Abstract
As cloud computing becomes more prevalent, there is increased interest in mitigating attacks that target hypervisors from within the virtualized guest environments they host. We present VDF, a targeted evolutionary fuzzing framework for discovering bugs within the software-based virtual devices implemented as part of a hypervisor. To achieve this, VDF selectively instruments the code of a given virtual device and performs record and replay of memory-mapped I/O (MMIO) activity specific to that device. We evaluate VDF by performing cloud-based parallel fuzz testing of eighteen virtual devices implemented within the QEMU hypervisor, executing over two billion test cases and revealing over one thousand unique crashes or hangs in one third of the tested devices. Our custom test case minimization algorithm further reduces the erroneous test cases to only 18.57% of their original sizes on average.
This document has been approved for public release: 88ABW-2016-3973.
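The selective instrumentation and evolutionary loop the abstract describes can be illustrated with an AFL-style edge-coverage map (Note 3 below states that VDF uses two-byte branch IDs, i.e. a 65536-entry map). The C program below is an added example, not VDF's or QEMU's code: the toy MMIO write handler, its branch IDs and the seed/mutant test cases are constructed for illustration, and hashing an edge as `cur ^ (prev >> 1)` is AFL's scheme, assumed here rather than taken from the paper. A replayed test case is kept for further mutation only when it touches a map cell no earlier test case touched.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A two-byte branch ID addresses a 2^16-entry trace map, the AFL-style
 * design Note 3 refers to. */
#define MAP_SIZE (1u << 16)

static uint8_t  trace_bits[MAP_SIZE];  /* edges hit by the current test case */
static uint8_t  virgin_bits[MAP_SIZE]; /* edges seen by any test case so far */
static uint16_t prev_loc;              /* previous branch ID, shifted right  */

/* Instrumentation hook: one call per instrumented branch in the device.
 * The edge prev->cur is hashed as cur ^ (prev >> 1) so that the edges
 * A->B and B->A fall into different map cells (AFL's scheme, assumed). */
static void cov_branch(uint16_t cur_loc) {
    trace_bits[(uint16_t)(cur_loc ^ prev_loc)]++;
    prev_loc = (uint16_t)(cur_loc >> 1);
}

static void cov_reset_trace(void) {
    memset(trace_bits, 0, sizeof trace_bits);
    prev_loc = 0;
}

static void cov_reset_corpus(void) { memset(virgin_bits, 0, sizeof virgin_bits); }

/* Counts map cells the current trace touched for the first time and marks
 * them as seen. An evolutionary fuzzer keeps the test case iff this is > 0. */
static unsigned cov_new_edges(void) {
    unsigned n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (trace_bits[i] && !virgin_bits[i]) { virgin_bits[i] = 1; n++; }
    return n;
}

/* Constructed stand-in for a virtual device's MMIO write handler, with a
 * branch ID at each basic block. Not VDF or QEMU code. */
enum { ID_ENTRY = 0x1001, ID_CTRL = 0x2002, ID_DATA = 0x3003,
       ID_ENABLE = 0x4004, ID_OTHER = 0x5005 };
static uint32_t dev_ctrl, dev_data;

static void dev_mmio_write(uint32_t offset, uint32_t val) {
    cov_branch(ID_ENTRY);
    switch (offset) {
    case 0x00:
        cov_branch(ID_CTRL);
        dev_ctrl = val;
        if (val & 1) cov_branch(ID_ENABLE);   /* the "enable" bit opens a new edge */
        break;
    case 0x04:
        cov_branch(ID_DATA);
        dev_data = val;
        break;
    default:
        cov_branch(ID_OTHER);
        break;
    }
}

/* A recorded test case is a sequence of MMIO writes. Replaying it against the
 * instrumented handler yields the fitness signal: the number of new edges. */
struct mmio_rec { uint32_t offset, value; };

static unsigned replay(const struct mmio_rec *recs, size_t n) {
    cov_reset_trace();
    for (size_t i = 0; i < n; i++) dev_mmio_write(recs[i].offset, recs[i].value);
    return cov_new_edges();
}

/* Constructed seed and mutants (not recorded from a real device). */
static const struct mmio_rec tc_seed[]  = { {0x04, 0xdead} };
static const struct mmio_rec tc_mut_a[] = { {0x00, 0x0} };     /* new edge: entry->ctrl   */
static const struct mmio_rec tc_mut_b[] = { {0x00, 0x1} };     /* new edge: ctrl->enable  */
static const struct mmio_rec tc_mut_c[] = { {0x04, 0xbeef} };  /* same path as the seed   */

int main(void) {
    cov_reset_corpus();
    printf("seed : %u new edges (kept)\n",      replay(tc_seed,  1));
    printf("mut_a: %u new edges (kept)\n",      replay(tc_mut_a, 1));
    printf("mut_b: %u new edges (kept)\n",      replay(tc_mut_b, 1));
    printf("mut_c: %u new edges (discarded)\n", replay(tc_mut_c, 1));
    return 0;
}
```

Only the branches inside the device under test carry IDs, which is what "selectively instruments" buys: the rest of the hypervisor adds no noise to the map, so a 16-bit ID space is ample for one device. Note that `mut_c` changes a data value but not the path, so it is discarded even though the device state differs; coverage-guided fuzzing does not see value-only differences unless they later steer a branch.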
Notes
- 1. QEMU provides the qtest framework to perform arbitrary read/write activity without the guest. We discuss qtest, and its limitations when fuzz testing, in Sect. 3.
- 2. CONFIG_ADDRESS at 0xCF8 and CONFIG_DATA at 0xCFC [11].
- 3. VDF still uses a two-byte branch ID, allowing for 65536 unique branches to be instrumented. In practice, this is more than adequate for virtual device testing.
- 4. If only a minimal amount of recorded activity is required, VDF can capture initialization activity via executing a QEMU qtest test case.
- 5. US government approval for the engineering and public release of the research shown in this paper required a time frame of approximately one year. The versions of QEMU identified for this study were originally selected at the start of that process.
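Note 2 refers to PCI configuration mechanism #1, the pair of I/O ports a guest driver (or a fuzzer) uses to reach a virtual PCI device's configuration space. The C program below is an added example, not code from VDF or QEMU: it encodes CONFIG_ADDRESS values, models a single constructed device at 00:00.0 with a 256-byte configuration space, and replays a recorded port I/O log of the kind a record-and-replay fuzzer feeds back to the device. The device's vendor and device IDs, the log contents and the handler names are constructed for illustration. The part a fuzzer will hammer is the address decoding: the register index must be masked to bits 7:2 so that a 32-bit access never indexes past the 256-byte space, and accesses with the enable bit clear or to an absent function must read as all ones rather than touch device state.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* PCI configuration mechanism #1: CONFIG_ADDRESS (0xCF8) selects a function
 * and a dword-aligned register; CONFIG_DATA (0xCFC) reads or writes it.
 * Layout: bit 31 enable, 23:16 bus, 15:11 device, 10:8 function, 7:2 register. */
#define PCI_CONFIG_ADDRESS 0xCF8
#define PCI_CONFIG_DATA    0xCFC
#define PCI_CFG_ENABLE     0x80000000u
#define PCI_CFG_SPACE_SIZE 256u

static uint32_t pci_cfg_addr(uint8_t bus, uint8_t dev, uint8_t fn, uint8_t reg) {
    return PCI_CFG_ENABLE | ((uint32_t)bus << 16) | ((uint32_t)(dev & 0x1f) << 11)
         | ((uint32_t)(fn & 0x7) << 8) | (uint32_t)(reg & 0xfc);
}

/* Toy virtual device: one function at 00:00.0 with a 256-byte config space.
 * Vendor 0x1234 / device 0x1111 are constructed values, not a real device's. */
static uint8_t  cfg_space[PCI_CFG_SPACE_SIZE] = { 0x34, 0x12, 0x11, 0x11 };
static uint32_t config_address;   /* value latched by the last 0xCF8 write */

/* Decodes the latched address; returns 1 and the register offset only when the
 * access is enabled and targets our function. */
static int cfg_selects_our_device(uint32_t addr, uint32_t *reg) {
    if (!(addr & PCI_CFG_ENABLE)) return 0;        /* enable bit clear: no access */
    if (((addr >> 16) & 0xff) != 0) return 0;      /* bus      */
    if (((addr >> 11) & 0x1f) != 0) return 0;      /* device   */
    if (((addr >> 8) & 0x7) != 0) return 0;        /* function */
    *reg = addr & 0xfc;   /* bits 1:0 are reserved; the mask keeps reg in [0, 252] */
    return 1;
}

static uint32_t load32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Port I/O handlers: the guest-facing attack surface a fuzzer drives. */
static void pio_write(uint16_t port, uint32_t val) {
    uint32_t reg;
    if (port == PCI_CONFIG_ADDRESS) { config_address = val; return; }
    if (port == PCI_CONFIG_DATA && cfg_selects_our_device(config_address, &reg)) {
        if (reg == 0x00) return;          /* vendor/device ID is read-only */
        store32(&cfg_space[reg], val);    /* reg <= 0xFC, so reg + 3 < 256 */
    }
}

static uint32_t pio_read(uint16_t port) {
    uint32_t reg;
    if (port == PCI_CONFIG_ADDRESS) return config_address;
    if (port == PCI_CONFIG_DATA && cfg_selects_our_device(config_address, &reg))
        return load32(&cfg_space[reg]);
    return 0xffffffffu;   /* absent function or disabled access reads as all ones */
}

/* A recorded port I/O test case, replayable without a guest OS. */
struct pio_rec { uint16_t port; uint8_t is_write; uint32_t value; };

static uint32_t pio_replay(const struct pio_rec *log, size_t n) {
    uint32_t last = 0;
    for (size_t i = 0; i < n; i++) {
        if (log[i].is_write) pio_write(log[i].port, log[i].value);
        else                 last = pio_read(log[i].port);
    }
    return last;
}

/* Constructed log: select 00:00.0 register 0x04, write it, read it back. */
static const struct pio_rec sample_log[] = {
    { PCI_CONFIG_ADDRESS, 1, PCI_CFG_ENABLE | 0x04 },
    { PCI_CONFIG_DATA,    1, 0x00000007 },
    { PCI_CONFIG_DATA,    0, 0 },
};

int main(void) {
    pio_write(PCI_CONFIG_ADDRESS, pci_cfg_addr(0, 0, 0, 0x00));
    printf("00:00.0 reg 0x00 = 0x%08x\n", pio_read(PCI_CONFIG_DATA));
    pio_write(PCI_CONFIG_ADDRESS, pci_cfg_addr(0, 1, 0, 0x00));
    printf("00:01.0 reg 0x00 = 0x%08x (no device)\n", pio_read(PCI_CONFIG_DATA));
    printf("replayed log  -> 0x%08x\n", pio_replay(sample_log, 3));
    return 0;
}
```

Because the only state the two ports share is the latched `config_address`, a replay log of (port, direction, value) triples is enough to reproduce any configuration-space interaction; that is also why such logs minimize well, since an entry that does not change the latched address or the final read can usually be dropped.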
References
Advanced Linux Sound Architecture (ALSA). http://www.alsa-project.org
Amazon.com, Inc., Form 10-K 2015. http://www.sec.gov/edgar.shtml
CVE-2014-2894: Off-by-one error in the cmd_start function in smart_self_test in IDE core. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2894
CVE-2015-3456: Floppy disk controller (FDC) allows guest users to cause denial of service. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
CVE-2015-5279: Heap-based buffer overflow in NE2000 virtual device. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5279
CVE-2015-6855: IDE core does not properly restrict commands. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855
CVE-2016-1981: Reserved. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1981
CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8910
Features/QTest. http://wiki.qemu.org/Features/QTest
Kernel-Based Virtual Machine. http://www.linux-kvm.org/
PCI - OSDev Wiki. http://wiki.osdev.org/PCI
[Qemu-devel] [PATCH 1/2] hw/sd: implement CMD23 (SET_BLOCK_COUNT) for MMC compatibility. https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg00948.html
[Qemu-devel] [PATCH 1/5] Provide support for the CUSE TPM. https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg01792.html
[Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start. https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html
Qubes OS Project. https://www.qubes-os.org/
TrouSerS - The open-source TCG software stack. http://trousers.sourceforge.net
Avgerinos, T., Cha, S.K., Lim, B., Hao, T., Brumley, D.: AEG: automatic exploit generation. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2011)
Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. ACM SIGOPS Operating Syst. Rev. 37(5), 164 (2003)
Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, Freenix Track, pp. 41–46 (2005)
Berger, S.: libtpms library. https://github.com/stefanberger/libtpms
Böhme, M., Pham, V.T., Roychoudhury, A.: Coverage-based greybox fuzzing as markov chain. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016 (2016)
Böttinger, K., Eckert, C.: Deepfuzz: triggering vulnerabilities deeply hidden in binaries. In: Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2016 (2016)
Bryant, C.: [1/4] tpm: Add TPM NVRAM Implementation (2013). https://patchwork.ozlabs.org/patch/288936/
Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of the 8th Symposium on Operating Systems Design and Implementation, pp. 209–224. USENIX Association (2008)
Cha, S.K., Avgerinos, T., Rebert, A., Brumley, D.: Unleashing mayhem on binary code. In: 2012 IEEE Symposium on Security and Privacy, pp. 380–394. IEEE, May 2012
Chipounov, V., Georgescu, V., Zamfir, C., Candea, G.: Selective symbolic execution. In: Proceedings of Fifth Workshop on Hot Topics in System Dependability, June, Lisbon, Portugal (2009)
Chow, J., Garfinkel, T., Chen, P.M.: Decoupling dynamic program analysis from execution in virtual environments. In: USENIX Annual Technical Conference, pp. 1–14 (2008)
Cong, K., Xie, F., Lei, L.: Symbolic execution of virtual devices. In: 2013 13th International Conference on Quality Software, pp. 1–10. IEEE, July 2013
Corbet, J., Rubini, A., Kroah-Hartman, G.: Linux Device Drivers, 3rd edn. O'Reilly Media Inc., Sebastopol (2005)
Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable Reverse Engineering for the Greater Good with PANDA. Technical report, Columbia University, MIT Lincoln Laboratory, TR CUCS-023-14 (2014)
Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: ReVirt: enabling intrusion analysis through virtual-machine logging and replay. ACM SIGOPS Operating Syst. Rev. 36(SI), 211–224 (2002)
Miller, B.P., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. Commun. ACM 33(12), 32–44 (1990)
Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., Bos, H.: VUzzer: application-aware evolutionary fuzzing. In: NDSS, February 2017
Rebert, A., Cha, S.K., Avgerinos, T., Foote, J., Warren, D., Grieco, G., Brumley, D.: Optimizing seed selection for fuzzing. In: 23rd USENIX Security Symposium (2014)
Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., Vigna, G.: Driller: augmenting fuzzing through selective symbolic execution. In: Proceedings of NDSS 2016, February 2016
Tang, J., Li, M.: When virtualization encounter AFL. In: Black Hat Europe (2016)
Wu, C., Wang, Z., Jiang, X.: Taming hosted hypervisors with (mostly) deprivileged execution. In: Network and Distributed System Security Symposium (2013)
Zalewski, M.: American Fuzzy Lop Fuzzer. http://lcamtuf.coredump.cx/afl/
Acknowledgment
The authors would like to thank the staff of the Griffiss Institute in Rome, New York for generously allowing the use of their cloud computing resources. This material is based upon research sponsored by the Air Force Research Lab, Rome Research Site under agreement number FA8750-15-C-0190.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Henderson, A., Yin, H., Jin, G., Han, H., Deng, H. (2017). VDF: Targeted Evolutionary Fuzz Testing of Virtual Devices. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_1
DOI: https://doi.org/10.1007/978-3-319-66332-6_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6
eBook Packages: Computer Science (R0)