TUM Logo

Analysis of ACRN Hypervisor Interfaces for Grey-Box Fuzzing

Analysis of ACRN Hypervisor Interfaces for Grey-Box Fuzzing

Supervisor(s): Felix Wruck, Vincent Ahlrichs, Joana Pecholt
Status: finished
Topic: Others
Author: Guilhem Roy
Submission: 2022-10-17
Type of Thesis: Masterthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


Hypervisors are increasingly used in IoT devices as virtualization adds an additional layer of security. Virtualization is used
to run multiple, isolated software stacks concurrently on one device. Hypervisors in IoT are especially useful to isolate critical
infrastructure from other system components. ACRN is a hypervisor designed for embedded systems. It can run multiple VMs and offers
them a wide variety of interfaces to access resources and manage other VMs. Any vulnerability in these interfaces that a VM can exploit
can have far-reaching consequences. It can compromise the hypervisor and all other VMs running on the same machine. For this reason, it
is important to find bugs and vulnerabilities before they can be exploited by malicious agents. An efficient method for this is called
fuzz-testing. It consists in performing a large amount of tests with random or semi-random input at a high frequency to achieve a large
test coverage of the fuzzing target.  Many different fuzzers exist and have proven their effectiveness by finding a wide variety of bugs
in numerous applications.

Applying fuzzing to a hypervisor is not a trivial task due to the diversity of the interfaces and the high statefulness of the target.
Choosing the right fuzzer and environment to efficiently test the target hypervisor requires complex preparation and manual examination
of the interfaces. This initial process adds a large overhead to the testing time and makes fuzzing overall less efficient and scalable.

In this thesis, we propose a general taxonomy to classify the interfaces of a hypervisor and select the appropriate fuzzing setup to test
them. To create this taxonomy, we first analyze the interfaces from ACRN with fuzzing in mind. The taxonomy we derive from this analysis
can be applied to all kinds of hypervisors to find an adequate fuzzing setup. We apply this methodology to implement a fuzzing campaign
on multiple hypervisor interfaces.