Question

I'm a beginner/intermediate at reverse engineering and I'm trying to make the leap to expert. I want to do a project on virtual machines, specifically escaping them, and was wondering if fuzzing could be applied to them, such as fuzzing the networking and I/O devices inside the VM and then evaluating the results. Would this be a valid way of finding vulnerabilities in VMs?

Also how would I go about debugging a VM and hypervisor?

I'm hopefully looking for references and good pointers.


Excellent, just what I was looking for, thanks. Another question would be how to debug things like vbox and qemu; would this be done in the virtual machine or on the host, or are there tools provided? That is the only part I'm not sure about.


Solution

You need to read the following paper:

Tavis Ormandy, "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments", 2007.

That paper describes how Tavis Ormandy fuzz-tested a variety of virtual machines and reports on his results. He found a number of serious security vulnerabilities. Basically, he did everything it sounds like you want to do, so you should start by reading it to see what he did and what you can learn from it.

Other tips

Such as fuzzing the networking and I/O devices inside the VM, then evaluating the results. Would this be a valid way of finding vulnerabilities in VMs?

Sure, why not? Just find some component with a big domain of inputs and fuzz away. Be sure to attack something that actually requires a physical device, such as disk, video, networking, etc., because those are guaranteed to be implemented by the VM on the host in some stupid language like C or C++.

There are a bunch of papers/slides from Black Hat/DEF CON conferences on this topic; I can't remember any in particular, though, so see for yourself.
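As an added example that is not part of any answer above: a minimal, reproducible guest-side I/O-port fuzzer in C, in the spirit of the port fuzzing Ormandy's paper describes and the "find a component with a big domain of inputs" advice above. It is written around two practical points: every test case is derived from a seed, so a crash can be regenerated, and every case is logged before it is executed, so a host-side log still holds the triggering case after the hypervisor process dies. Assumptions: an x86 Linux guest, run as root so ioperm() can grant access to the chosen port range; the target range 0x1F0..0x1F7 (the legacy primary IDE controller) is only an illustrative choice, not a known-vulnerable device.

```c
/* Guest-side I/O-port fuzzer skeleton (added example, not from the thread).
 * Assumptions: x86 Linux guest, run as root for ioperm(); the target port
 * range below (0x1F0, legacy primary IDE) is purely illustrative.
 * Each case is logged to stderr BEFORE it is executed, so the serial console
 * or host-side log keeps the last case when the VM or hypervisor dies. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if (defined(__x86_64__) || defined(__i386__)) && defined(__linux__)
#include <sys/io.h>          /* ioperm(), outb(), outw(), outl() */
#define HAVE_PORT_IO 1
#else
#define HAVE_PORT_IO 0
#endif

struct fuzz_case {
    uint16_t port;   /* target I/O port */
    uint8_t  width;  /* access width in bytes: 1, 2 or 4 */
    uint32_t value;  /* value written, masked to the width */
};

/* xorshift64*: tiny seedable PRNG, so a whole run is reproducible from its seed. */
static uint64_t rng_next(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Derive one case: a port in [base, base+len), a random width, and a value
 * that is a boundary constant half the time and fully random otherwise. */
struct fuzz_case gen_case(uint64_t *s, uint16_t base, uint16_t len)
{
    static const uint8_t  widths[3] = {1, 2, 4};
    static const uint32_t edges[]   = {0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000,
                                       0xFFFF, 0x7FFFFFFF, 0x80000000u, 0xFFFFFFFFu};
    struct fuzz_case c;
    uint64_t r = rng_next(s);
    c.port  = (uint16_t)(base + (r % len));
    c.width = widths[(r >> 16) % 3];
    r = rng_next(s);
    c.value = (r & 1) ? edges[(r >> 1) % (sizeof edges / sizeof edges[0])]
                      : (uint32_t)(r >> 8);
    if (c.width == 1)      c.value &= 0xFF;
    else if (c.width == 2) c.value &= 0xFFFF;
    return c;
}

/* One-line log form, e.g. "port=0x01f0 width=2 value=0x0000ffff". */
int fmt_case(const struct fuzz_case *c, char *buf, size_t n)
{
    return snprintf(buf, n, "port=0x%04x width=%u value=0x%08x",
                    c->port, c->width, c->value);
}

/* Parse a logged line back into a case so a crash can be replayed. 1 on success. */
int parse_case(const char *line, struct fuzz_case *c)
{
    unsigned p, w, v;
    if (sscanf(line, "port=0x%x width=%u value=0x%x", &p, &w, &v) != 3) return 0;
    if (p > 0xFFFF || (w != 1 && w != 2 && w != 4)) return 0;
    c->port = (uint16_t)p; c->width = (uint8_t)w; c->value = v;
    return 1;
}

/* Sanity check before replaying: inside the granted range and well formed? */
int case_in_range(const struct fuzz_case *c, uint16_t base, uint16_t len)
{
    if (c->port < base || c->port >= base + len) return 0;
    if (c->width != 1 && c->width != 2 && c->width != 4) return 0;
    if (c->width == 1 && c->value > 0xFF) return 0;
    if (c->width == 2 && c->value > 0xFFFF) return 0;
    return 1;
}

/* Perform the write. Returns 0 when this build has no port I/O at all. */
int run_case(const struct fuzz_case *c)
{
#if HAVE_PORT_IO
    if (c->width == 1)      outb((uint8_t)c->value, c->port);
    else if (c->width == 2) outw((uint16_t)c->value, c->port);
    else                    outl(c->value, c->port);
    return 1;
#else
    (void)c;
    return 0;
#endif
}

int main(int argc, char **argv)
{
    uint64_t seed = argc > 1 ? strtoull(argv[1], NULL, 0) : 0x9E3779B97F4A7C15ULL;
    uint16_t base = 0x1F0, len = 8;   /* assumed target range, see header comment */
    char line[64];
    if (seed == 0) seed = 1;           /* xorshift must not start at zero */
#if HAVE_PORT_IO
    if (ioperm(base, len, 1) != 0) { perror("ioperm (run as root in the guest)"); return 1; }
#endif
    for (unsigned i = 0; i < 100000; i++) {
        struct fuzz_case c = gen_case(&seed, base, len);
        fmt_case(&c, line, sizeof line);
        fprintf(stderr, "%s\n", line);          /* log first, then poke */
        if (!run_case(&c)) { fputs("no port I/O on this build\n", stderr); return 1; }
    }
    return 0;
}
```

Build it inside the guest with `gcc -O2 -o portfuzz portfuzz.c` and run it as `./portfuzz 0x1234 2>/dev/ttyS0` so the log leaves the guest over the emulated serial port; when the hypervisor aborts, the last line on the host side is the case to hand to parse_case() and replay. A real campaign would also issue reads (inb/inw/inl), since many emulated devices keep state that only a read sequence exercises, and would vary the order of accesses rather than single writes.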

As an added step to Longpoke's and D.W.'s answers, perhaps you'd want to take a look at tools like kemufuzzer. It provides a gdb backend to interact with VMware's built-in debugger, which you can also extend.

This is a relatively less mature field in information security, so you may end up having to implement most of your toolbox, though in most cases you can make do with extending already existing tools.

Licensed under: CC-BY-SA with attribution