HyperMirage: Direct State Manipulation in Hybrid Virtual CPU Fuzzing

Manuel Andreas (Technical University of Munich), Fabian Specht (Technical University of Munich), Marius Momeu (Technical University of Munich)

Hypervisors are crucial for the security and availability of modern cloud infrastructures, yet they must expose a large virtualization interface to guest VMs—an attack surface that adversaries can exploit. Among the most intricate and security-sensitive components of hypervisors is their virtual CPU implementation, typically implemented at the highest privilege level. Although previous fuzzing research made promising steps towards scrutinizing the virtual CPU component of HVs, existing techniques fail at covering it in depth, as its convoluted nature requires laborious manual setup for accessing individual interfaces, all the while employing sub-optimal techniques that lower fuzzing throughput.

We address these shortcomings via HyperMirage, a novel hypervisor fuzzer that automatically and efficiently explores the large space of architectural states emulated by virtual CPU implementations. HyperMirage spares security analysts from manually crafting fuzzing seeds in the form of architecturally valid VM states by employing a novel Direct State Manipulation approach, which directly and automatically mutates the HV's view of a VM's state that is consumed during fuzzing. Additionally, we extend a state-of-the-art compiler-based symbolic execution engine, making it the first one available for bare-metal targets, and integrate it into an efficient coverage-guided HV fuzzer, enabling HyperMirage to drastically improve fuzzing throughput when compared to existing techniques.

We provide a case study of HyperMirage by fuzzing the production-grade Xen and KVM hypervisors on the Intel x86 architecture. Our evaluation shows that HyperMirage is capable of covering 200% more virtual CPU interfaces than prior work and achieves drastically more coverage on the entire virtual CPU space when compared to available HV fuzzers. Moreover, HyperMirage discovered 9 new bugs in Xen and 2 in KVM, all of which have been confirmed by the respective project maintainers.

Paper

Slides

View More Papers

Poster: Challenges in Applying COTS Secure, Resilient Boot and...

Gabriel Torres (MIT Lincoln Laboratory, Secure Resilient Systems & Technology, Lexington, MA), Raymond Govotski (MIT Lincoln Laboratory, Secure Resilient Systems & Technology, Lexington, MA), Samuel Jero (MIT Lincoln Laboratory, Secure Resilient Systems & Technology, Lexington, MA), Gruia-Catalin Roman (University of New Mexico, Department of Computer Science), Joseph “Dan” Trujillo (Air Force Research Laboratory, Space Vehicles Directorate), Richard Skowyra (MIT Lincoln Laboratory, Secure Resilient Systems…

Understanding the Status and Strategies of the Code Signing...

Hanqing Zhao (Tsinghua University & QI-ANXIN Technology Research Institute), Yiming Zhang (Tsinghua University), Lingyun Ying (QI-ANXIN Technology Research Institute), Mingming Zhang (Zhongguancun Laboratory), Baojun Liu (Tsinghua University), Haixin Duan (Tsinghua University), Zi-Quan You (Tsinghua University), Shuhao Zhang (QI-ANXIN Technology Research Institute)

Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel...

Andrea Monzani (University of Milan), Antonio Parata (University of Milan), Andrea Oliveri (EURECOM), Simone Aonzo (EURECOM), Davide Balzarotti (EURECOM), Andrea Lanzi (University of Milan)