Top

Published in:

2017 | OriginalPaper | Chapter

VDF: Targeted Evolutionary Fuzz Testing of Virtual Devices

Authors : Andrew Henderson, Heng Yin, Guang Jin, Hao Han, Hongmei Deng

Published in: Research in Attacks, Intrusions, and Defenses

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

As cloud computing becomes more and more prevalent, there is increased interest in mitigating attacks that target hypervisors from within the virtualized guest environments that they host. We present VDF, a targeted evolutionary fuzzing framework for discovering bugs within the software-based virtual devices implemented as part of a hypervisor. To achieve this, VDF selectively instruments the code of a given virtual device, and performs record and replay of memory-mapped I/O (MMIO) activity specific to the virtual device. We evaluate VDF by performing cloud-based parallel fuzz testing of eighteen virtual devices implemented within the QEMU hypervisor, executing over two billion test cases and revealing over one thousand unique crashes or hangs in one third of the tested devices. Our custom test case minimization algorithm further reduces the erroneous test cases into only 18.57% of the original sizes on average.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

next chapter Static Program Analysis as a Fuzzing Aid

Available only for authorised users

QEMU provides the qtest framework to perform arbitrary read/write activity without the guest. We discuss qtest, and its limitations when fuzz testing, in Sect. 3.

CONFIG_ADDRESS at 0xCF8 and CONFIG_DATA at 0xCFC [11].

VDF still uses a two-byte branch ID, allowing for 65536 unique branches to be instrumented. In practice, this is more than adequate for virtual device testing.

If only a minimal amount of recorded activity is required, VDF can capture initialization activity via executing a QEMU qtest test case.

US government approval for the engineering and public release of the research shown in this paper required a time frame of approximately one year. The versions of QEMU identified for this study were originally selected at the start of that process.

Advanced Linux Sound Architecture (ALSA). http://www.alsa-project.org

Amazon.com, Inc., Form 10-K 2015. http://www.sec.gov/edgar.shtml

CVE-2014-2894: Off-by-one error in the cmd start function in smart self test in IDE core. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2894

CVE-2015-3456: Floppy disk controller (FDC) allows guest users to cause denial of service. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

CVE-2015-5279: Heap-based buffer overflow in NE2000 virtual device. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5279

CVE-2015-6855: IDE core does not properly restrict commands. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855

CVE-2016-1981: Reserved. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1981

CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8910

Features/QTest. http://wiki.qemu.org/Features/QTest

10.

Kernel-Based Virtual Machine. http://www.linux-kvm.org/

11.

PCI - OSDev Wiki. http://wiki.osdev.org/PCI

12.

[Qemu-devel] [PATCH 1/2] hw/sd: implement CMD23 (SET_BLOCK_COUNT) for MMC compatibility. https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg00948.html

13.

[Qemu-devel] [PATCH 1/5] Provide support for the CUSE TPM. https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg01792.html

14.

[Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start. https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html

15.

Qubes OS Project. https://www.qubes-os.org/

16.

TrouSerS - The open-source TCG software stack. http://trousers.sourceforge.net

17.

Avgerinos, T., Cha, S.K., Lim, B., Hao, T., Brumley, D.: AEG: automatic exploit generation. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2011)

18.

Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. ACM SIGOPS Operating Syst. Rev. 37(5), 164 (2003)CrossRef

19.

Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, Freenix Track, pp. 41–46 (2005)

20.

Berger, S.: libtpms library. https://github.com/stefanberger/libtpms

21.

Böhme, M., Pham, V.T., Roychoudhury, A.: Coverage-based greybox fuzzing as markov chain. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016 (2016)

22.

Böttinger, K., Eckert, C.: Deepfuzz: triggering vulnerabilities deeply hidden in binaries. In: Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2016 (2016)

23.

Bryant, C.: [1/4] tpm: Add TPM NVRAM Implementation (2013). https://patchwork.ozlabs.org/patch/288936/

24.

Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of the 8th Symposium on Operating Systems Design and Implementation, pp. 209–224. USENIX Association (2008)

25.

Cha, S.K., Avgerinos, T., Rebert, A., Brumley, D.: Unleashing mayhem on binary code. In: 2012 IEEE Symposium on Security and Privacy, pp. 380–394. IEEE, May 2012

26.

Chipounov, V., Georgescu, V., Zamfir, C., Candea, G.: Selective symbolic execution. In: Proceedings of Fifth Workshop on Hot Topics in System Dependability, June, Lisbon, Portugal (2009)

27.

Chow, J., Garfinkel, T., Chen, P.M.: Decoupling dynamic program analysis from execution in virtual environments. In: USENIX Annual Technical Conference, pp. 1–14 (2008)

28.

Cong, K., Xie, F., Lei, L.: Symbolic execution of virtual devices. In: 2013 13th International Conference on Quality Software, pp. 1–10. IEEE, July 2013

29.

Corbet, J., Rubini, A., Kroah-Hartman, G.: Linux Device Drivers, 3rd edn. O’ Reilly Media Inc., Sebastopol (2005)MATH

30.

Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable Reverse Engineering for the Greater Good with PANDA. Technical report, Columbia University, MIT Lincoln Laboratory, TR CUCS-023-14 (2014)

31.

Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: ReVirt: enabling intrusion analysis through virtual-machine logging and replay. ACM SIGOPS Operating Syst. Rev. 36(SI), 211–224 (2002)CrossRef

32.

Miller, B.P., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. Commun. ACM 33(12), 32–44 (1990)CrossRef

33.

Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., Bos, H.: VUzzer: application-aware evolutionary fuzzing. In: NDSS, February 2017

34.

Rebert, A., Cha, S.K., Avgerinos, T., Foote, J., Warren, D., Grieco, G., Brumley, D.: Optimizing seed selection for fuzzing. In: 23rd USENIX Security Symposium (2014)

35.

Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., Vigna, G.: Driller: augmenting fuzzing through selective symbolic execution. In: Proceedings of NDSS 2016, February 2016

36.

Tang, J., Li, M.: When virtualization encounter AFL. In: Black Hat Europe (2016)

37.

Wu, C., Wang, Z., Jiang, X.: Taming hosted hypervisors with (mostly) deprivileged execution. In: Network and Distributed System Security Symposium (2013)

38.

Zalewski, M.: American Fuzzy Lop Fuzzer. http://lcamtuf.coredump.cx/afl/

Title: VDF: Targeted Evolutionary Fuzz Testing of Virtual Devices
Authors: Andrew Henderson
Heng Yin
Guang Jin
Hao Han
Hongmei Deng
Publisher: Springer International Publishing
Book: Research in Attacks, Intrusions, and Defenses
Print ISBN: 978-3-319-66331-9

Electronic ISBN: 978-3-319-66332-6

Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-66332-6_1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner