On 220128 1547, Stefan Hajnoczi wrote:
> Dear QEMU, KVM, and rust-vmm communities,
> QEMU will apply for Google Summer of Code 2022
> (https://summerofcode.withgoogle.com/) and has been accepted into
> Outreachy May-August 2022 (https://www.outreachy.org/). You can now
> submit internship project ideas for QEMU, KVM, and rust-vmm!
>
> If you have experience contributing to QEMU, KVM, or rust-vmm you can
> be a mentor. It's a great way to give back and you get to work with
> people who are just starting out in open source.
>
> Please reply to this email by February 21st with your project ideas.
>
> Good project ideas are suitable for remote work by a competent
> programmer who is not yet familiar with the codebase. In
> addition, they are:
> - Well-defined - the scope is clear
> - Self-contained - there are few dependencies
> - Uncontroversial - they are acceptable to the community
> - Incremental - they produce deliverables along the way
>
> Feel free to post ideas even if you are unable to mentor the project.
> It doesn't hurt to share the idea!

Here are two fuzzing-related ideas:

Summary: Implement rapid guest-initiated snapshot/restore functionality (for fuzzing).

Description:
Many recent fuzzing projects rely on snapshot/restore functionality [1,2,3,4,5]. For example, tests/fuzzers that target large targets, such as OS kernels and browsers, benefit from full-VM snapshots, where solutions such as manual state cleanup and fork-servers are insufficient. Many of the existing solutions are based on QEMU; however, there is currently no upstream solution. Furthermore, hypervisors such as Xen have already incorporated support for snapshot fuzzing. In this project, you will implement a virtual device for snapshot fuzzing, following a spec agreed upon by the community. The device will implement standard fuzzing APIs that allow fuzzing using engines such as libFuzzer and AFL++. The simple APIs exposed by the device will allow fuzzer developers to build custom harnesses in the VM to request snapshots, memory/device/register restores, request new inputs, and report coverage.

[1] https://arxiv.org/pdf/2111.03013.pdf
[2] https://blog.mozilla.org/attack-and-defense/2021/01/27/effectively-fuzzing-the-ipc-layer-in-firefox/
[3] https://www.usenix.org/system/files/sec20-song.pdf
[4] https://github.com/intel/kernel-fuzzer-for-xen-project
[5] https://github.com/quarkslab/rewind

Skill level: Intermediate with interest and experience in fuzzing.
Language/Skills: C
Topic/Skill Areas: Fuzzing, OS/Systems/Drivers

Summary: Implement a coverage-guided fuzzer for QEMU images

Description:
QEMU has a qcow2 fuzzer (see tests/image-fuzzer). However, this fuzzer is not coverage-guided and is limited to qcow2 images. Furthermore, it does not run on OSS-Fuzz. In some contexts, qemu-img is expected to handle untrusted disk images. As such, it is important to effectively fuzz this code. Your task will be to create a coverage-guided fuzzer for image formats supported by QEMU. Beyond basic image-parsing code, the fuzzer should be able to find bugs in image-conversion code. Combined with a corpus of QEMU images, the fuzzer harness will need less information about image layout.

Skill level: Intermediate
Language/Skills: C
Topic/Skill Areas: Fuzzing, libFuzzer/AFL

Thanks
-Alex
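The harness shape the second idea calls for, as an added example that is not QEMU's code or part of the thread: a libFuzzer-style entry point that materializes each input as a file (the way qemu-img consumes images) and hands the path to the code under test, plus a builder for a seed image so the corpus starts from something the parser accepts. `check_qcow2_header()` is a hypothetical stand-in for QEMU's block layer: it only validates the fixed part of the qcow2 header (magic, version, and the cluster_bits range QEMU enforces); in the real project that call would be replaced by opening the image through the block layer or running a conversion, which is where the deeper bugs live.

```c
/* Added example: libFuzzer-style harness skeleton for disk-image parsing.
 * check_qcow2_header() is a stand-in for QEMU's block layer (assumption),
 * so the file compiles and runs without QEMU. qcow2 header layout used:
 *   0: magic "QFI\xfb"   4: version (2 or 3)   20: cluster_bits
 *  24: virtual size     48: refcount_table_offset  56: refcount_table_clusters
 *  96: refcount_order (v3)  100: header_length (v3)
 * Build for fuzzing: clang -g -fsanitize=fuzzer,address harness.c
 */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define QCOW_MAGIC             0x514649fbU /* "QFI\xfb" */
#define QCOW2_MIN_CLUSTER_BITS 9           /* 512 B clusters, QEMU's lower bound */
#define QCOW2_MAX_CLUSTER_BITS 21          /* 2 MiB clusters, QEMU's upper bound */
#define QCOW2_V2_HEADER_LEN    72
#define QCOW2_V3_HEADER_LEN    104

enum img_status {
    IMG_OK = 0, IMG_IO_ERROR, IMG_TOO_SHORT, IMG_BAD_MAGIC,
    IMG_BAD_VERSION, IMG_BAD_CLUSTER_BITS
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}
static void put_be64(uint8_t *p, uint64_t v)
{
    put_be32(p, (uint32_t)(v >> 32)); put_be32(p + 4, (uint32_t)v);
}

/* Stand-in for the parser under test. All fields are big-endian. */
enum img_status check_qcow2_header(const uint8_t *buf, size_t len)
{
    if (len < QCOW2_V2_HEADER_LEN) return IMG_TOO_SHORT;
    if (be32(buf) != QCOW_MAGIC) return IMG_BAD_MAGIC;
    uint32_t version = be32(buf + 4);
    if (version != 2 && version != 3) return IMG_BAD_VERSION;
    uint32_t cluster_bits = be32(buf + 20);
    if (cluster_bits < QCOW2_MIN_CLUSTER_BITS ||
        cluster_bits > QCOW2_MAX_CLUSTER_BITS) return IMG_BAD_CLUSTER_BITS;
    return IMG_OK;
}

/* Write the fuzz input to an anonymous temp file and run the parser on
 * it. The real harness would pass `path` to the block layer / qemu-img
 * conversion instead of reading it back into a buffer. */
enum img_status fuzz_image_bytes(const uint8_t *data, size_t size)
{
    char path[] = "/tmp/img-fuzz-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return IMG_IO_ERROR;
    unlink(path);                      /* file lives only as long as the fd */

    enum img_status st = IMG_IO_ERROR;
    if (size == 0 || write(fd, data, size) == (ssize_t)size) {
        uint8_t *buf = malloc(size ? size : 1);
        if (buf && (size == 0 || pread(fd, buf, size, 0) == (ssize_t)size))
            st = check_qcow2_header(buf, size);
        free(buf);
    }
    close(fd);
    return st;
}

/* libFuzzer entry point; every input is a candidate image. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)fuzz_image_bytes(data, size);
    return 0;
}

/* Constructed seed: a minimal valid qcow2 v3 header (64 MiB virtual size,
 * 64 KiB clusters, empty L1 table). Returns bytes written, 0 if `cap` is
 * too small. Drop the bytes into the corpus directory before fuzzing. */
size_t make_seed_image(uint8_t *out, size_t cap)
{
    if (cap < QCOW2_V3_HEADER_LEN) return 0;
    memset(out, 0, QCOW2_V3_HEADER_LEN);
    put_be32(out + 0, QCOW_MAGIC);
    put_be32(out + 4, 3);                        /* version */
    put_be32(out + 20, 16);                      /* cluster_bits: 64 KiB */
    put_be64(out + 24, 64ULL << 20);             /* virtual size */
    put_be64(out + 48, 1 << 16);                 /* refcount table in cluster 1 */
    put_be32(out + 56, 1);                       /* refcount_table_clusters */
    put_be32(out + 96, 4);                       /* refcount_order: 16-bit */
    put_be32(out + 100, QCOW2_V3_HEADER_LEN);    /* header_length */
    return QCOW2_V3_HEADER_LEN;
}
```

Two design points carry over to the real project. Materializing the input as a file is what lets the same harness drive any format QEMU supports, since the block layer probes and opens by path rather than by buffer; `unlink()` right after `mkstemp()` keeps thousands of iterations from littering /tmp. And seeding the corpus with valid images (from `make_seed_image()` here, or from `qemu-img create` for other formats) is what makes the header-layout knowledge optional: the mutator starts from inputs that already pass the early checks, so coverage feedback can push it into the L1/L2 and conversion paths instead of spending its budget rediscovering the magic number.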