypervisors, and to attack hypervisor-enforced security mechanisms.


Objectives of the training

  • Exploit complex yet realistic scenarios
  • Bypass common security mechanisms such as MFA or PIM
  • Compromise CI/CD infrastructures based on Azure DevOps
  • Stay under the radar by analyzing event logging
  • Field experience from 2 red team operators

The trainers

Who will run this training?

zi

zi started off as a game developer building anti-cheat and bot detection systems before moving into security consulting. After seven years of breaking into everything from mobile operating systems to cloud services at Security Innovation, they worked as an independent researcher and then co-founded Dayzerosec, diving into Android kernel research before shifting focus to hypervisors. Along the way, they've taken on fun side quests, like reviving a long-dead PlayStation 2 game server by reverse-engineering its client and hacking their university's audience polling system to spoof attendance.

Specter

Specter is a security researcher and co-founder of Dayzerosec who specializes in kernel exploitation and virtualization, with a focus on Android mobile research and Linux. He has also been working on console research on the side for six years, most recently focusing on the PlayStation 5 hypervisor, on which he has presented his research.

Syllabus

What will we do?

We’ll start by covering the fundamentals of how hardware-assisted virtualization works and the overall structure of common hypervisors, using Linux KVM as a real-world target to learn from.

  • Fundamentals of hardware-based virtualization
  • Structure and design of hypervisors
  • Auditing source code
  • Architectural differences (VMX, SVM, VHE)
  • Understanding architectural level operations in KVM
  • Model-specific registers (MSRs)

From there, we’ll look at the security model and consequences of vulnerabilities in the hypervisor.

  • Unique considerations and challenges
  • Primitives and attack strategies
  • Extended paging and in-depth memory virtualization
  • Devices and Memory-Mapped I/O (MMIO)
  • Attacking hypervisors using auxiliary devices

In the final two days of the training we dive into security-focused hypervisors, with a particular emphasis on mobile security platforms.

  • Survey of hypervisor-enforced security
  • Unique considerations and distinct security features
  • Reverse engineering closed-source hypervisors
  • Mobile Security Hypervisors
  • Samsung’s Real Time Kernel Protection (RKP)
  • Huawei Hypervisor Execution Environment (HHEE)
  • Gaming console security
  • Trends and the future

Students can expect to take part in multiple hands-on labs each day, each combining theory with practical exercises. Labs will include setting up debugging environments, reverse engineering a mobile hypervisor, and writing a small operating system as an attack platform. We will also analyze, root-cause, and exploit real-world N-day vulnerabilities in different hypervisors.

Prerequisites

  • Understanding of C and memory semantics
  • Knowledge of basic memory corruption exploitation (ROP)
  • Familiarity with the command line and Python scripting
  • Some familiarity with reading x86_64 and/or ARM assembly
  • Some experience with reverse engineering tools like Ghidra (or Binary Ninja)

HARDWARE REQUIREMENTS

  • Modern 64-bit CPU with hardware virtualization support
  • Intel Architecture preferred but AMD can be accommodated
  • Minimum 16GB RAM
  • At least 50GB space
  • At least one free USB-A port

SOFTWARE REQUIREMENTS

  • VMware Workstation Pro 17
  • Ghidra (or Binary Ninja)
  • Python 3.10+

WHO SHOULD ATTEND

  • Security researchers interested in virtualization
  • Penetration testers with a focus on low-level security
  • Red teamers
  • Platform and system developers
  • Kernel developers and researchers
