Hyper-Cube: High-Dimensional Hypervisor Fuzzing

Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner, Thorsten Holz

Network and Distributed System Security Symposium (NDSS), San Diego, California, USA, February 2020


Virtual machine monitors (VMMs, also called hypervisors) represent a very critical part of a modern software stack: compromising them could allow an attacker to take full control of the whole cloud infrastructure of any cloud provider. Hence their security is critical for many applications, especially in the context of Infrastructure-as-a-Service. In this paper, we present the design and implementation of HyperCube, a novel fuzzer that aims explicitly at testing hypervisors in an efficient, effective, and precise way. Our approach is based on a custom operating system that implements a custom bytecode interpreter. This high-throughput design for long-running, interactive targets allows us to fuzz a large number of both open source and proprietary hypervisors. In contrast to one-dimensional fuzzers such as afl, HyperCube can interact with any number of interfaces in any order. Our evaluation results show that we can find more bugs (over 2x) and coverage (as much as 2x) than state-of-the-art hypervisor fuzzers. In most cases, we were even able to do so using multiple orders of magnitude less time than comparable fuzzers. HyperCube was also able to rediscover a set of well-known vulnerabilities for hypervisors, such as VENOM, in less than five minutes. In total, we found 54 novel bugs, and so far obtained 42 CVEs. Our evaluation results demonstrates that next generation coverage-guided fuzzers should incorporate a higher-throughput design for long-running targets such as hypervisors.


tags: fuzzing