Fuzzing Virtual Devices in Hypervisors
2020-04-29
Alexander Bulekov
PhD Student @ BU Seclab, Intern @ Red Hat
Diagram: the virtualization stack. Hardware at the bottom, the OS / Hypervisor above it exposing the Virtual Devices, and several guests on top, each a Guest OS running its Apps.
Virtual Machines: Targets for Attackers
Diagram: the three ways a guest drives a virtual device: Port IO, MMIO, and DMA to and from guest RAM.
Diagram: the same Port IO / MMIO / DMA interfaces to guest RAM, with question marks where the fuzzer's inputs have to enter.
How can we efficiently provide inputs to such a large IO space?
We leverage the hypervisor's memory access API:
Enumerate all IO regions directly mapped to virtual devices.
Hook DMA accesses from virtual devices.
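The loop the slide describes, written out as an added example (this is illustration code, not QEMU's or the author's; the region table, the toy device and its register layout, the op encoding and the sample input are all constructed here). A fuzz input is decoded into Port IO / MMIO accesses that can only ever target addresses from an enumerated region table, and a DMA hook fills guest RAM with fuzz bytes at the exact moment a device reads it, so descriptors and buffers the device fetches are fuzzer-controlled without the fuzzer having to guess where they live:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- guest RAM and the fuzz-input cursor shared with the DMA hook ---- */
#define GUEST_RAM_SIZE 0x10000
static uint8_t guest_ram[GUEST_RAM_SIZE];
static const uint8_t *in_ptr;   /* next unconsumed fuzz byte */
static size_t in_left;          /* bytes still available */
static size_t dma_bytes_filled; /* statistic: bytes injected through the DMA hook */

/* DMA hook: the device asked for guest memory, so this is the moment the
 * fuzzer controls what it sees. Fill the range with fuzz bytes first (as
 * many as remain; the rest keeps whatever RAM held), then hand over a copy. */
static void dma_read(uint32_t addr, uint8_t *buf, size_t len)
{
    if ((uint64_t)addr + len > GUEST_RAM_SIZE) { memset(buf, 0, len); return; }
    size_t n = len < in_left ? len : in_left;
    memcpy(&guest_ram[addr], in_ptr, n);
    in_ptr += n; in_left -= n; dma_bytes_filled += n;
    memcpy(buf, &guest_ram[addr], len);
}

/* ---- toy virtual device (constructed for this example) ----
 * Three 32-bit MMIO registers; writing CMD=1 fetches a descriptor from
 * guest RAM at DMA_ADDR, clamped to the device's descriptor buffer. */
enum { REG_DMA_ADDR = 0x0, REG_DMA_LEN = 0x4, REG_CMD = 0x8, DEV_MMIO_SIZE = 0xC };
static uint32_t dev_regs[3];
static uint8_t dev_desc[64];
static size_t dev_desc_len;

static void dev_mmio_write(uint32_t off, uint32_t val)
{
    if (off == REG_CMD && val == 1) {
        size_t len = dev_regs[1] < sizeof dev_desc ? dev_regs[1] : sizeof dev_desc;
        dma_read(dev_regs[0], dev_desc, len);
        dev_desc_len = len;
        return;
    }
    dev_regs[off / 4] = val;
}
static uint32_t dev_mmio_read(uint32_t off) { return dev_regs[off / 4]; }

/* Toy Port IO device: an 8-byte register window. */
static uint8_t pio_regs[8];
static void pio_write(uint32_t off, uint32_t val) { pio_regs[off] = (uint8_t)val; }
static uint32_t pio_read(uint32_t off) { return pio_regs[off]; }

/* ---- the enumerated region table: built once from the hypervisor's memory
 * map, so the fuzzer only targets addresses that really reach a device ---- */
typedef struct {
    const char *name;
    int is_mmio;            /* 0 = Port IO, 1 = MMIO */
    uint64_t base, size;
    void (*write)(uint32_t off, uint32_t val);
    uint32_t (*read)(uint32_t off);
} IORegion;

static const IORegion regions[] = {
    { "toy-pio",  0, 0x3F8,      8,             pio_write,      pio_read },
    { "toy-mmio", 1, 0xE0000000, DEV_MMIO_SIZE, dev_mmio_write, dev_mmio_read },
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* One fuzz op is 8 bytes: [region][flags][offset lo][offset hi][value LE32].
 * Region and offset are reduced modulo the table, so every byte pattern
 * decodes to a valid access and no input is wasted on unmapped addresses. */
#define OP_SIZE 8

static uint32_t le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Run one fuzz input; returns the number of IO ops executed. Whatever the
 * op decoder has not consumed is what the DMA hook feeds to the device. */
size_t fuzz_one_input(const uint8_t *data, size_t size)
{
    size_t ops = 0;
    memset(guest_ram, 0, sizeof guest_ram);
    memset(dev_regs, 0, sizeof dev_regs);
    dev_desc_len = 0; dma_bytes_filled = 0;
    in_ptr = data; in_left = size;

    while (in_left >= OP_SIZE) {
        const uint8_t *op = in_ptr;
        in_ptr += OP_SIZE; in_left -= OP_SIZE;
        const IORegion *r = &regions[op[0] % NREGIONS];
        uint32_t off = (uint32_t)((op[2] | op[3] << 8) % r->size);
        if (r->is_mmio) off &= ~3u;                  /* 32-bit register stride */
        if (op[1] & 1) (void)r->read(off);
        else r->write(off, le32(op + 4));
        ops++;
    }
    return ops;
}

/* Accessors so a harness (or test) can inspect what the device saw. */
size_t device_descriptor(uint8_t *out, size_t cap)
{
    size_t n = dev_desc_len < cap ? dev_desc_len : cap;
    memcpy(out, dev_desc, n);
    return n;
}
size_t dma_bytes_injected(void) { return dma_bytes_filled; }

/* Constructed sample input: three register writes that program a descriptor
 * fetch, followed by the eight bytes the DMA hook will hand to the device. */
static const uint8_t sample_input[] = {
    1, 0, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,   /* MMIO write DMA_ADDR = 0x1000 */
    1, 0, 0x04, 0x00, 0x08, 0x00, 0x00, 0x00,   /* MMIO write DMA_LEN  = 8 */
    1, 0, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,   /* MMIO write CMD = 1: DMA fetch */
    'D', 'E', 'A', 'D', 'B', 'E', 'E', 'F',     /* consumed by the DMA hook */
};

int main(void)
{
    size_t ops = fuzz_one_input(sample_input, sizeof sample_input);
    uint8_t desc[64];
    size_t n = device_descriptor(desc, sizeof desc);
    printf("ops=%zu dma_bytes=%zu descriptor=%.*s\n",
           ops, dma_bytes_injected(), (int)n, desc);
    return 0;
}
```

Two design points carry over to a real harness. First, the fuzzer never has to learn the guest's physical memory layout: the DMA hook is triggered by the device's own read, so the bytes land wherever the device was told to look, including addresses the fuzzer itself chose a few ops earlier. Second, because the region table is enumerated rather than guessed, an out-of-table address is impossible by construction, so the input bits all go to accesses that actually execute device code. QEMU's own device fuzzer builds this same loop on top of qtest and libFuzzer; the register encoding above is only this example's.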
Plot: Coverage (y axis) against Executions (x axis).
Fuzz Some Device Configurations...
Inspect the Fuzzer’s Coverage...
Identify Challenges and Adjust the Fuzzer ...
We have already found, reported and fixed bugs in devices such as virtio-net, virtio-scsi, virtio-blk, char/serial, MegaRAID. More on the way...
Most of our work is already upstream!
Thank you to my mentors at Red Hat!
Bandan Das, Paolo Bonzini, Stefan Hajnoczi
[email protected] on irc.oftc.net