Fuzzing Device Emulation in QEMU

Hypervisors, the software that lets one physical computer run multiple virtual computers, form the backbone of cloud computing. Because they are both ubiquitous and essential, they are security-critical applications and attractive targets for attackers. Past vulnerabilities show that virtual device implementations are the most common site of security bugs in hypervisors. To address this problem, we developed a novel method for fuzzing virtual devices and implemented it for the popular open-source QEMU hypervisor. Our fuzzer combines a standard coverage-guided strategy with additional guidance based on hypervisor-specific behaviors. It guarantees reproducible input execution and can, optionally, take advantage of existing virtual device test cases. In our evaluation, we found and reported previously unknown bugs in devices such as serial and virtio-net, ranging from memory corruption to denial-of-service vulnerabilities. The evaluation demonstrates that combining well-known coverage guidance techniques with domain-specific feedback yields promising fuzzer performance, even for complex targets such as hypervisors.

Additional Info

This project was jointly supported by Red Hat, BU, and the Google Summer of Code 2019. Please visit the Red Hat Research project page for more info.