Skip to content

MSRSSP/hyperfuzzer-seeds

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
bin
bin
 
 
scripts
scripts
 
 
README.md
README.md
 
 

Repository files navigation

About HyperFuzzer

HyperFuzzer is an efficient hybrid fuzzer for Microsoft's Hyper-V hypervisor. HyperFuzzer loads a complete VM state, traces the hypervisor execution using Intel Processor Trace, and continuously mutates the VM state based on code coverage and symbolic execution until it hits a critical bug. HyperFuzzer is deployed inside Microsoft to test daily builds of the Hyper-V hypervisor, and has found 11 critical hypervisor bugs to date (as of 8/2/2021). You can find more technical details of HyperFuzzer in our CCS'21 paper.

Please note that HyperFuzzer is not available outside of Microsoft at the moment. The purpose of this repo is to release the fuzzing seeds which are generic and not specific to Hyper-V to foster future research on hypervisor fuzzing.

Fuzzing Seeds

This repo contains the fuzzing seeds HyperFuzzer used to drive the testing. A fuzzing seed is a complete VM state (register + memory) which triggers VMEXIT on executing its very first instruction and then terminates. HyperFuzzer relies on these fuzzing seeds to cover different functionalities of the hypervisor (e.g., task switch, APIC emulation, etc.), and mutates them with the goal to cause crashes or assertion violations.

Binary Format

Each fuzzing input has a fixed-sized register region followed by a variable-length physical memory region. The data format of the fuzzing input file is as follows:

#pragma pack(1)

typedef struct _VM_STATE {
    REG_FILE RegFile;
    UINT8 PhysicalMemory[0]; // till the end of the file
} VM_STATE;

The data structure of REG_FILE is defined below.

#pragma pack(1)

typedef struct _REG_SEG64 {
    UINT64 Base;
    UINT32 Limit;
    UINT16 Selector;
    UINT16 Attributes;
} REG_SEG64;

typedef struct _REG_TABLE64 {
    UINT64 Base;
    UINT16 Limit;
} REG_TABLE64;

typedef struct _REG_FILE {
    UINT64 Rax;
    UINT64 Rcx;
    UINT64 Rdx;
    UINT64 Rbx;
    UINT64 Rsp;
    UINT64 Rbp;
    UINT64 Rsi;
    UINT64 Rdi;
    UINT64 R8;
    UINT64 R9;
    UINT64 R10;
    UINT64 R11;
    UINT64 R12;
    UINT64 R13;
    UINT64 R14;
    UINT64 R15;
    UINT64 Rip;
    UINT32 Eflags;
    REG_SEG64 Es;
    REG_SEG64 Cs;
    REG_SEG64 Ss;
    REG_SEG64 Ds;
    REG_SEG64 Fs;
    REG_SEG64 Gs;
    REG_SEG64 Tr;
    REG_TABLE64 Idtr;
    REG_TABLE64 Gdtr;
    UINT32 Cr0;
    UINT64 Cr2;
    UINT64 Cr3;
    UINT32 Cr4;
    UINT64 Dr0;
    UINT64 Dr1;
    UINT64 Dr2;
    UINT64 Dr3;
    UINT32 Dr6;
    UINT32 Dr7;
    UINT32 SysenterCs;
    UINT64 SysenterEip;
    UINT64 SysenterEsp;
    UINT32 Efer;
    UINT64 KernelGsBase;
    UINT64 Star;
    UINT64 Lstar;
    UINT64 Cstar;
    UINT32 Sfmask;
} REG_FILE;

Seed Generation

We construct the fuzzing seeds by using a set of Python2 scripts in the scripts/ folder:

  • vmstate.py defines key x86 data structures and various utility functions to help construct VM states.
  • example_taskswitch.py generates VM states to test the hypervisor's emulation of hardware task switch.
  • example_rum.py generates VM states to test the hypervisor's restricted user mode implementation.
  • example_lapic.py generates VM states to test the hypervisor's APIC emulation.
  • example_msr.py generates VM states to test the hypervisor's MSR virtualization.
  • ...

We also place the final binary files generated by those scripts in the bin/ folder.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

9 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages