HYPER-CUBE: High-Dimensional Hypervisor Fuzzing (2020)
Conference / Medium
Research Hub C: Secure Systems
RC 8: Security with Untrusted Components
Virtual machine monitors (VMMs, also called hypervisors) represent a very critical part of a modern software stack: compromising them could allow an attacker to take full control of the whole cloud infrastructure of any cloud provider. Hence their security is critical for many applications, especially in the context of Infrastructure-as-a-Service. In this paper, we present the design and implementation of HYPER-CUBE, a novel fuzzer that aims explicitly at testing hypervisors in an efficient, effective, and precise way. Our approach is based on a custom operating system that implements a custom bytecode interpreter. This high-throughput design for long-running, interactive targets allows us to fuzz a large number of both open source and proprietary hypervisors. In contrast to one-dimensional fuzzers such as AFL, HYPER-CUBE can interact with any number of interfaces in any order. Our evaluation results show that we can find more bugs (over 2×) and coverage (as much as 2×) than state-of-the-art hypervisor fuzzers. In most cases, we were even able to do so using multiple orders of magnitude less time than comparable fuzzers. HYPER-CUBE was also able to rediscover a set of well-known hypervisor vulnerabilities, such as VENOM, in less than five minutes. In total, we found 54 novel bugs, and so far obtained 43 CVEs. Our evaluation results demonstrate that next-generation coverage-guided fuzzers should incorporate a higher-throughput design for long-running targets such as hypervisors.
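The design point the abstract makes (a bytecode interpreter that turns any random byte string into a valid sequence of operations across several interfaces, in any order) can be modelled in a few lines. The following is an added illustration, not the paper's or the HYPER-CUBE project's code: the opcode layout, the interface names and sizes, and the mock device with a constructed state-dependent flaw are all assumptions chosen for the model.

```python
# Toy Hyper-Cube-style bytecode interpreter over constructed mock interfaces;
# opcode layout, names and the flawed device are assumptions, not the paper's.
import random
class MockRegs:  # benign interface (PIO port range or MMIO region)
    def __init__(self, name, size):
        self.name, self.size, self.regs = name, size, {}
    def access(self, addr, value, write):
        if write: self.regs[addr] = value

class MockFifoDevice:
    """Constructed flaw: unchecked FIFO index; faults after 5 writes without reset."""
    name, size = "fifo", 2                   # reg 0 = data, reg 1 = reset
    def __init__(self):
        self.fifo, self.pos = [0] * 4, 0
    def access(self, addr, value, write):
        if write and addr == 1:
            self.pos = 0                     # reset command
        elif write and addr == 0:
            self.fifo[self.pos] = value      # missing bounds check -> IndexError
            self.pos += 1

def make_interfaces():
    return [MockRegs("pio", 0x10000), MockRegs("mmio", 0x1000), MockFifoDevice()]

def run_program(program: bytes, interfaces: list) -> list:
    """Any byte string is a valid program: byte 0 picks interface (mod count)
    and direction (bit 7); bytes 1-2 address (mod size); bytes 3-4 value."""
    trace, pc = [], 0
    while pc + 5 <= len(program):
        op = program[pc]
        iface = interfaces[op % len(interfaces)]
        addr = int.from_bytes(program[pc + 1:pc + 3], "little") % iface.size
        value = int.from_bytes(program[pc + 3:pc + 5], "little")
        iface.access(addr, value, write=bool(op & 0x80))
        trace.append((iface.name, "w" if op & 0x80 else "r", addr, value))
        pc += 5
    return trace                             # executed operations, in order

def crashes(program: bytes) -> bool:
    # Replay against fresh interfaces; True if the mock device faults.
    try:
        run_program(program, make_interfaces())
        return False
    except IndexError:
        return True

def fuzz(seed: int, rounds: int, program_len: int = 100):
    # Throw random programs at the interfaces; return the first crashing one.
    rng = random.Random(seed)
    for _ in range(rounds):
        program = rng.randbytes(program_len)
        if crashes(program): return program
```

Because no input is ever rejected by a parser, every generated byte string costs the target real work, which is the throughput argument the abstract makes; the fault in the mock device is only reached by a particular ordering of writes, which a one-dimensional input format cannot express directly.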