NecoFuzz: Effective Fuzzing of Nested Virtualization via Fuzz-Harness Virtual Machines

Reima Ishii, Takaaki Fukai, Takahiro Shinagawa

TL;DR

NecoFuzz presents the first framework specifically designed to fuzz nested virtualization by generating complete fuzz-harness VMs guided by hardware specifications, thereby targeting the security-critical boundary between valid and invalid VM states. It combines a VM execution harness, VM state validator, and vCPU configurator to explore diverse, near-boundary configurations on Intel VT-x and AMD-V, reaching 84.7% (Intel) and 74.2% (AMD) coverage of nested virtualization-specific code and uncovering six previously unknown vulnerabilities, two with assigned CVEs, across KVM, Xen, and VirtualBox. The approach is hypervisor-independent and practically effective, suggesting a scalable direction for hardening cloud infrastructure against nested-virtualization threats: a hardware-grounded methodology for systematically probing a previously under-explored attack surface.

Abstract

Nested virtualization is now widely supported by major cloud vendors, allowing users to leverage virtualization-based technologies in the cloud. However, supporting nested virtualization significantly increases host hypervisor complexity and introduces a new attack surface in cloud platforms. While many prior studies have explored hypervisor fuzzing, none has explicitly addressed nested virtualization due to the challenge of generating effective virtual machine (VM) instances with a vast state space as fuzzing inputs. We present NecoFuzz, the first fuzzing framework that systematically targets nested virtualization-specific logic in hypervisors. NecoFuzz synthesizes executable fuzz-harness VMs with internal states near the boundary between valid and invalid, guided by an approximate model of hardware-assisted virtualization specifications. Since vulnerabilities in nested virtualization often stem from incorrect handling of unexpected VM states, this specification-guided, boundary-oriented generation significantly improves coverage of security-critical code across different hypervisors. We implemented NecoFuzz on Intel VT-x and AMD-V by extending AFL++ to support fuzz-harness VMs. NecoFuzz achieved 84.7% and 74.2% code coverage for nested virtualization-specific code on Intel VT-x and AMD-V, respectively, and uncovered six previously unknown vulnerabilities across three hypervisors, including two assigned CVEs.
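As an added illustration (not code from the NecoFuzz paper or its artifact), the following Python models the two ideas the abstract describes: a VM state validator that encodes a handful of the Intel SDM VM-entry checks on guest CR0/CR4, and boundary-oriented generation that enumerates the one-bit neighbours of a known-valid state and sorts them into still-valid and just-invalid ones. The FIXED0/FIXED1 masks, the baseline state, and the byte-to-flip mapping in `configure` are constructed assumptions; the paper's validator models far more of the specification than the five rules here.

```python
"""Toy model of a VM state validator plus boundary-oriented state generation.

Added example, not NecoFuzz's code. It encodes a small subset of the Intel SDM
VM-entry checks on guest CR0/CR4 and shows how single-bit neighbours of a valid
state land on the valid/invalid boundary. The FIXED0/FIXED1 masks are constructed
stand-ins for the IA32_VMX_CR{0,4}_FIXED{0,1} MSRs (0x486-0x489); a real harness
reads them with rdmsr on the host it targets.
"""
from dataclasses import dataclass, replace

# Architectural bit positions in CR0 / CR4.
CR0_PE, CR0_NE, CR0_PG = 1 << 0, 1 << 5, 1 << 31
CR4_PAE, CR4_VMXE, CR4_PCIDE = 1 << 5, 1 << 13, 1 << 17

# Constructed stand-ins for the VMX fixed-bit MSRs (shaped like typical values):
# bits set in FIXED0 must be 1 in the guest register, bits clear in FIXED1 must be 0.
CR0_FIXED0, CR0_FIXED1 = CR0_PE | CR0_NE | CR0_PG, 0xFFFF_FFFF
CR4_FIXED0, CR4_FIXED1 = CR4_VMXE, 0x003F_27FF
MASK32 = 0xFFFF_FFFF  # simplification: the toy treats CR0/CR4 as 32-bit registers
# A flip index selects cr0 bit 0-31, cr4 bit 32-63, or (64) the entry control.
N_FLIPS = 65


@dataclass(frozen=True)
class GuestState:
    cr0: int
    cr4: int
    entry_ia32e: bool         # VM-entry control "IA-32e mode guest"
    unrestricted_guest: bool  # secondary processor-based control


def fixed_bits_ok(value, fixed0, fixed1):
    return (value & fixed0) == fixed0 and (value & MASK32 & ~fixed1) == 0


def validate(s):
    """Return the list of violated checks; an empty list means VM entry would succeed.
    Rules follow the SDM checks on guest control registers, but only for CR0/CR4."""
    errs = []
    cr0_fixed0 = CR0_FIXED0
    if s.unrestricted_guest:  # PE and PG are not enforced under unrestricted guest
        cr0_fixed0 &= ~(CR0_PE | CR0_PG)
    if not fixed_bits_ok(s.cr0, cr0_fixed0, CR0_FIXED1):
        errs.append("cr0_fixed_bits")
    if not fixed_bits_ok(s.cr4, CR4_FIXED0, CR4_FIXED1):
        errs.append("cr4_fixed_bits")
    if s.cr0 & CR0_PG and not s.cr0 & CR0_PE:
        errs.append("cr0_pg_without_pe")
    if s.entry_ia32e:
        if not (s.cr0 & CR0_PG and s.cr4 & CR4_PAE):
            errs.append("ia32e_requires_pg_and_pae")
    elif s.cr4 & CR4_PCIDE:
        errs.append("pcide_requires_ia32e")
    return errs


def flip(s, idx):
    """Toggle one modelled bit of the state; idx is what a fuzzer byte selects."""
    if idx < 32:
        return replace(s, cr0=s.cr0 ^ (1 << idx))
    if idx < 64:
        return replace(s, cr4=s.cr4 ^ (1 << (idx - 32)))
    return replace(s, entry_ia32e=not s.entry_ia32e)


def hamming(a, b):
    """Hamming distance between two states over the modelled fields."""
    return (bin(a.cr0 ^ b.cr0).count("1") + bin(a.cr4 ^ b.cr4).count("1")
            + (a.entry_ia32e != b.entry_ia32e)
            + (a.unrestricted_guest != b.unrestricted_guest))


def boundary_split(valid_state):
    """Partition the distance-1 neighbours of a valid state into still-valid and
    just-invalid ones; the second group is the boundary the hypervisor must reject."""
    assert not validate(valid_state)
    still_valid, just_invalid = [], []
    for idx in range(N_FLIPS):
        n = flip(valid_state, idx)
        (just_invalid if validate(n) else still_valid).append((idx, n))
    return still_valid, just_invalid


def configure(base, data):
    """vCPU-configurator stand-in: each fuzz-input byte picks one flip (assumed mapping)."""
    s = base
    for b in data:
        s = flip(s, b % N_FLIPS)
    return s


# Constructed baseline: 64-bit guest with PE|NE|PG and VMXE|PAE, unrestricted guest off.
BASE = GuestState(cr0=CR0_PE | CR0_NE | CR0_PG, cr4=CR4_VMXE | CR4_PAE,
                  entry_ia32e=True, unrestricted_guest=False)

if __name__ == "__main__":
    ok, bad = boundary_split(BASE)
    print(f"{len(ok)} valid and {len(bad)} invalid one-bit neighbours of the baseline")
    for idx, s in bad[:5]:
        print(f"flip {idx:2d}: distance {hamming(BASE, s)} -> {validate(s)}")
```

The point of `boundary_split` is the one the abstract makes: every state in the just-invalid list is a single bit away from a state the hardware would accept, so an L0 hypervisor emulating VM entry for L1 must reject it for exactly one reason, and an emulator that forgets one rule (or applies it only when unrestricted guest is off) lets the state through. A real fuzzer would read the fixed-bit MSRs from the host rather than use the constants above, and would cover segment, MSR, and control-field checks as well.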

Paper Structure

This paper contains 43 sections, 5 figures, 6 tables.

Figures (5)

  • Figure 1: Nested virtualization. The L0 hypervisor uses hardware-assisted virtualization and emulates it for the L1 hypervisor. L0 uses two VMCSs: VMCS01 for L1 and VMCS02 for L2, while L1 maintains VMCS12 for L2.
  • Figure 2: A design overview of NecoFuzz. The VM generator consists of three components: (1) VM execution harness, (2) VM state validator, and (3) vCPU configurator. The fuzzer supplies fuzzing input to each component.
  • Figure 3: Code coverage transition over 48 hours for nested virtualization-specific code. (a) Intel, (b) AMD. IRIS indicates the maximum coverage at termination. Statistical significance: Intel ($p < 0.05$), AMD ($p < 0.05$).
  • Figure 4: Breakdown of code coverage contribution for each VM generator component in NecoFuzz. (a) Intel, (b) AMD.
  • Figure 5: Distribution of VM states. The violin plot shows the Hamming distance distribution, with the mean and standard deviation indicated.