As it is exposed directly to guest code, the x86 emulator is an interesting target for exploiters: a vulnerability may lead to compromise of the entire host. In an attempt to catch vulnerabilities before they make it into production code, this patchset adds a fuzz tester for the emulator. Instructions are synthesized and fed into the emulator; a vulnerability will usually result in an access violation.

I tried to make the emulator test build and run in userspace; this proved too difficult, so the test is built as part of the kernel. It can still be run in userspace, via KVM:

  qemu -enable-kvm -smp 4 -serial stdio -kernel bzImage \
       -append 'console=ttyS0 test_emulator.iterations=1000000000'

  ...
  starting emulator test
  emulator fuzz test results
    instructions: 1000000000
    decoded: 94330032
    emulated: 92529152
    nofault: 117
    failures: 0
  emulator test: PASS
  ...

One billion random instructions failed to find a vulnerability, so either the emulator is really good, or the test is really bad, or we need a lot more runtime.

Lucas, how would we go about integrating this into kvm-autotest?

Avi Kivity (3):
  KVM: x86 emulator: make prototype of ->write_std() the same as ->write_emulated
  KVM: x86 emulator: export main interface
  KVM: x86 emulator: fuzz tester

 arch/x86/Kbuild                    |   1 +
 arch/x86/include/asm/kvm_emulate.h |   3 +-
 arch/x86/kvm/Kconfig               |  11 +
 arch/x86/kvm/Makefile              |   1 +
 arch/x86/kvm/emulate.c             |   2 +
 arch/x86/kvm/test-emulator.c       | 533 ++++++++++++++++++++++++++++++++++++
 arch/x86/kvm/x86.c                 |   4 +-
 arch/x86/kvm/x86.h                 |   2 +-
 8 files changed, 553 insertions(+), 4 deletions(-)
 create mode 100644 arch/x86/kvm/test-emulator.c

--
1.7.5.3
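The harness below is an added example and is not code from this patchset or from KVM's arch/x86/kvm/test-emulator.c. It shows the shape of the fuzz loop the cover letter describes: synthesize random instruction bytes, feed them to a decoder through a bounds-checked fetch (so an over-read is reported as a fault instead of touching memory the way an emulator's instruction fetch would raise an exception), tally the outcomes, and count invariant violations as failures. The decoder is a toy 32-bit one covering only a handful of opcodes; the names fetch, decode, fuzz_run and struct stats, the xorshift seed and the counter names are assumptions for this example, modelled loosely on the test output above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_INSN 15 /* architectural maximum x86 instruction length */

/* Bounds-checked byte source: a read past the bytes the fuzzer generated is
 * a fault, as an emulator's fetch would raise rather than touch unmapped memory. */
struct fetcher { const uint8_t *buf; size_t len, pos; };

static int fetch(struct fetcher *f, uint8_t *out)
{
    if (f->pos >= f->len) return -1;
    *out = f->buf[f->pos++];
    return 0;
}

static int skip(struct fetcher *f, size_t n)
{
    uint8_t b;
    while (n--) if (fetch(f, &b)) return -1;
    return 0;
}

/* ModRM, optional SIB and displacement, 32-bit addressing mode (toy decoder). */
static int decode_modrm(struct fetcher *f)
{
    uint8_t modrm, sib;
    if (fetch(f, &modrm)) return -1;
    unsigned mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return 0;                        /* register operand */
    if (rm == 4) {                                 /* SIB byte follows */
        if (fetch(f, &sib)) return -1;
        if (mod == 0 && (sib & 7) == 5) return skip(f, 4); /* no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        return skip(f, 4);                         /* [disp32] */
    }
    return skip(f, mod == 1 ? 1 : mod == 2 ? 4 : 0);
}

enum outcome { DECODED, UNDECODABLE, FAULT };
/* Decode one instruction from buf[0..n); on DECODED, *len is the bytes consumed. */
static enum outcome decode(const uint8_t *buf, size_t n, size_t *len)
{
    struct fetcher f = { buf, n, 0 };
    uint8_t op;
    int rc;
    do {                                           /* legacy prefixes */
        if (fetch(&f, &op)) return FAULT;
    } while (op == 0x66 || op == 0x67 || op == 0xF0 || op == 0xF2 || op == 0xF3 ||
             op == 0x26 || op == 0x2E || op == 0x36 || op == 0x3E || op == 0x64 || op == 0x65);
    if (op == 0x90 || op == 0xC3 || (op >= 0x50 && op <= 0x5F))
        rc = 0;                                    /* nop, ret, push/pop r32 */
    else if ((op >= 0xB8 && op <= 0xBF) || op == 0x05 || op == 0x2D || op == 0x3D)
        rc = skip(&f, 4);                          /* mov r32,imm32; add/sub/cmp eax,imm32 */
    else if (op == 0x01 || op == 0x03 || op == 0x39 || op == 0x89 || op == 0x8B)
        rc = decode_modrm(&f);                     /* add/cmp/mov with r/m32 */
    else if (op == 0x0F) {                         /* two-byte map: imul, cmovcc only */
        if (fetch(&f, &op)) return FAULT;
        if (op != 0xAF && (op < 0x40 || op > 0x4F)) return UNDECODABLE;
        rc = decode_modrm(&f);
    } else
        return UNDECODABLE;
    if (rc) return FAULT;
    *len = f.pos;
    return DECODED;
}

struct stats { unsigned long instructions, decoded, undecodable, faults, failures; };
static uint32_t rnd(uint32_t *s)                   /* xorshift32, reproducible from a seed */
{ uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }

/* Fuzz loop: synthesize 1..15 random bytes per iteration, decode them and tally
 * the outcome. A failure is an invariant violation, here the decoder reporting
 * a length that covers bytes it was never given. */
struct stats fuzz_run(unsigned long iterations, uint32_t seed)
{
    struct stats st = {0};
    uint8_t buf[MAX_INSN];
    if (!seed) seed = 1;                           /* xorshift must not start at zero */
    for (; st.instructions < iterations; st.instructions++) {
        size_t n = 1 + rnd(&seed) % MAX_INSN, len = 0;
        for (size_t i = 0; i < n; i++) buf[i] = rnd(&seed) & 0xFF;
        switch (decode(buf, n, &len)) {
        case DECODED:     st.decoded++; if (len == 0 || len > n) st.failures++; break;
        case UNDECODABLE: st.undecodable++; break;
        case FAULT:       st.faults++; break;
        }
    }
    return st;
}

int main(void)
{
    struct stats st = fuzz_run(1000000, 2011);   /* constructed seed; any nonzero value works */
    printf("instructions: %lu\ndecoded: %lu\nundecodable: %lu\nfaults: %lu\nfailures: %lu\n",
           st.instructions, st.decoded, st.undecodable, st.faults, st.failures);
    return st.failures != 0;
}
```

The point of the bounds-checked fetcher is the same one the kernel test relies on: the decoder is never allowed to read beyond the synthesized bytes, so any out-of-range access shows up as a counted fault or failure rather than a silent over-read, and a fixed seed makes a failing run reproducible.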