
Fuzz Testing Virtualized Environments


Supervisor(s): Felix Wruck, Sascha Wessel
Status: finished
Topic: Others
Author: Florian Freund
Submission: 2021-03-15
Type of Thesis: Bachelor thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


System virtualization is used in more and more areas. This starts in
server environments and goes down to embedded systems. The security of
the hypervisor is a crucial aspect in such systems. The hypervisor is
commonly used as a security boundary between isolated execution
environments and enforces security policies by controlling data flows
including network traffic. Vulnerabilities in the hypervisor could allow
an attacker to escape the isolated environment and gain full control of
the system. Therefore, bugs in the implementation are being intensively
searched for in order to close them. One technique for this is fuzzing
the exposed interfaces.

There has been great progress in the research on fuzzing the hypercall
interface that is used by kernels running in such isolated environments,
but usually a hypervisor-based system does not only provide basic
virtual machine functionality but other services as well. By feeding
these services malicious data, an attacker could escape from an
isolated environment too.

In this thesis, we have analyzed the interfaces of a virtualized system
used in a commercial product. We analyzed the suitability of fuzzers for
this low-level operating system. We evaluated three different fuzzers
utilizing two different methods of dynamic program analysis:
mutation-based fuzzing and generation-based fuzzing. The fuzzers are
evaluated on two protocols used in our virtualized environment: the
JSON-based QEMU machine RPC protocol and the VNC remote display protocol.
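As an added illustration (not code from the thesis), the contrast between the two input-construction methods named above, shown on QMP-shaped JSON messages: a generation-based fuzzer only emits messages its grammar allows, while a mutation-based fuzzer freely breaks structure. The command subset and argument grammar are assumptions, not QEMU's schema.

```python
"""Added example: generation-based vs mutation-based construction of
QMP-style JSON test inputs. The command names and argument values are a
hand-picked subset for illustration only (assumed, not QEMU's schema)."""
import json
import random

# Constructed mini-grammar of QMP commands: name -> allowed argument values.
QMP_GRAMMAR = {
    "query-status": {},
    "device_add": {"driver": ["virtio-net-pci", "e1000"], "id": ["net0", "net1"]},
    "blockdev-snapshot-sync": {"device": ["drive0"], "snapshot-file": ["/tmp/s.qcow2"]},
}


def generate_qmp_command(rng: random.Random) -> bytes:
    """Generation-based: every message is a well-formed QMP command."""
    name = rng.choice(sorted(QMP_GRAMMAR))
    args = {key: rng.choice(values) for key, values in QMP_GRAMMAR[name].items()}
    msg = {"execute": name}
    if args:
        msg["arguments"] = args
    return json.dumps(msg).encode()


def mutate_bytes(seed_input: bytes, rng: random.Random) -> bytes:
    """Mutation-based: flip, insert or delete one byte, ignoring structure."""
    data = bytearray(seed_input)
    op = rng.choice(("flip", "insert", "delete"))
    pos = rng.randrange(len(data))
    if op == "flip":
        data[pos] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(pos, rng.randrange(256))
    else:
        del data[pos]
    return bytes(data)


def is_wellformed_qmp(data: bytes) -> bool:
    """True if a QMP JSON parser would accept the bytes as a command object."""
    try:
        msg = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(msg, dict) and isinstance(msg.get("execute"), str)


def count_malformed(n: int, seed: int = 1) -> dict:
    """Count structurally invalid inputs each strategy produces out of n."""
    rng = random.Random(seed)
    seed_input = generate_qmp_command(rng)  # corpus entry for the mutator
    generated = sum(not is_wellformed_qmp(generate_qmp_command(rng)) for _ in range(n))
    mutated = sum(not is_wellformed_qmp(mutate_bytes(seed_input, rng)) for _ in range(n))
    return {"generated": generated, "mutated": mutated}
```

The generated inputs exercise only the parser's happy path that the grammar author anticipated, whereas the mutated inputs also reach the error-handling paths, which is the behaviour the evaluation below attributes to BooFuzz versus AFL++.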

The results of our evaluation show that AFL++ finds more bugs and can be
applied with less effort than libFuzzer while BooFuzz does not find
unexpected bugs but primarily finds bugs that the developer already has
in mind.