This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After revealing three vulnerabilities leading to the compromise of the hypervisor or of its assurances, we also describe the exploitation paths we came up with. Finally, we take a look at the patches made by Samsung following our report.

After an in-depth analysis of the NPU OS and its interaction with the Android kernel, this second part gives a more offensive outlook on this component. We will go through the main attack vectors to target it and detail two vulnerabilities that can be chained together to get code execution in the NPU from the NPU driver before pivoting back into the kernel.