On 08/22/2011 10:41 AM, Avi Kivity wrote:
As it is exposed directly to guest code, the x86 emulator is an interesting
target for exploiters: a vulnerability may lead to compromise of the entire
host.
In an attempt to catch vulnerabilities before they make it into production
code, this patchset adds a fuzz tester for the emulator. Instructions
are synthesized and fed into the emulator; a vulnerability will usually
result in an access violation.
I tried to make the emulator test build an run in userspace; this proved too
difficult, so the test is built as part of the kernel. It can still be run
in userspace, via KVM:
qemu -enable-kvm -smp 4 -serial stdio -kernel bzImage \
-append 'console=ttyS0 test_emulator.iterations=1000000000'
...
starting emulator test
emulator fuzz test results
instructions: 1000000000
decoded: 94330032
emulated: 92529152
nofault: 117
failures: 0
emulator test: PASS
...
One billion random instructions failed to find a vulnerability, so either
the emulator is really good, or the test is really bad, or we need a lot more
runtime.
Lucas, how would we go about integrating this into kvm-autotest?
I'm thinking about it. Some ideas that come to my mind:
1) Create a test that boots a bzImage with the emulator params. This way
we could:
a) Use the bzImage built for the host, on our daily upstream jobs, or
b) We can simply have a step that compiles a kernel tree, provided
that your patch is present there and then pass the bzImage to qemu-kvm.
I'm currently trying out b) manually to get a grasp of how this would work.
Cheers,
Lucas
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
