Kunal Mehta
@kmgkv1
System software and security engineer working @Intel, passionate about cyber security and platform security. Views expressed are my own, not my employer’s.
24H2 enables HVPT (VT-rp / HLAT) to prevent remapping attacks. You can check if it is enabled with msinfo32, systeminfo, or @aall86 's sktool v1.2+. Here is also some sample code for that, to save you time with reversing. gist.github.com/tandasat/890d4…
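The tweet above names three ways to check whether HVPT is running. A scriptable fourth way is the Win32_DeviceGuard WMI class, which backs the "Virtualization-based security Services Running" line in msinfo32. The PowerShell below is an added example, not code from the tweet or from the linked gist; it assumes, per Microsoft's Win32_DeviceGuard documentation, that value 7 in SecurityServicesRunning means Hypervisor-Enforced Paging Translation (HVPT) and that values 0, 1, 2 of VirtualizationBasedSecurityStatus mean disabled, enabled-but-not-running, and running.

```powershell
# Added example: report VBS status and the running VBS services, and flag HVPT.
# Assumption (from Microsoft's Win32_DeviceGuard docs): SecurityServicesRunning
# codes are 1=Credential Guard, 2=HVCI, 3=System Guard Secure Launch,
# 4=SMM Firmware Measurement, 5/6=kernel hardware-enforced stack protection
# (enforced/audit), 7=Hypervisor-Enforced Paging Translation (HVPT).
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode hardware-enforced stack protection'
    6 = 'Kernel-mode hardware-enforced stack protection (audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation (HVPT)'
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if (-not $dg) {
    Write-Error 'Win32_DeviceGuard not available; VBS is probably not supported on this machine.'
    return
}

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'Disabled' }
    1       { 'Enabled, not running' }
    2       { 'Running' }
    default { "Unknown ($_)" }
}
Write-Host ("VBS status: {0}" -f $vbsState)

foreach ($code in $dg.SecurityServicesRunning) {
    $name = if ($serviceNames.ContainsKey([int]$code)) { $serviceNames[[int]$code] }
            else { "Unknown service code $code" }
    Write-Host ("  running: {0}" -f $name)
}

# HVPT is only reported on builds that know about it (24H2+); on older builds
# code 7 simply never appears, which this check reports as "False".
$hvptRunning = @($dg.SecurityServicesRunning) -contains 7
Write-Host ("HVPT (VT-rp / HLAT) running: {0}" -f $hvptRunning)
```

Run it from any PowerShell prompt; no elevation is needed to read the class. If the result disagrees with sktool or msinfo32, trust the tool that reads the hypervisor directly, since the WMI class only reflects what the OS reports about itself.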
"Bypassing the HVCI memory protection" at #HEXACON2023 discusses the remapping attack with an application to code pages. If you wonder what mitigates this, you can check out HLAT (VT-rp) youtube.com/watch?v=WWvd2_…
A new blog post on Intel VT-rp! Part 1 is about how HLAT prevents the remapping attack, taking Windows as an example platform. tandasat.github.io/blog/2023/07/0… Sample hypervisor code: github.com/tandasat/Hello…
A new blog post on supervisor shadow stack restrictions / supervisor shadow-stack control tandasat.github.io/blog/2025/04/0…
Nice to see Intel and MSFT's posts on VT-rp / HVPT. If you are interested in playing with the feature, simple example code is here: github.com/tandasat/Hello…
Intel VT-rp community.intel.com/t5/Blogs/Tech-…
Paged Out! #6 is out! pagedout.institute Totally free, 80 pages, best issue so far! 'nuff said, enjoy! (please RT to help spread the news!)
I created a hypervisor-based emulator for Windows x64 binaries. This project uses Windows Hypervisor Platform to build a virtualized user-mode environment, allowing syscalls and memory accesses to be logged or intercepted. elastic.co/security-labs/… Project: github.com/x86matthew/Win…
I've published the repo for Byepervisor (we love named vulns out here). Contains exploit implementation for two PS5 hypervisor bugs for 2.xx and lower. Slides from the talk + vod should hopefully be published soon. github.com/PS5Dev/Byeperv…
Heap exploitation, glibc internals and nifty tricks. blog.quarkslab.com/heap-exploitat…
Reducing the attack surface in the Azure hypervisor with a Rust VMM and hardware offload: techcommunity.microsoft.com/t5/windows-os-…
V8 Sandbox escape/bypass/violation and VR collection github.com/xv0nfers/V8-sb…
I'm excited about the progress on Virtualization-based Security being ported from Windows to Linux: lpc.events/event/17/contr… Ubuntu-LVBS is here: github.com/heki-linux/lvb…
Write up of the HVCI bypass vuln (CVE-2024-21305) with @aall86 ! tandasat.github.io/blog/2024/01/1…
Intel Labs Contributes Key Technologies to New Intel Core Ultra and Intel Xeon Scalable Processors
- Datapath and Register File Technologies in NPU
- DLVR
- Side-Channel Resistant AES
- Quantum Resistance
- Redesign of VT-d
- AEX-Notify
community.intel.com/t5/Blogs/Tech-…
Linux kernel merged the x86 shadow stack support, part of Intel's Control-flow Enforcement Technology (CET): git.kernel.org/pub/scm/linux/…
...Glad to see that my tool is used by a PRO like @dwizzzleMSFT ... and glad to see that we can finally introduce HVPT publicly :-)
ayyyyyyyyyy HLAT PTE protection is ALIVE @FuzzySec
In this post I'll use CVE-2023-3420, an incorrect side-effect modelling bug in the JIT compiler that I reported to Chrome, to gain sandboxed remote code execution in the renderer: github.blog/2023-09-26-get…