This is a follow-up to the Samsung RKP Compendium blog post which provided a comprehensive reference of the security hypervisor's inner workings. In this blog post, we will detail how we attacked Samsung RKP. We will reveal 3 vulnerabilities that we have used to compromise the hypervisor and its assurances. We will also explain how we came up with the exploitation paths for these vulnerabilities. Finally, we will take a look at the patches released by Samsung after we reported them.
After an in-depth analysis of the NPU OS and its interaction with the Android kernel, this second part gives a more offensive outlook on this component. We will go through the main attack vectors to target it and detail two vulnerabilities that can be chained together to get code execution in the NPU from the NPU driver before pivoting back into the kernel.
This series of blog posts aims to describe and explain the internals of a recent addition to Samsung's system-on-chips, namely their Neural Processing Unit. The first part digs into the internals of the NPU and the second one focuses on the exploitation of some vulnerabilities we found in the implementation. If you're interested in reversing a minimal OS, want to understand how Android interacts with peripherals and do exploitation like it's the early 2000s, this series might be for you.
The goal of this blog post is to serve as a comprehensive reference of Samsung RKP's inner workings. It enables anyone to start poking at this obscure code that is executing at a high privilege level on their device. We will also reveal a now-fixed vulnerability that allows getting code execution at EL2 in Samsung RKP. It is a good example of a simple mistake that compromises platform security as the exploit consists of a single call that allows getting hypervisor memory writable at EL1.
Copyright © Impalabs 2021