Samsung H-Arx Hypervisor Vulnerabilities

A digital house of cards. That’s what security researchers are calling Samsung’s H-Arx hypervisor framework as they uncover its hidden vulnerabilities. The successor to Samsung’s Real-time Kernel Protection (RKP), H-Arx operates at the EL2 privilege level on ARM processors, wielding considerable power over your device. Loaded by Samsung’s bootloader to address 0xc0000000, it’s designed to be an impenetrable fortress. Spoiler alert: it’s not.

H-Arx boasts impressive security features on paper. Real-time kernel protection, Kernel Data Protection for sensitive structures, hardware-level control through Hypervisor Device Manager, secure boot verification, and app isolation through containerization. Sounds bulletproof, right? Yeah, about that…

Fancy features mean nothing when your security fortress is built on quicksand.

CVE-2019-19273 revealed an arbitrary zero-write vulnerability in RKP. Affected devices included Samsung S8 and Note8 models with the Exynos 8895 chipset. But that’s just the tip of the iceberg. Researchers discovered flaws allowing EL2 code execution, issues with page table permission changes, and vulnerabilities in hypervisor memory management. These aren’t just minor bugs – they’re gaping security holes.

Hackers aren’t sitting idle. They’re exploiting these weaknesses through hypervisor calls, manipulating stage 2 page table entries, and targeting hypervisor initialization routines. The result? Compromised kernel integrity, bypassed security features, privilege escalation, and unauthorized hardware access. Your “secure” Samsung device isn’t looking so secure anymore.

Samsung isn’t completely asleep at the wheel. They’re pushing security updates, refactoring the hypervisor design, implementing additional integrity checks, and improving component isolation. These efforts mirror the defense-in-depth approach recommended by cybersecurity experts for comprehensive protection. Better late than never.

The security community continues to reverse engineer H-Arx, exploring emulation techniques for vulnerability research and investigating hardware-assisted security features. The framework relies on a two-stage address translation process: ARM’s virtualization extensions let the hypervisor apply its own memory permissions at stage 2, separate from the permissions the kernel sets at stage 1. It’s a cat-and-mouse game between Samsung and security researchers.
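As an added example (not code from H-Arx, Samsung or the original article), the following C models how stage 1 and stage 2 permissions combine under the ARMv8-A descriptor layout, and flags pages where stage 2 alone would permit both write and execute. The function names and sample descriptors are constructed for illustration; the model assumes leaf page descriptors without FEAT_XNX and ignores SCTLR_EL1.WXN.

```c
#include <stdbool.h>
#include <stdint.h>

#define BIT(n) (1ULL << (n))
enum { P_R = 1, P_W = 2, P_X = 4 };

/* Stage 1 leaf descriptor (kernel-owned), permissions for EL1 accesses:
 * bit 0 = valid, AP[2] (bit 7) = read-only, PXN (bit 53) = no EL1 execute. */
unsigned s1_el1_perms(uint64_t d) {
    if (!(d & BIT(0))) return 0;
    return P_R | ((d & BIT(7)) ? 0 : P_W) | ((d & BIT(53)) ? 0 : P_X);
}

/* Stage 2 leaf descriptor (hypervisor-owned): S2AP bit 6 = read,
 * bit 7 = write, XN = bit 54 (assumes no FEAT_XNX). Simplification:
 * execute is modelled as also requiring stage 2 read permission. */
unsigned s2_perms(uint64_t d) {
    if (!(d & BIT(0))) return 0;
    unsigned p = ((d & BIT(6)) ? P_R : 0) | ((d & BIT(7)) ? P_W : 0);
    if ((p & P_R) && !(d & BIT(54))) p |= P_X;
    return p;
}

/* An access has to pass both stages, so the result is the intersection. */
unsigned effective_perms(uint64_t s1, uint64_t s2) {
    return s1_el1_perms(s1) & s2_perms(s2);
}

/* True when stage 2 alone allows write+execute and only the kernel's own
 * stage 1 entry currently prevents it: the hypervisor enforces nothing. */
bool relies_on_stage1(uint64_t s1, uint64_t s2) {
    unsigned wx = P_W | P_X;
    return (s2_perms(s2) & wx) == wx && (effective_perms(s1, s2) & wx) != wx;
}

/* Constructed sample descriptors (bits 1:0 = 0b11 page, bit 10 = AF). */
#define S1_TEXT (0x3 | BIT(10) | BIT(7))                    /* RO, executable */
#define S1_DATA (0x3 | BIT(10) | BIT(53))                   /* RW, PXN        */
#define S2_RX   (0x3 | BIT(10) | BIT(6))                    /* read + execute */
#define S2_RW   (0x3 | BIT(10) | BIT(6) | BIT(7) | BIT(54)) /* RW, XN         */
#define S2_RWX  (0x3 | BIT(10) | BIT(6) | BIT(7))           /* too permissive */
const uint64_t SAMPLE[3][2] = {{S1_TEXT, S2_RX}, {S1_DATA, S2_RW}, {S1_TEXT, S2_RWX}};

/* Count pages whose stage 2 entry leaves W^X enforcement to the kernel. */
unsigned audit(const uint64_t (*pg)[2], unsigned n) {
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++) hits += relies_on_stage1(pg[i][0], pg[i][1]);
    return hits;
}
int main(void) { return audit(SAMPLE, 3) == 1 ? 0 : 1; }
```

The third sample page looks read-only and executable in the combined view, yet its stage 2 entry would grant write access the moment the kernel's stage 1 entry changed, which is the case a hypervisor-enforced protection is meant to rule out.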

The modular design of H-Arx – with its core in C and plugins in Rust – shows Samsung’s attempt at modernizing their approach. But as these vulnerabilities demonstrate, even the most sophisticated security frameworks can crumble under scrutiny. Trust, but verify. Or in this case, maybe just verify.
