Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks

Conference:  Defcon 27



The presentation discusses the use of VMI and machine learning in detecting and preventing advanced malware attacks.
  • VMI can be used for detection and policy implementation without putting anything inside the operating system
  • Machine learning can be used to detect anomalies in device profiles and control flow sequences
  • Delay execution is a challenge in detecting advanced malware attacks
  • Constant updating of techniques is necessary to keep up with evolving malware tactics
The speaker explains how machine learning can be used to detect anomalies in device profiles by comparing the reconstructed profile generated by an auto encoder to the actual profile running in the device. If the error level is high, it indicates a malicious process. The speaker also illustrates the challenge of delay execution in detecting advanced malware attacks and the need for constant updating of techniques to keep up with evolving malware tactics.


Historically, hypervisors have existed in the cloud for efficient utilization of resources, space, and money. The isolation feature is one of the reasons hypervisors are heavily moving to other ecosystems, like Automobiles, so that for example, if an Infotainment crashes, it does not affect other sensitive ECUs like ADAS. Blackberry QNX and AGL announced the use of hypervisors in their deployments on Cars. The trending is real, but there is a big challenge! Most of the systems in Cars and Medical devices run on ARM, plus, protection at the hypervisor level is still limited. So, is it possible to have a framework that runs at the hypervisor level, able to monitor at the OS level and most important, capable to identify and kill threats coming into the monitored devices? During this talk we will walk you through the steps needed to setup a framework running on Xilinx ZCU102 board able to monitor ARM-based devices and to kill malicious threats identified. Also will discuss challenges on syscall monitoring, single-stepping limitations, techniques to stay stealthy, techniques to detect and kill traditional malware seen in enterprise like Ransomware, Heap Exploits and capabilities on VM Escape attacks and feasibilty to detect Spectre-like exploits.