Fuzzing Virtual Devices in Hypervisors

Abstract

The market for public cloud platforms is valued in the hundreds of billions of dollars. Hypervisors form the backbone of the cloud and are therefore security-critical applications and attractive targets for attackers. Past vulnerabilities show that virtual-device implementations are the most common source of security bugs in hypervisors. In my talk, I will present our novel approach for fuzzing virtual devices in the popular open-source QEMU hypervisor. Our fuzzer combines a standard coverage-guided strategy with additional guidance based on hypervisor-specific behaviors. It guarantees reproducible input execution and can optionally take advantage of existing virtual-device test cases. The fuzzer has been upstreamed into QEMU and has already found over 50 bugs.
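To make the shape of the approach concrete, here is a toy coverage-guided fuzzer over a deliberately buggy MMIO device model. This is an added example, not the QEMU fuzzer the talk describes: the device, its register map (`REG_CTRL`, `REG_INDEX`, `REG_DATA`), its missing bounds check and the input format are all constructed for illustration, and the hypervisor-specific guidance mentioned in the abstract is not modeled; only plain edge coverage is. What it does show is the two properties the abstract names: inputs are kept when they reach new device states, and every input is executed on a fresh device so a crash can be replayed and minimized deterministically.

```python
# Constructed example: a toy MMIO device with an out-of-bounds bug and a small
# coverage-guided fuzzer over it. Not a QEMU device and not QEMU's fuzzer.
import random
from dataclasses import dataclass, field

# Register map of the constructed toy device (assumed, for illustration only).
REG_CTRL, REG_INDEX, REG_DATA = 0x00, 0x04, 0x08
REGS = (REG_CTRL, REG_INDEX, REG_DATA)
TABLE_SIZE = 8


class DeviceBug(Exception):
    """Raised where a real device model would corrupt hypervisor memory."""


@dataclass
class ToyDevice:
    enabled: bool = False
    index: int = 0
    table: list = field(default_factory=lambda: [0] * TABLE_SIZE)
    # Coverage signal: (enabled-state, register) combinations reached so far.
    edges: set = field(default_factory=set)

    def mmio_write(self, reg, value):
        """Guest-side MMIO write handler; the INDEX path lacks a bounds check."""
        self.edges.add((self.enabled, reg))
        if reg == REG_CTRL:
            self.enabled = bool(value & 1)
        elif reg == REG_INDEX and self.enabled:
            self.index = value                  # bug: never checked against TABLE_SIZE
        elif reg == REG_DATA and self.enabled:
            if self.index >= TABLE_SIZE:        # stand-in for the out-of-bounds write
                raise DeviceBug(f"out-of-bounds write to table[{self.index}]")
            self.table[self.index] = value


def execute(ops):
    """Run one input, a list of (reg, value) writes, on a fresh device.

    Returns (coverage, crash_message_or_None). A fresh device per run is what
    makes an input reproducible: the same ops always yield the same result.
    """
    dev = ToyDevice()
    try:
        for reg, value in ops:
            dev.mmio_write(reg, value)
    except DeviceBug as bug:
        return frozenset(dev.edges), str(bug)
    return frozenset(dev.edges), None


def mutate(rng, ops):
    """One random mutation: insert an op, replace a value, or delete an op."""
    ops = list(ops)
    choice = rng.randrange(3)
    if choice == 0 or not ops:
        ops.insert(rng.randrange(len(ops) + 1), (rng.choice(REGS), rng.randrange(256)))
    elif choice == 1:
        i = rng.randrange(len(ops))
        ops[i] = (ops[i][0], rng.randrange(256))
    else:
        del ops[rng.randrange(len(ops))]
    return ops


def fuzz(seed=0, iterations=5000):
    """Coverage-guided loop: keep inputs reaching new edges, stop at first crash.

    Returns (crashing_ops, crash_message, corpus); crashing_ops is None if none.
    """
    rng = random.Random(seed)                   # fixed seed: the campaign replays too
    corpus = [[(REG_CTRL, 1)]]                  # seed input: just enable the device
    seen = set(execute(corpus[0])[0])
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        coverage, crash = execute(child)
        if crash is not None:
            return child, crash, corpus
        if not coverage <= seen:                # new edge reached: keep this input
            seen |= coverage
            corpus.append(child)
    return None, None, corpus


def minimize(ops):
    """Drop ops while the crash still reproduces; loops to a fixpoint (1-minimal)."""
    ops = list(ops)
    changed = True
    while changed:
        changed = False
        i = 0
        while i < len(ops):
            trial = ops[:i] + ops[i + 1:]
            if execute(trial)[1] is not None:
                ops, changed = trial, True
            else:
                i += 1
    return ops
```

Calling `fuzz()` returns the first crashing input, which `minimize` reduces to the three-write reproducer (enable, out-of-range index, data write); both steps rely only on `execute` being deterministic. In a real virtual-device fuzzer the device state, the register decode and the coverage source are the hypervisor's own, and the interesting engineering is precisely in replacing the toy coverage signal with signals drawn from how the hypervisor behaves.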