Nested virtualization is becoming increasingly popular, with major cloud vendors now offering support for this technology. It allows users to run virtual machines (VMs) within other VMs, opening up new possibilities for cloud-based virtualization. However, this increased flexibility comes with a significant downside: it greatly complicates the host hypervisor and introduces a new attack surface in cloud platforms.
The complexity of nested virtualization has made it a challenging area for security researchers. While hypervisor fuzzing, a technique that uncovers vulnerabilities by feeding a target malformed or unexpected inputs, has been explored extensively, no prior studies have specifically targeted nested virtualization. The main obstacle has been the vast state space of VMs, which makes it difficult to generate effective fuzzing inputs.
Enter NecoFuzz, a groundbreaking fuzzing framework that systematically targets nested virtualization-specific logic in hypervisors. Developed by researchers Reima Ishii, Takaaki Fukai, and Takahiro Shinagawa, NecoFuzz synthesizes executable fuzz-harness VMs whose internal states lie on the boundary between valid and invalid. Synthesis is guided by an approximate model of hardware-assisted virtualization specifications.
The rationale behind this approach is that vulnerabilities in nested virtualization often stem from the incorrect handling of unexpected VM states. By focusing on this boundary, NecoFuzz significantly improves the coverage of security-critical code across different hypervisors.
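To make the boundary idea concrete, here is an added illustration (not NecoFuzz's own code) of a toy generator over an approximate specification model. It assumes a simplified model in which each 32-bit control field has bits the specification requires to be 1 and bits it requires to be 0; the field names and masks below are constructed for illustration, not real capability values. From one valid state it derives every single-bit step across the valid/invalid boundary.

```python
"""Boundary-state synthesis from an approximate spec model (added example).
Field names and masks are constructed, not real VMX/SVM values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import random

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class FieldSpec:
    """Approximate model of one 32-bit control field."""
    name: str
    must1: int   # bits the specification requires to be set
    must0: int   # bits the specification requires to be clear

    def __post_init__(self):
        # A bit cannot be both required-set and required-clear.
        assert (self.must1 & self.must0) == 0, f"{self.name}: contradictory model"


def is_valid(spec: FieldSpec, value: int) -> bool:
    """Valid iff all must-1 bits are set and no must-0 bit is set."""
    return (value & spec.must1) == spec.must1 and (value & spec.must0) == 0


def random_valid(spec: FieldSpec, rng: random.Random) -> int:
    """Pick a valid value: fix the constrained bits, randomize the free ones."""
    free = ~(spec.must1 | spec.must0) & MASK32
    return spec.must1 | (rng.getrandbits(32) & free)


def boundary_states(spec: FieldSpec, base: int) -> List[Tuple[str, int]]:
    """From a valid base, flip exactly one constrained bit per candidate, so
    each result is invalid but as close as possible to a valid state."""
    assert is_valid(spec, base)
    out: List[Tuple[str, int]] = []
    for bit in range(32):
        m = 1 << bit
        if spec.must1 & m:
            out.append((f"{spec.name}: clear must-1 bit {bit}", base & ~m & MASK32))
        elif spec.must0 & m:
            out.append((f"{spec.name}: set must-0 bit {bit}", base | m))
    return out


def synthesize_harness_states(specs: List[FieldSpec], seed: int = 0) -> Dict[str, List[Tuple[str, int]]]:
    """One valid base plus all boundary neighbours, per modelled field."""
    rng = random.Random(seed)
    return {s.name: [("valid base", b)] + boundary_states(s, b)
            for s in specs for b in [random_valid(s, rng)]}


# Constructed model of two hypothetical control fields (masks are made up).
MODEL = [FieldSpec("ctl_a", must1=0x00000016, must0=0xFFFFFF00),
         FieldSpec("ctl_b", must1=0x0401E172, must0=0x00000001)]
```

Each field yields one valid state and one candidate per constrained bit, which a harness could install into a nested VM's control state to probe how the host hypervisor handles inputs just past the specification's edge.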
The researchers implemented NecoFuzz on Intel VT-x and AMD-V by extending AFL++, a popular fuzzing tool. The results were impressive: NecoFuzz achieved 84.7% and 74.2% code coverage for nested virtualization-specific code on Intel VT-x and AMD-V, respectively. Moreover, it uncovered six previously unknown vulnerabilities across three hypervisors, including two that were assigned Common Vulnerabilities and Exposures (CVE) identifiers.
This research is a significant step forward in the field of hypervisor security. By specifically targeting nested virtualization, NecoFuzz has demonstrated the potential to uncover vulnerabilities that other fuzzing techniques might miss. As nested virtualization continues to gain traction in the cloud, tools like NecoFuzz will be increasingly important for ensuring the security of these complex systems.