* [qemu-web PATCH] Add device fuzzing blog post
From: Stefan Hajnoczi @ 2019-11-07  9:11 UTC
  To: qemu-devel
  Cc: Thomas Huth, megele, Alexander Oleinik, bsd, Stefan Hajnoczi,
	Paolo Bonzini

This blog post covers the device fuzzing GSoC project that Alexander
Oleinik did in 2019.

Cc: Alexander Oleinik <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 _posts/2019-11-07-device-fuzzing.md |  73 ++++++++++++++++++++++++++++
 screenshots/fuzzing-intro.png       | Bin 0 -> 66276 bytes
 screenshots/fuzzing.png             | Bin 0 -> 100281 bytes
 3 files changed, 73 insertions(+)
 create mode 100644 _posts/2019-11-07-device-fuzzing.md
 create mode 100644 screenshots/fuzzing-intro.png
 create mode 100644 screenshots/fuzzing.png

diff --git a/_posts/2019-11-07-device-fuzzing.md b/_posts/2019-11-07-device-fuzzing.md
new file mode 100644
index 0000000..2881068
--- /dev/null
+++ b/_posts/2019-11-07-device-fuzzing.md
@@ -0,0 +1,73 @@
+---
+layout: post
+title:  "Fuzzing QEMU Device Emulation"
+date:   2019-11-07 07:50:00 +0200
+categories: [fuzzing, gsoc, internships]
+---
+QEMU (https://www.qemu.org/) emulates a large number of network cards, disk
+controllers, and other devices needed to simulate a virtual computer system,
+called the "guest".
+
+The guest is untrusted and QEMU may even be used to run malicious
+software, so it is important that bugs in emulated devices do not
+allow the guest to compromise QEMU and escape the confines of the
+guest. For this reason a Google Summer of Code project was undertaken
+to develop fuzz tests for emulated devices.
+
+![QEMU device emulation attack surface](/screenshots/fuzzing-intro.png)
+
+Fuzzing is a testing technique that feeds random inputs to a program
+in order to trigger bugs. Random inputs can be generated quickly
+without relying on human guidance and this makes fuzzing an automated
+testing approach.
+
+## Device Fuzzing
+Emulated devices are exposed to the guest through a set of registers
+and also through data structures located in guest RAM that are
+accessed by the device in a process known as Direct Memory Access
+(DMA). Fuzzing emulated devices involves mapping random inputs to the
+device registers and DMA memory structures in order to explore code
+paths in QEMU's device emulation code.
+
+![Device fuzzing overview](/screenshots/fuzzing.png)
+
+Fuzz testing discovered an assertion failure in the virtio-net network
+card emulation code in QEMU that can be triggered by a guest. Fixing
+such bugs is usually easy once fuzz testing has generated a reproducer.
+
+Modern fuzz testing intelligently selects random inputs such that new
+code paths are explored and previously-tested code paths are not
+tested repeatedly. This is called coverage-guided fuzzing and
+involves an instrumented program executable so the fuzzer can detect
+the code paths that are taken for a given input. This was
+surprisingly effective at automatically exploring the input space of
+emulated devices in QEMU without requiring the fuzz test author to
+provide detailed knowledge of device internals.
+
+## How Fuzzing was Integrated into QEMU
+Device fuzzing in QEMU is driven by the open source libfuzzer library
+(https://llvm.org/docs/LibFuzzer.html). A special build of QEMU
+includes device emulation fuzz tests and launches without running a
+normal guest. Instead the fuzz test directly programs device
+registers and stores random data into DMA memory structures.
+
+The next step for the QEMU project will be to integrate fuzzing into
+Google's OSS-Fuzz (https://google.github.io/oss-fuzz/) continuous
+fuzzing service. This will ensure that fuzz tests are automatically
+run after new code is merged into QEMU and bugs are reported to the
+community.
+
+## Conclusion
+Fuzzing emulated devices has already revealed bugs in QEMU that would
+have been time-consuming to find through manual testing approaches.
+So far only a limited number of devices have been fuzz-tested and we
+hope to increase this number now that the foundations have been laid.
+The goal is to integrate these fuzz tests into OSS-Fuzz so that fuzz
+testing happens continuously.
+
+This project would not have been possible without Google's generous
+funding of Google Summer of Code. Alexander Oleinik developed the
+fuzzing code and was mentored by Bandan Das, Paolo Bonzini, and Stefan
+Hajnoczi.
+
+This article was contributed by Stefan Hajnoczi and Alexander Oleinik.
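Review bot: the paragraph at `+Fuzz testing discovered an assertion failure in the virtio-net network` names a guest-triggerable bug but gives readers no way to find it; link the fixing commit or the qemu-devel thread (placeholder: `[fix](https://PLACEHOLDER)`) and say whether the fix has shipped in a release, since an assertion failure reachable from the guest aborts the QEMU process and so is a guest-triggered denial of service of that VM until it is fixed. Smaller points in the same hunk: the LLVM documentation spells the project `libFuzzer`, not `libfuzzer` (`+Device fuzzing in QEMU is driven by the open source libfuzzer library`), and the bare URLs in parentheses would read better as markdown links, e.g. `[libFuzzer](https://llvm.org/docs/LibFuzzer.html)` and `[OSS-Fuzz](https://google.github.io/oss-fuzz/)`.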
diff --git a/screenshots/fuzzing-intro.png b/screenshots/fuzzing-intro.png
new file mode 100644
index 0000000..e130027
Binary files /dev/null and b/screenshots/fuzzing-intro.png differ
diff --git a/screenshots/fuzzing.png b/screenshots/fuzzing.png
new file mode 100644
index 0000000..2f15ecb
Binary files /dev/null and b/screenshots/fuzzing.png differ
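Review bot: both PNG regions (`Binary files /dev/null and b/screenshots/fuzzing-intro.png differ` and the same line for `fuzzing.png`) carry no content, so the patch cannot be applied as posted and the two image references in the post would be dangling; regenerate the series with `git format-patch --binary` so the blobs are embedded, or point reviewers at a branch that contains them.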
-- 
2.23.0




* Re: [qemu-web PATCH] Add device fuzzing blog post
From: Thomas Huth @ 2019-11-07  9:41 UTC
  To: Stefan Hajnoczi; +Cc: megele, bsd, Paolo Bonzini, qemu-devel, Alexander Oleinik

----- Original Message -----
> From: "Stefan Hajnoczi" <stefanha@redhat.com>
> Sent: Thursday, November 7, 2019 10:11:36 AM
> 
> This blog post covers the device fuzzing GSoC project that Alexander
> Oleinik did in 2019.
[...]
> +This article was contributed by Stefan Hajnoczi and Alexander Oleinik.

You could also use the "author:" field in the header for this.

> diff --git a/screenshots/fuzzing-intro.png b/screenshots/fuzzing-intro.png
> new file mode 100644
> index 0000000..e130027
> Binary files /dev/null and b/screenshots/fuzzing-intro.png differ
> diff --git a/screenshots/fuzzing.png b/screenshots/fuzzing.png
> new file mode 100644
> index 0000000..2f15ecb
> Binary files /dev/null and b/screenshots/fuzzing.png differ

Seems like the images are missing ... can you please attach them?

 Thanks,
  Thomas




* Re: [qemu-web PATCH] Add device fuzzing blog post
From: Stefan Hajnoczi @ 2019-11-07 15:48 UTC
  To: Thomas Huth
  Cc: Manuel Egele, qemu-devel, Alexander Oleinik, Bandan Das,
	Stefan Hajnoczi, Paolo Bonzini

On Thu, Nov 7, 2019 at 10:43 AM Thomas Huth <thuth@redhat.com> wrote:
>
> ----- Original Message -----
> > From: "Stefan Hajnoczi" <stefanha@redhat.com>
> > Sent: Thursday, November 7, 2019 10:11:36 AM
> >
> > This blog post covers the device fuzzing GSoC project that Alexander
> > Oleinik did in 2019.
> [...]
> > +This article was contributed by Stefan Hajnoczi and Alexander Oleinik.
>
> You could also use the "author:" field in the header for this.
>
> > diff --git a/screenshots/fuzzing-intro.png b/screenshots/fuzzing-intro.png
> > new file mode 100644
> > index 0000000..e130027
> > Binary files /dev/null and b/screenshots/fuzzing-intro.png differ
> > diff --git a/screenshots/fuzzing.png b/screenshots/fuzzing.png
> > new file mode 100644
> > index 0000000..2f15ecb
> > Binary files /dev/null and b/screenshots/fuzzing.png differ
>
> Seems like the images are missing ... can you please attach them?

The commit is available with .png files here:
https://github.com/stefanha/qemu-web/commit/49efe1b254460a92c6348e1981caf3e1320782f8

I moved the authorship information into the author: field.

Thanks,
Stefan



* Re: [qemu-web PATCH] Add device fuzzing blog post
From: Thomas Huth @ 2019-11-12 11:39 UTC
  To: Stefan Hajnoczi
  Cc: Manuel Egele, qemu-devel, Alexander Oleinik, Bandan Das,
	Stefan Hajnoczi, Paolo Bonzini

On 07/11/2019 16.48, Stefan Hajnoczi wrote:
> On Thu, Nov 7, 2019 at 10:43 AM Thomas Huth <thuth@redhat.com> wrote:
>>
>> ----- Original Message -----
>>> From: "Stefan Hajnoczi" <stefanha@redhat.com>
>>> Sent: Thursday, November 7, 2019 10:11:36 AM
>>>
>>> This blog post covers the device fuzzing GSoC project that Alexander
>>> Oleinik did in 2019.
[...]
>> Seems like the images are missing ... can you please attach them?
> 
> The commit is available with .png files here:
> https://github.com/stefanha/qemu-web/commit/49efe1b254460a92c6348e1981caf3e1320782f8
> 
> I moved the authorship information into the author: field.

The article is online now:

 https://www.qemu.org/2019/11/07/device-fuzzing/

Thanks,
 Thomas




* Re: [qemu-web PATCH] Add device fuzzing blog post
From: Stefan Hajnoczi @ 2019-11-21 12:51 UTC
  To: Thomas Huth
  Cc: Manuel Egele, qemu-devel, Alexander Oleinik, Bandan Das,
	Stefan Hajnoczi, Paolo Bonzini


On Tue, Nov 12, 2019 at 12:39:49PM +0100, Thomas Huth wrote:
> On 07/11/2019 16.48, Stefan Hajnoczi wrote:
> > On Thu, Nov 7, 2019 at 10:43 AM Thomas Huth <thuth@redhat.com> wrote:
> >>
> >> ----- Original Message -----
> >>> From: "Stefan Hajnoczi" <stefanha@redhat.com>
> >>> Sent: Thursday, November 7, 2019 10:11:36 AM
> >>>
> >>> This blog post covers the device fuzzing GSoC project that Alexander
> >>> Oleinik did in 2019.
> [...]
> >> Seems like the images are missing ... can you please attach them?
> > 
> > The commit is available with .png files here:
> > https://github.com/stefanha/qemu-web/commit/49efe1b254460a92c6348e1981caf3e1320782f8
> > 
> > I moved the authorship information into the author: field.
> 
> The article is online now:
> 
>  https://www.qemu.org/2019/11/07/device-fuzzing/

Thank you!

Stefan


