Description
Hypervisors have been steadily rising in popularity, especially in the domain of cloud computing, where they play a key role in up
keeping the isolation between different clients. To avoid breaches of this isolation, we require reliable techniques for scrutinizing
hypervisors.
One of the most predominant technique for vulnerability discovery in software is fuzzing, which is proven by the vast number of
hypervisor fuzzing tools, proposed by both industry and academia. However, existing solutions focus on fuzzing a hand-picked
subset of hypervisor interfaces, which leaves several potential vulnerabilities undiscovered. In this thesis, we decide to take a more
holistic approach and attempt to cover all hypervisor interfaces by directly targeting VM-exits. For this, we propose a methodology
that automatically derives guest states that trigger the analyzed VM-exits. Furthermore, we build a custom compiler-based lightweight
symbolic execution for the target hypervisor, which reports conditional operations imposed on guest state via instrumented hypervisor
hooks. We apply constraint solving on the information retrieved at run-time, at bit granularity, which assists the fuzzer in exploring
deeper code paths of the hypervisor.
We implement a prototype that targets the Intel VMX component of the Xen hypervisor by integrating our compiler-based lightweight
symbolic execution into kAFL.
Our evaluation shows that our initial VM state generation is sufficient in triggering numerous VM-exits (>50%), while our compiler-assisted
instrumentation does not hinder high-throughput fuzzing. Finally, our tests show that our fuzzing setup provides higher coverage compared
to existing fuzzers and is able to discover vulnerabilities hidden behind various complex constraints.
|
