HYPER-CUBE: High-Dimensional Hypervisor Fuzzing

Schumilo, Sergej; Aschermann, Cornelius; Abbasi, Ali; Wör­ner, Simon; Holz, Thorsten

doi:10.14722/ndss.2020.23096

Cited by 41 publications

(47 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A higher execution speed means that fuzzing can examine more test cases, which ofers a higher opportunity to ind defects. Therefore, researchers put many eforts to improve the execution speed of fuzzing, including binary analysis [58,134], optimized execution processes [46,133,204,216], and application-speciied techniques [91,162,163,174,195,196,211].…”

Section: Improvement Of Execution Speedmentioning

confidence: 99%

“…FIRM-AFL [211] mitigates the overhead via combining user-mode emulation and full-system emulation, and it mainly runs programs in the user-mode emulation. In order to fuzz VMMs (i.e., hypervisors), Schumilo et al [162,163] design a customized OS and a fast snapshot restoration mechanism to conduct fuzzing eiciently. As to the ile systems, mutating a whole disk image degrades the fuzzing throughput signiicantly because an image is too large.…”

Section: Various Applicationsmentioning

confidence: 99%

See 1 more Smart Citation

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

show abstract

Section: Improvement Of Execution Speedmentioning

confidence: 99%

Section: Various Applicationsmentioning

confidence: 99%

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Recently, researchers employ newer hardware-based features (e.g. Intel-PT) for low-level hypervisor fuzzing [79,80], kernel failure reverse debugging [36] as well as machine learning approaches [5], to discover vulnerabilities and bugs. Similar ideas are deployed for embedded systems arming application tracing [26], debugging [67,70], unpacking [94] on Arm processors.…”

Section: Related Workmentioning

confidence: 99%

HyperDbg: Reinventing Hardware-Assisted Debugging

Karvandi¹,

Gholamrezaei²,

Monfared³

et al. 2022

Preprint

View full text Add to dashboard Cite

Software analysis, debugging, and reverse engineering have a crucial impact in today’s software industry. Efficient and stealthy debuggers are especially relevant for malware analysis. However, existing debugging platforms fail to address a transparent, effective, and high-performance low-level debugger due to their detectable fingerprints, complexity, and implementation restrictions. In this paper, we present HyperDbg, a new hypervisor-assisted debugger for high-performance and stealthy debugging of user and kernel applications. To accomplish this, HyperDbg relies on state-of-the-art hardware features available in today’s CPUs, such as VT-x and extended page tables. In contrast to other widely used existing debuggers, we design HyperDbg using a custom hypervisor, making it independent of OS functionality or API. We propose hardware-based instruction-level emulation and OS-level API hooking via extended page tables to increase the stealthiness. Our results of the dynamic analysis of 10,853 malware samples show that HyperDbg’s stealthiness allows debugging on average 22% and 26% more samples than WinDbg and x64dbg, respectively. Moreover, in contrast to existing debuggers, HyperDbg is not detected by any of the 13 tested packers and protectors. We improve the performance over other debuggers by deploying a VMX-compatible script engine, eliminating unnecessary context switches. Our experiment on three concrete debugging scenarios shows that compared to WinDbg as the only kernel debugger, HyperDbg performs step-in, conditional breaks, and syscall recording, 2.98x, 1319x, and 2018x faster, respectively. We finally show real-world applications, such as a 0-day analysis, structure reconstruction for reverse engineering, software performance analysis, and code-coverage analysis.

show abstract

“…Fuzzers such as syzkaller or kAFL [25,43,53,55,58,63] adapted AFL's fuzzing model to kernel fuzzing. Fuzzers like VDF and Nyx even target hypervisors [24,51,52]. Hypervisor-based fuzzing is also commonly used to fuzz firmware [12,35,50,69] Snapshots were also used previously to speed up fuzzing.…”

Section: Related Workmentioning

confidence: 99%

Nyx-Net: Network Fuzzing with Incremental Snapshots

Schumilo,

Aschermann,

Jemmett

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Coverage-guided fuzz testing ("fuzzing") has become mainstream and we have observed lots of progress in this research area recently. However, it is still challenging to efficiently test network services with existing coverage-guided fuzzing methods. In this paper, we introduce the design and implementation of Nyx-Net, a novel snapshot-based fuzzing approach that can successfully fuzz a wide range of targets spanning servers, clients, games, and even Firefox's Inter-Process Communication (IPC) interface. Compared to state-of-the-art methods, Nyx-Net improves test throughput by up to 300x and coverage found by up to 70%. Additionally, Nyx-Net is able to find crashes in two of ProFuzzBench's targets that no other fuzzer found previously. When using Nyx-Net to play the game Super Mario, Nyx-Net shows speedups of 10-30x compared to existing work. Under some circumstances, Nyx-Net is even able play "faster than light": solving the level takes less wall-clock time than playing the level perfectly even once. Nyx-Net is able to find previously unknown bugs in servers such as Lighttpd, clients such as MySQL client, and even Firefox's IPC mechanism-demonstrating the strength and versatility of the proposed approach. Lastly, our prototype implementation was awarded a $20.000 bug bounty for enabling fuzzing on previously unfuzzable code in Firefox and solving a long-standing problem at Mozilla.

show abstract

HYPER-CUBE: High-Dimensional Hypervisor Fuzzing

Cited by 41 publications

References 23 publications

Fuzzing: A Survey for Roadmap

Fuzzing: A Survey for Roadmap

HyperDbg: Reinventing Hardware-Assisted Debugging

Nyx-Net: Network Fuzzing with Incremental Snapshots

Contact Info

Product

Resources

About