Fuzzing is a recent trend for the systematic testing of interfaces by feeding them more or less random inputs and iterating on them. A subset of fuzzers uses code coverage as feedback when mutating and choosing inputs, among them the popular user-space fuzzer American Fuzzy Lop (AFL). Recently there have been attempts to port fuzzers to the kernel, and the hypercall interface of Xen should now be tested in a similar manner.
While this is overall a very broad problem, this project will help to develop a better understanding of the problem space and make at least first advances of the source tree in the necessary direction. A generic mechanism will be implemented that allows fuzzers to obtain code-coverage feedback. In the next step this output will be processed further in order to actually run a particular fuzzer (such as AFL), although there might not be sufficient time to commit this to the source tree.
To sum up, the overall steps to getting a fuzzer running are the following:
- Extract the execution path from the hypervisor via a hypercall
- Parse the execution path into a format consumable by a user-space fuzzer
- Drive a domU to execute the fuzzer's test cases
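The second step, turning a raw execution path into something a coverage-guided fuzzer can consume, is the one that can be shown concretely without committing to a particular Xen export mechanism. The following is an added example, not code from the project or from AFL itself. It assumes the hypervisor hands back the execution path as a list of basic-block addresses (the constructed sample below uses addresses in Xen's hypervisor virtual address range purely for illustration), and it folds that list into an AFL-style edge-coverage map the same way AFL's instrumentation does: the map index of an edge is `cur_loc ^ (prev_loc >> 1)`, hit counts are bucketed into AFL's eight count classes, and a "virgin" map records which edges and which count buckets have already been seen so a harness can decide whether a test case is interesting. The names `parse_trace`, `trace_to_map`, `classify_counts` and `has_new_bits` are this example's own.

```python
# Added example: fold a hypervisor execution path into an AFL-style
# edge-coverage map. Not project code; the trace format is an assumption.

MAP_SIZE = 1 << 16  # AFL's default 64 KiB shared-memory map

# AFL's count classes: a raw hit count is collapsed to one bit so that
# "ran the loop 5 times" and "ran it 7 times" look identical to the fuzzer.
def _count_class(count):
    if count == 0:
        return 0
    if count <= 3:
        return {1: 1, 2: 2, 3: 4}[count]
    if count <= 7:
        return 8
    if count <= 15:
        return 16
    if count <= 31:
        return 32
    if count <= 127:
        return 64
    return 128


def parse_trace(text):
    """Parse one basic-block address per line (hex, '#' comments allowed)
    into a list of integers. The line format is an assumption."""
    blocks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            blocks.append(int(line, 16))
    return blocks


def trace_to_map(blocks, map_size=MAP_SIZE):
    """Convert an ordered list of block addresses into a saturating edge
    hit-count map, mirroring AFL's prev_loc/cur_loc instrumentation.
    AFL uses compile-time random block ids; here real addresses are masked
    to the map size, so distinct blocks may collide on the same slot."""
    hits = bytearray(map_size)
    prev_loc = 0
    for addr in blocks:
        cur_loc = addr & (map_size - 1)
        idx = cur_loc ^ prev_loc
        hits[idx] = min(hits[idx] + 1, 255)
        prev_loc = cur_loc >> 1  # shift so A->B and B->A land on different slots
    return hits


def classify_counts(hits):
    """Return a copy of the map with every byte replaced by its count class."""
    return bytearray(_count_class(b) for b in hits)


def edge_count(hits):
    """Number of distinct edges exercised by the trace."""
    return sum(1 for b in hits if b)


def has_new_bits(virgin, classified):
    """AFL's interestingness test. Returns 2 if a never-seen edge was hit,
    1 if only a new hit-count bucket on a known edge appeared, else 0.
    `virgin` starts as all 0xFF and is updated in place."""
    ret = 0
    for i, cur in enumerate(classified):
        if cur & virgin[i]:
            if ret < 2:
                ret = 2 if virgin[i] == 0xFF else 1
            virgin[i] &= ~cur & 0xFF
    return ret


# Constructed sample trace: the kind of path a hypercall dispatcher might
# report, with one basic block revisited (a loop body executed twice).
SAMPLE_TRACE = """
0xffff82d080201000  # hypercall entry
0xffff82d080201040  # argument copy-in
0xffff82d080201080  # loop body, first iteration
0xffff82d080201040  # back-edge
0xffff82d080201080  # loop body, second iteration
0xffff82d0802010c0  # return path
"""

if __name__ == "__main__":
    virgin = bytearray(b"\xff" * MAP_SIZE)
    hits = trace_to_map(parse_trace(SAMPLE_TRACE))
    print("edges:", edge_count(hits))
    print("new bits on first run:", has_new_bits(virgin, classify_counts(hits)))
    print("new bits on replay:", has_new_bits(virgin, classify_counts(hits)))
```

In a real harness the classified map would be written into the shared-memory region AFL polls rather than compared in Python, but the interestingness rule is the same: a test case that yields 2 or 1 from `has_new_bits` is kept in the queue, one that yields 0 is discarded.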