Symposium sur la sécurité des technologies de l'information et des communications

Hypervisors are complex software which may require the reimplementation of legacy stacks. On Microsoft Hyper-V virtual machines (generation 1), some devices are emulated in the userland of its root partition. To explore this attack surface, a specifically crafted open source toolchain called Hyntrospect has been developed. It aims at helping find vulnerabilities in a pragmatic way: by taking benefits of existing Hyper-V and Windows capabilities and tools to perform coverage-guided fuzzing on Hyper-V closed-source binaries. That approach was inspired by previous experiences with libFuzzer, a publication by Microsoft on their fuzzing campaign, and other research conducted on the topic. The specificity of that tool is to rely on debugging and as a consequence to run in a real environment. It was also written in the perspective of putting together techniques that could be ported in the future to other Hyper-V root partition’s userland targets.