Fuzzing is a recent trend in the systematic testing of interfaces: more or less random inputs are fed to an interface and then iteratively mutated. A subset of fuzzers uses code coverage as feedback when mutating and selecting inputs, among them the popular user-space fuzzer American Fuzzy Lop (AFL). Recently there have been attempts to port fuzzers to the kernel, and the hypercall interface of Xen should now be tested in a similar manner.

While this is a very broad problem overall, this project will help to develop a better understanding of the problem space and make at least the first advances of the source tree in the necessary direction. A generic mechanism will be implemented that allows fuzzers to obtain code-coverage feedback. In the next step this output will be further processed in order to actually run a particular fuzzer (such as AFL), although there might not be sufficient time to commit this to the source tree.

To sum up, the overall steps to getting a fuzzer running are the following:

  1. Extract the execution path from the hypervisor via a hypercall
  2. Parse the execution path into a format consumable by a user-space fuzzer
  3. Drive a domU to execute the fuzzer's test cases
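As an added illustration of step 2 (example code, not part of the project), assuming the hypervisor hands back the execution path as an ordered list of executed basic-block addresses: the block folds such a path into the 64 KiB edge-hit-count map that AFL reads from its shared-memory region, and applies AFL's hit-count bucketing. The address-to-id shift and the sample path are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAP_SIZE (1u << 16)   /* AFL's default map: 64 KiB of 8-bit edge counters */

/* Coverage map in the layout AFL reads back from its shared-memory region. */
static uint8_t trace_bits[MAP_SIZE];

/* Derive a 16-bit block id from an executed address. AFL's own instrumentation
 * assigns a random compile-time id per block; shifting the recorded address is
 * an assumption made here to keep the example self-contained. */
static uint16_t block_id(uint64_t addr) { return (uint16_t)(addr >> 4); }

/* Fold an execution path (executed basic-block addresses, in order) into AFL's
 * edge map: bucket = cur_id ^ (prev_id >> 1), one increment per hit, saturating
 * at 255. Returns the number of distinct edges recorded. */
size_t path_to_afl_map(const uint64_t *path, size_t n, uint8_t *map)
{
    uint16_t prev = 0;
    size_t distinct = 0;
    memset(map, 0, MAP_SIZE);
    for (size_t i = 0; i < n; i++) {
        uint16_t cur = block_id(path[i]);
        uint16_t edge = cur ^ prev;
        if (map[edge] == 0)
            distinct++;
        if (map[edge] != 0xFF)
            map[edge]++;
        prev = cur >> 1;    /* the shift keeps A->B and B->A in different buckets */
    }
    return distinct;
}

/* AFL collapses raw hit counts into coarse buckets before comparing maps, so a
 * loop running 9 versus 10 times is not reported as new coverage. */
uint8_t count_class(uint8_t hits)
{
    if (hits <= 2) return hits;
    if (hits == 3) return 4;
    if (hits <= 7) return 8;
    if (hits <= 15) return 16;
    if (hits <= 31) return 32;
    return hits <= 127 ? 64 : 128;
}

/* Constructed sample path: blocks A B C B C D, i.e. the loop body (B, C) runs twice. */
static const uint64_t sample_path[] = { 0x100, 0x200, 0x400, 0x200, 0x400, 0x800 };

size_t demo_distinct_edges(void)
{ return path_to_afl_map(sample_path, sizeof sample_path / sizeof sample_path[0], trace_bits); }
uint8_t demo_hits(uint16_t edge) { return trace_bits[edge]; }
```

With the sample path the map records five distinct edges, and the repeated B->C transition lands in one bucket with a hit count of 2.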

Felix Schmoll

  • Wei Liu