Sören Bleikertz
26 Dec 2010

Fuzzing the Xen Hypervisor

Since playing with Xen’s stub domains is fun, I dug out an old project that also uses these stub domains: a fuzzer for Xen hypercalls.

Hypercalls are the hypervisor's counterpart to the system calls of an ordinary operating system: they let a VM ask the hypervisor to perform a privileged operation on its behalf. Fuzzing system calls is a popular sport, so it is interesting to see how well the same approach works against a hypervisor.

I published a proof-of-concept fuzzer. It is not very sophisticated, but it shows how one can build a stub domain that fuzzes the different hypercalls. The hypercalls are divided into five groups, based on the number of arguments they expect. For each argument, we randomly select a value from one of these categories:

Some hypercalls are currently disabled, because issuing them halts the fuzzing run. Further investigation is needed there.
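The design just described (hypercalls grouped by argument count, each argument drawn from a randomly chosen value class, some entries disabled) as a small driver in C. This is an added example and not the published proof-of-concept code: the value classes, the hypercall table and the `issue_fn` hook are my assumptions for illustration; the original's list of categories is not reproduced on this page. In a Mini-OS stub domain the `dry_run` hook would be replaced by the real hypercall entry point; here it only prints the call, so the program runs on any host.

```c
/* hypercall_fuzz.c: argument generator and driver for a hypercall fuzzer.
 * Added example, not the original fuzzer. Value classes, table and the
 * dispatch hook are assumptions chosen to illustrate the design. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ARGS 5   /* five groups: hypercalls taking 1..5 arguments */

/* Argument value classes (assumed; the original's categories are not shown). */
enum arg_class {
    ARG_ZERO,       /* 0: NULL pointer, domain 0, count 0 */
    ARG_SMALL,      /* small counts/indices 1..15 */
    ARG_BOUNDARY,   /* sign and width edges: -1, INT_MAX, 1<<31, 1<<63, ... */
    ARG_POINTER,    /* addresses that look valid but are probably unmapped */
    ARG_RANDOM,     /* uniformly random 64-bit word */
    ARG_NCLASSES
};

typedef struct {
    const char *name;
    unsigned    nr;      /* hypercall number (illustrative) */
    unsigned    nargs;   /* 1..MAX_ARGS, selects the group */
    int         enabled; /* 0: left out because it halts the fuzzing run */
} hypercall_desc;

/* Illustrative table; argument counts follow the 64-bit hypercall ABI. */
static const hypercall_desc table[] = {
    { "set_trap_table",    0, 1, 1 },
    { "mmu_update",        1, 4, 1 },
    { "set_gdt",           2, 2, 1 },
    { "stack_switch",      3, 2, 0 }, /* assumed disabled: never returns */
    { "memory_op",        12, 2, 1 },
    { "update_va_mapping",14, 3, 1 },
    { "xen_version",      17, 2, 1 },
    { "console_io",       18, 3, 1 },
    { "grant_table_op",   20, 3, 1 },
    { "sched_op",         29, 2, 0 }, /* assumed disabled: shutdown ends the run */
};
#define NTABLE (sizeof table / sizeof table[0])

/* xorshift64; the seed must be non-zero. */
static uint64_t rng_next(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Produce one argument value from the given class. */
uint64_t gen_arg(enum arg_class c, uint64_t *s)
{
    static const uint64_t boundary[] = {
        (uint64_t)-1, 0x7fffffffULL, 0x80000000ULL, 0xffffffffULL,
        0x7fffffffffffffffULL, 0x8000000000000000ULL, 0xfffULL, 0x1000ULL };
    static const uint64_t pointers[] = {
        0xffff800000000000ULL,  /* bottom of the 64-bit hypervisor range */
        0xffffffff80000000ULL,  /* typical guest kernel text */
        0x00007ffffff00000ULL,  /* near the top of user space */
        0x0000000000001000ULL };/* just past the zero page */
    switch (c) {
    case ARG_ZERO:     return 0;
    case ARG_SMALL:    return 1 + rng_next(s) % 15;
    case ARG_BOUNDARY: return boundary[rng_next(s) % 8];
    case ARG_POINTER:  return pointers[rng_next(s) % 4] + ((rng_next(s) % 64) << 12);
    default:           return rng_next(s);
    }
}

/* Hook used to issue a hypercall; the dry-run version only prints it. */
typedef long (*issue_fn)(unsigned nr, unsigned nargs, const uint64_t *args);

static long dry_run(unsigned nr, unsigned nargs, const uint64_t *args)
{
    printf("hypercall %u(", nr);
    for (unsigned i = 0; i < nargs; i++)
        printf("%s0x%llx", i ? ", " : "", (unsigned long long)args[i]);
    puts(")");
    return 0;
}

/* Record of the most recent call, so a crash can be traced to its arguments
 * (on real hardware, write this to the console before issuing the call). */
struct { unsigned nr, nargs; uint64_t args[MAX_ARGS]; } last_call;

/* One fuzzing step: pick an enabled hypercall, fill its arguments from
 * randomly chosen classes, issue it. Returns the table index, or -1. */
int fuzz_step(uint64_t *s, issue_fn issue, long *ret)
{
    size_t i = rng_next(s) % NTABLE;
    for (size_t k = 0; k < NTABLE && !table[i].enabled; k++)
        i = (i + 1) % NTABLE;          /* skip disabled entries */
    if (!table[i].enabled) return -1;  /* everything disabled */

    last_call.nr = table[i].nr;
    last_call.nargs = table[i].nargs;
    for (unsigned a = 0; a < MAX_ARGS; a++)
        last_call.args[a] = a < table[i].nargs
            ? gen_arg((enum arg_class)(rng_next(s) % ARG_NCLASSES), s) : 0;
    *ret = issue(last_call.nr, last_call.nargs, last_call.args);
    return (int)i;
}

int main(int argc, char **argv)
{
    uint64_t seed = argc > 1 ? strtoull(argv[1], NULL, 0) : 0x9e3779b97f4a7c15ULL;
    long ret;
    for (int n = 0; n < 20; n++)
        fuzz_step(&seed, dry_run, &ret);
    return 0;
}
```

Seeding from the command line makes a run reproducible, which matters more for a hypervisor fuzzer than for a system-call one: when a hypercall takes the whole domain down, the seed and the last printed call are all you have left.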

Have fun extending the fuzzer and perhaps finding some interesting bugs.