This course is intended for those who want to gain a working understanding of hypervisors to the point of being comfortable navigating their source code, reverse engineering them for vulnerability research or feature identification, or starting their own hypervisor development project.
We not only walk through the designs of hypervisors at a high level (mapping out their capabilities, including supporting code that leverages hypervisors, such as VMBUS and other backdoor or guest<->host communication methods), we also dive into low-level implementation details through direct methods such as reverse engineering, and through emulation and hypervisor-based dynamic analysis, where we leverage both hypervisor debugging capabilities and custom modifications to emulators such as Bochs or Qemu.
This course is the first in its series and assumes no prior hypervisor knowledge. The hypervisors we analyze will be x86-64 based and cover both Type 1 & 2 hypervisors, though many of the design concepts also apply to other architectures.
Upon course completion, students will have practical experience debugging and analyzing modern hypervisors such as Hyper-V and KVM, both statically and dynamically.
Students will also have a working understanding of the various components that form hypervisors today, including guest-to-host communication mechanisms such as VMBUS, and the existing code in KVM, Hyper-V and VMware that leverages these mechanisms to provide performance benefits or extra capabilities to “enlightened” guests.
Students will also have developed their own custom OS in Rust to leverage in our capstone project of fuzzing and rediscovering a hypervisor N-day. This builds upon the hypervisor knowledge gained in the course to successfully interact with the vulnerable components in the target hypervisor and trigger the bug.
Overall, this course serves as a strong and practical foundation of hypervisor knowledge and hands-on experience to leverage in any field working with hypervisors.
Walk through not only the high-level designs of hypervisors but also the low-level logic and hardware primitives that drive them, utilizing our own custom code for dynamic analysis, including creating a custom OS from scratch in Rust and triggering a hypervisor N-day.
Christopher Vella has extensive experience with hypervisors, both with custom hypervisor development and vulnerability research, including discovering multiple critical 0-days against Hyper-V while on Microsoft’s MORSE team.
Christopher also has advanced knowledge of Windows internals, kernel development, reverse engineering and emulator development, having contributed bug fixes to the virtualization emulation code in Bochs and developed hypervisors for stealth full-system debugging.