Description
Hypervisors have been steadily rising in popularity, especially in cloud computing, where they play a key role in upholding the isolation between different clients. To avoid breaches of this isolation, we require reliable techniques for scrutinizing hypervisors. One of the most prevalent techniques for vulnerability discovery in software is fuzzing, as evidenced by the vast number of hypervisor fuzzing tools proposed by both industry and academia. However, existing solutions focus on fuzzing a hand-picked subset of hypervisor interfaces, which leaves several potential vulnerabilities undiscovered. In this thesis, we take a more holistic approach and attempt to cover all hypervisor interfaces by directly targeting VM-exits. For this, we propose a methodology that automatically derives guest states that trigger the analyzed VM-exits. Furthermore, we build a custom compiler-based lightweight symbolic execution for the target hypervisor, which reports conditional operations imposed on guest state via instrumented hypervisor hooks. We apply constraint solving, at bit granularity, to the information retrieved at run-time, which assists the fuzzer in exploring deeper code paths of the hypervisor. We implement a prototype that targets the Intel VMX component of the Xen hypervisor by integrating our compiler-based lightweight symbolic execution into kAFL. Our evaluation shows that our initial VM state generation is sufficient to trigger numerous VM-exits (>50%), while our compiler-assisted instrumentation does not hinder high-throughput fuzzing. Finally, our tests show that our fuzzing setup provides higher coverage than existing fuzzers and is able to discover vulnerabilities hidden behind various complex constraints.
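To make the run-time feedback loop described above concrete, here is an added toy illustration in Python (not the thesis's implementation, which instruments Xen in C and integrates with kAFL): a hypothetical VM-exit handler whose masked comparisons on guest-state fields are logged by a hook, and a bit-granular solver that rewrites only the constrained bits of a seed state until the deeper path is reached. The field names, masks, constants and seed values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Trace:
    """Records every comparison the instrumented handler performs on guest state."""
    records: list = field(default_factory=list)

    def cmp_masked_eq(self, name, value, mask, const):
        # Stand-in for a compiler-inserted hook: log (field, mask, expected bits)
        # and whether the check passed, then return the real comparison result.
        taken = (value & mask) == (const & mask)
        self.records.append((name, mask, const & mask, taken))
        return taken

def exit_handler(guest, trace):
    """Hypothetical VM-exit handler with three bit-level checks on guest state."""
    if not trace.cmp_masked_eq("exit_qual", guest["exit_qual"], 0x00FF, 0x2A):
        return "reject-opcode"          # low byte must be 0x2A
    if not trace.cmp_masked_eq("exit_qual", guest["exit_qual"], 0x0F00, 0x500):
        return "reject-field"           # bits 8..11 must be 5
    if not trace.cmp_masked_eq("cr0", guest["cr0"], 0x80000001, 0x80000001):
        return "reject-mode"            # both PG and PE must be set
    return "deep-path"

def solve(records, state):
    """Turn recorded (field, mask, const) triples into a guest state that
    satisfies them, touching only the masked bits. Assumes constraints on the
    same field do not contradict each other (a real solver must check this)."""
    new = dict(state)
    for name, mask, const, _ in records:
        new[name] = (new[name] & ~mask) | const
    return new

def explore(seed, max_rounds=8):
    """Run, solve the comparisons seen so far, re-run.
    Returns (outcome, guest state, rounds used)."""
    state = dict(seed)
    outcome = None
    for rounds in range(1, max_rounds + 1):
        trace = Trace()
        outcome = exit_handler(state, trace)
        if outcome == "deep-path":
            return outcome, state, rounds
        state = solve(trace.records, state)
    return outcome, state, max_rounds

# Constructed seed: arbitrary guest state that fails the very first check.
SEED = {"exit_qual": 0x1234, "cr0": 0x60000010}

if __name__ == "__main__":
    print(explore(SEED))  # ('deep-path', {'exit_qual': 0x152A, 'cr0': 0xE0000011}, 4)
```

Each round only reveals the comparisons up to the first failing branch, which is why the loop re-runs after every solve; coverage-guided fuzzing without such feedback would have to guess all three masked values at once.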