All recent Huawei devices ship with a security hypervisor, a defense-in-depth measure designed to enhance kernel security. Unlike other OEMs, Huawei encrypts this privileged piece of software, which is why it has received little to no public scrutiny. With this blog post, we aim to cast light on its inner workings and provide an in-depth analysis of its implementation, from its entry point to the functions dedicated to protecting the kernel at runtime.
Impalabs is releasing Hyperpom, a 64-bit ARM binary fuzzer written in Rust and built on Apple Silicon's hypervisor. It is mutation-based and coverage-guided. This article gives an overview of its internals, presents the components it consists of and how they relate to each other, and, most importantly, gathers all the resources you need to get started fuzzing your own 64-bit ARM targets.
After an in-depth analysis of the NPU OS and its interaction with the Android kernel, this second part takes a more offensive look at the component. We go through the main attack vectors for targeting it and detail two vulnerabilities that can be chained together to get code execution in the NPU from the NPU driver, before pivoting back into the kernel.
This series of blog posts describes and explains the internals of a recent addition to Samsung's system-on-chips, namely their Neural Processing Unit. The first part digs into the internals of the NPU and the second one focuses on the exploitation of some vulnerabilities we found in the implementation. If you're interested in reversing a minimal OS, want to understand how Android interacts with peripherals, and want to do exploitation like it's the early 2000s, this series might be for you.
Copyright © Impalabs 2021-2023