Fuzzing the Hypercall Interface of Hypervisors via Static Analysis

Supervisor(s): Marius Momeu
Status: finished
Topic: Others
Author: Manuel Probst
Submission: 2022-09-15
Type of Thesis: Bachelor thesis

Description

Hypervisors are used to isolate several mutually distrusting virtual machines from
each other and from the host. For performance, hypervisors are typically written in
memory-unsafe languages such as C, C++, or assembly, which makes them prone to
programming mistakes that lead to spatial safety (e.g., heap or stack overflow) and
temporal safety (e.g., use-after-free or double-free) vulnerabilities. The hypercall
interface gives guests a direct way to request privileged services from the hypervisor,
thus allowing adversaries to exploit vulnerabilities in its implementation to take over
the host and its tenants. It is therefore crucial to find and mitigate hypervisor
implementation bugs that lead to vulnerabilities violating this isolation.

A technique that has proven effective for finding memory corruption vulnerabilities
is fuzzing. Fuzzers automatically generate inputs according to pre-specified formatting
policies with the aim of discovering vulnerabilities in selected interfaces of the target
software. On one hand, policies based on randomly generated inputs achieve high fuzzing
throughput but low code coverage, and may miss bugs in code whose paths are only
reached for specific constant input values, such as hypercalls. On the other hand,
inputs generated via dynamic analysis and symbolic execution greatly increase coverage
but suffer from reduced throughput due to path explosion in code with many conditional
branches, such as hypercalls. Static analysis can combine the best of both: it recovers
the data needed for input generation before fuzzing starts, which increases code
coverage while keeping throughput high. Furthermore, static analysis recovers the types
of hypercall parameters, which allows for more precise input generation.

Currently, few approaches to hypercall interface fuzzing incorporate static analysis,
and those that do are limited to specific interface structures, such as an integer
specifying a subcommand as the first hypercall parameter and a struct containing the
arguments for that subcommand as the second.

In this thesis, we propose Argus, a tool that statically analyzes the hypercall interface
of hypervisors to facilitate fuzzing them. With Argus, we extract the types hypercall
parameters are expected to take during execution and the immediate values they are
compared against, to an unlimited depth inside the code and independent of the interface
structure. From the extracted data we derive policies for generating fuzzing inputs and
use the MangoFuzz seed generator to produce input seeds for HyperFuzz, a state-of-the-art
hypervisor fuzzer, based on these policies. In this way, we increase the code coverage of
HyperFuzz while fuzzing the hypercall interface of Xen by about 13.4% while even
increasing the throughput by 10.8%.
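The extraction step sketched above, reduced to immediate values (types are not recovered here), as an added Python illustration that is not Argus's code: a toy source-level pass collects the constants each entry parameter is compared against and follows that parameter through nested calls to any depth. The C handler, its function names and the regex-based parsing are constructed assumptions for the example, not Xen code.

```python
import re

# Constructed sample: a handler dispatching on a subcommand and passing its argument
# through two nested helpers. Hypothetical C for illustration, not Xen code.
HANDLER_SRC = r"""
long do_example_op(unsigned int cmd, unsigned long arg) {
    switch (cmd) {
    case 0: return helper_alloc(arg);
    case 7: if (arg == 0x1000) return 0; break;
    }
    return -ENOSYS;
}
long helper_alloc(unsigned long size) {
    return (size > 4096 || size != 64 && size != 128) ? -EINVAL : helper_zero(size);
}
long helper_zero(unsigned long ref) { return ref == 0 ? -EINVAL : 0; }
"""
INT, OP = r"(?:0x[0-9a-fA-F]+|\d+)", r"(?:==|!=|<=|>=|<|>)"
FUNC_RE = re.compile(r"\w[\w\s\*]*?\b(\w+)\s*\(([^)]*)\)\s*\{")  # type name(params) {
CALL_RE = re.compile(r"\b(\w+)\s*\(([^()]*)\)")                   # callee(args)

def parse_functions(src):
    # name -> (parameter names, body text), splitting the source at function headers.
    parts = FUNC_RE.split(src)[1:]
    return {parts[i]: ([p.split()[-1] for p in parts[i + 1].split(",") if p.strip()], parts[i + 2])
            for i in range(0, len(parts), 3)}

def immediates_for(param, body):
    # Constants `param` is compared with, plus case labels of a switch on it (one switch per body).
    found = {int(v, 0) for v in re.findall(rf"\b{param}\b\s*{OP}\s*({INT})", body)}
    if re.search(rf"switch\s*\(\s*{param}\s*\)", body):
        found |= {int(v, 0) for v in re.findall(rf"\bcase\s+({INT})\s*:", body)}
    return found

def collect(funcs, name, tracked=None, seen=frozenset()):
    # tracked: local parameter -> entry parameter whose value it carries (None: the
    # entry's own parameters). Calls are followed to any depth; `seen` cuts cycles.
    tracked = {p: p for p in funcs[name][0]} if tracked is None else tracked
    result, key = {t: set() for t in tracked.values()}, (name, tuple(sorted(tracked.items())))
    if name not in funcs or key in seen:
        return result
    body = funcs[name][1]
    for local, top in tracked.items():
        result[top] |= immediates_for(local, body)
    for call in CALL_RE.finditer(body):
        callee, args = call.group(1), [a.strip() for a in call.group(2).split(",")]
        sub = {p: tracked[a] for p, a in zip(funcs.get(callee, ([],))[0], args) if a in tracked}
        for top, vals in collect(funcs, callee, sub, seen | {key}).items():
            result[top] |= vals
    return result
```

For the sample, `collect(parse_functions(HANDLER_SRC), "do_example_op")` yields the subcommand values {0, 7} for `cmd` and {0, 64, 128, 4096} for `arg`, the latter gathered two calls deep; a seed policy would use these constants and their neighbours so both sides of every comparison are exercised.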