DevConf.US 2020 is the 3rd annual, free, Red Hat sponsored technology conference for community project and professional contributors to Free and Open Source technologies coming to a web browser near you!
The market for public cloud platforms is valued in the hundreds of billions of dollars. Hypervisors form the backbone of the cloud and are, therefore, security-critical applications which are attractive targets for attackers. Fuzzing is a widely-adopted technique for automated software testing based on randomly-provided inputs. As testament to their success, fuzzers have found thousands of bugs in the Linux kernel. Unfortunately, it is difficult to apply simple fuzzing techniques to the virtualization-layer, as hypervisors expose a massive input space which includes the entirety of the VM's memory. In this talk, I will present my research on making cloud virtual devices amenable to fuzzing. I will explain how we implemented fuzzing for the popular open-source QEMU hypervisor, where it has already led to dozens of bugs reports.