Testing System Virtual Machines

Similar documents
Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Distributed Systems COMP 212. Lecture 18 Othon Michail

A Survey on Virtualization Technologies

Virtualization. Adam Belay

Virtualization. Pradipta De

Module 1: Virtualization. Types of Interfaces

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

W4118: virtual machines

references Virtualization services Topics Virtualization

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors. Pedro Fonseca, Xi Wang, Arvind Krishnamurthy

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

Chapter 5 B. Large and Fast: Exploiting Memory Hierarchy

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Introduction to Virtual Machines. Carl Waldspurger (SB SM 89 PhD 95) VMware R&D

Chapter 5 C. Virtual machines

Mechanisms for entering the system

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Virtual machines are an interesting extension of the virtual-memory concept: not only do we give processes the illusion that they have all of memory

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

COS 318: Operating Systems

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

CS5460: Operating Systems. Lecture: Virtualization. Anton Burtsev March, 2013

Conqueror: tamper-proof code execution on legacy systems

CS370 Operating Systems

Lecture 5. KVM for ARM. Christoffer Dall and Jason Nieh. 5 November, Operating Systems Practical. OSP Lecture 5, KVM for ARM 1/42

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

Learning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

KVM CPU MODEL IN SYSCALL EMULATION MODE ALEXANDRU DUTU, JOHN SLICE JUNE 14, 2015

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

CSE543 - Computer and Network Security Module: Virtualization

Xen and the Art of Virtualization

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

CIS Operating Systems CPU Mode. Professor Qiang Zeng Spring 2018

Virtual Memory. Patterson & Hennessey Chapter 5 ELEC 5200/6200 1

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

Introduction Construction State of the Art. Virtualization. Bernhard Kauer OS Group TU Dresden Dresden,

CrashOS: Hypervisor testing tool

LINUX Virtualization. Running other code under LINUX

COS 318: Operating Systems

1 Virtualization Recap

Virtualization and Virtual Machines. CS522 Principles of Computer Systems Dr. Edouard Bugnion


Operating Systems 4/27/2015

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

CSE543 - Computer and Network Security Module: Virtualization

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Virtual Memory. Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University

The Future of Virtualization

CS 550 Operating Systems Spring Introduction to Virtual Machines

CS 5600 Computer Systems. Lecture 11: Virtual Machine Monitors

CSE 120 Principles of Operating Systems

Computer Architecture Background

Dan Noé University of New Hampshire / VeloBit

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

Virtual Machine Security

Virtualization and memory hierarchy

Protection and System Calls. Otto J. Anshus

DISCO and Virtualization

Cloud and Datacenter Networking

A Software Solution for Hardware Vulnerabilities

Virtualization History and Future Trends

Chap.6 Limited Direct Execution. Dongkun Shin, SKKU

[537] Virtual Machines. Tyler Harter

CSE543 - Computer and Network Security Module: Virtualization

Administrivia. Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But us:

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Computer Systems Engineering: Spring Quiz I Solutions

Advanced Operating Systems (CS 202) Virtualization

Chapter 5 (Part II) Large and Fast: Exploiting Memory Hierarchy. Baback Izadi Division of Engineering Programs

Virtual Machine Monitors!

Xen is not just paravirtualization

Darek Mihocka, Emulators.com Stanislav Shwartsman, Intel Corp. June

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

Mechanisms and constructs for System Virtualization

CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives

Linux and Xen. Andrea Sarro. andrea.sarro(at)quadrics.it. Linux Kernel Hacking Free Course IV Edition

CHAPTER 16 - VIRTUAL MACHINES

Virtual Machines and Dynamic Translation: Implementing ISAs in Software

Secure Containers with EPT Isolation

ECE 331 Hardware Organization and Design. UMass ECE Discussion 11 4/12/2018

CS 252 Graduate Computer Architecture. Lecture 15: Virtual Machines

T Jarkko Turkulainen, F-Secure Corporation

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

Hardware OS & OS- Application interface

Virtualisation: The KVM Way. Amit Shah

x86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

Lecture 5: February 3

CS370: Operating Systems [Spring 2016] Dept. Of Computer Science, Colorado State University

Virtualization. Guillaume Urvoy-Keller UNS/I3S

BOOTSTRAP, PC BIOS, AND IA32 MEMORY MODES. CS124 Operating Systems Winter , Lecture 5

A fistful of red-pills: How to automatically generate procedures to detect CPU emulators

Intel VMX technology

Transcription:

Testing System Virtual Machines Lorenzo Martignoni 1 Roberto Paleari 2 Giampaolo Fresi Roglia 2 Danilo Bruschi 2 1 Università degli Studi di Udine 2 Università degli Studi di Milano International Conference on Software Testing and Analysis (ISSTA 2010)

Virtual machines An efficient, isolated duplicate of a real machine Popek & Goldberg L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 2

System virtual machines L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 3

System virtual machines A system virtual machine provides a complete system platform which supports the execution of a complete operating system Typically used for: Resources consolidation (e.g., VPS) System integration Development Performance is essential! L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 3

Emulation and native execution Emulation: the environment offered by the physical CPU is simulated by emulating all the instructions Native execution: the environment is simulated by executing as much code as possible directly as-is on the host and by using emulation when that is not possible The trick used to natively run guest code efficiently is to execute both user and system code of the guest on the host, in user-mode Emulation is then used to execute only instructions of the system code that cannot be executed natively on the host L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 4

Popek & Goldberg requirements for efficient virtualization Privileged instruction: an instruction that traps when executed in user-mode and does not when executed in system-mode Sensitive instruction: an instruction that changes the configuration of the resources in the system or whose behavior depends on the configuration of the resources Recall that the trick used by native execution is to execute both user and system code of the guest on the host, in user-mode L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 5

Popek & Goldberg requirements for efficient virtualization Privileged instruction: an instruction that traps when executed in user-mode and does not when executed in system-mode Sensitive instruction: an instruction that changes the configuration of the resources in the system or whose behavior depends on the configuration of the resources Privileged instructions Sensitive instructions All instructions All sensitive instructions trap and can be easily intercepted and emulated L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 5

Popek & Goldberg requirements for efficient virtualization Privileged instruction: an instruction that traps when executed in user-mode and does not when executed in system-mode Sensitive instruction: an instruction that changes the configuration of the resources in the system or whose behavior depends on the configuration of the resources Privileged instructions Sensitive instructions All instructions The code must be statically analyzed and patched to ensure that all sensitive instructions can be intercepted L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 5

Intel x86 is not virtualization friendly The Intel x86 instruction set of the Pentium processor contains 17 sensitive, but not privileged instructions! L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 6

Intel x86 is not virtualization friendly The Intel x86 instruction set of the Pentium processor contains 17 sensitive, but not privileged instructions! An Intel x86 VM based on native execution is as complex as one based on emulation, and prone to the same kind of problems L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 6

Intel x86 is not virtualization friendly The Intel x86 instruction set of the Pentium processor contains 17 sensitive, but not privileged instructions! An Intel x86 VM based on native execution is as complex as one based on emulation, and prone to the same kind of problems New Intel x86 CPUs provide hardware facilities for virtualization (VT-x), but traditional native execution is still widely in use L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 6

What could go wrong if? No kidding, the risk is real! L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 7

What could go wrong if? CVE-2009-2267 VMware Workstation 6.5.x..., when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register. Found by Tavis Ormandy & Julien Tinnes CVE-2009-1542 The Virtual Machine Monitor (VMM) in Microsoft Virtual PC..., does not enforce CPU privilege-level requirements for all machine instructions, which allows guest OS users to execute arbitrary kernel-mode code and gain privileges within the guest OS via a crafted application,... Found by Tavis Ormandy & Julien Tinnes L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 8

Our contribution A testing methodology to test system virtual machines: does the virtual machine behave exactly as the physical one?? = L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 9

Our contribution A testing methodology to test system virtual machines: does the virtual machine behave exactly as the physical one?? = Used to test four system virtual machines: BOCHS, QEMU, VMware, VirtualBox L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 9

EmuFuzzer vs KEmuFuzzer EmuFuzzer (ISSTA 09) Testing is performed by comparing the behavior of the CPU of the VM with the behavior of the physical CPU KEmuFuzzer Testing is performed using the same principle, but the methodology is completely different L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 10

EmuFuzzer vs KEmuFuzzer EmuFuzzer (ISSTA 09) Testing is performed by comparing the behavior of the CPU of the VM with the behavior of the physical CPU Can test only user-mode code KEmuFuzzer Testing is performed using the same principle, but the methodology is completely different Can test both user-mode and system-mode code L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 10

EmuFuzzer vs KEmuFuzzer EmuFuzzer (ISSTA 09) Testing is performed by comparing the behavior of the CPU of the VM with the behavior of the physical CPU Can test only user-mode code Can test only process virtual machines KEmuFuzzer Testing is performed using the same principle, but the methodology is completely different Can test both user-mode and system-mode code Can test system virtual machines L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 10

EmuFuzzer vs KEmuFuzzer EmuFuzzer (ISSTA 09) Testing is performed by comparing the behavior of the CPU of the VM with the behavior of the physical CPU Can test only user-mode code Can test only process virtual machines KEmuFuzzer Testing is performed using the same principle, but the methodology is completely different Can test both user-mode and system-mode code Can test system virtual machines The problem is much more challenging! L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 10

Modelling the behavior of the CPU We can imagine the CPU as an abstract machine A state s = (pc, R, M, E) of the abstract machine consists of: pc state of the program counter R state of the CPU/FPU registers M state of the (physical) memory E exception state (e.g.,, PF, GPF, UD) L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 11

Modelling the behavior of the CPU To execute an instruction means to transition into a new state s = (pc, R, M, E) L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 12

Modelling the behavior of the CPU To execute an instruction means to transition into a new state s = (pc, R, M, E) s = (pc, R, M, ) the instruction is successfully executed pc points to the next instruction, R and M are updated according to the semantics of the instruction executed L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 12

Modelling the behavior of the CPU To execute an instruction means to transition into a new state s = (pc, R, M, E) s = (pc, R, M, ) the instruction is successfully executed an exception occurred s = (pc, R, M, E ) E denotes the exception occurred, pc, R, and M are not updated since the execution of the instruction is atomic L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 12

Transparency to guests? = The guest (OS and applications) must not be able to distinguish between a physical and a virtual machine L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 13

Transparency to guests? = The guest (OS and applications) must not be able to distinguish between a physical and a virtual machine Lack of transparency is highly related to the existence of bugs L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 13

Transparency to guests s = (pc, R, M, ) L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 13

Transparency to guests s = (pc, R, M, ) s = (pc, R, M, E ) s = (pc, R, M, E ) =? L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 13

Transparency to guests s = (pc, R, M, ) s = (pc, R, M, E ) s = (pc, R, M, E ) = The VM is transparent to the guest, for the state s, if the state resulting from the execution in the two environments match L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 13

Transparency to guests s = (pc, R, M, ) s = (pc, R, M, E ) s = (pc, R, M, E ) The VM is not transparent to the guest, for the state s, if the state resulting from the execution in the two environments differ L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 13

Challenges in testing system virtual machines Our definition of transparency assumes that the execution is deterministic: Render the execution as such The state space is enormous: Focus efforts on states that requires emulation Testing of privileged instruction require to execute code in system-mode: Guarantee that we can always regain the control of the execution L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 14

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel High-level test-case template A custom compiler mutates and compiles the template L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel Custom kernel used to bootstrap the virtual machine and to executed the test-case L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel Bootable floppy image to boot the kernel in a virtual or physical machine L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel Off-the-shelf VM extended to dump to disk the state of the CPU when a command is received on a specific I/O port L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel Oracle based on a hardware assisted VM (initial state is forced manually) L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Architecture of KEmuFuzzer Test-case s Oracle s Bootable floppy Virtual machine s? = Kernel Off-line diffing utility used to compare output states L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 15

Mutating test-cases (protocol specific fuzzing) Test-cases contain operations that are believed to be significant for the testing (e.g., that trigger corner-case situations) Symbolic operators (KEF ) allows to generate multiple significant test-cases from the same input L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 16

Mutating test-cases (protocol specific fuzzing) Test-cases contain operations that are believed to be significant for the testing (e.g., that trigger corner-case situations) Symbolic operators (KEF ) allows to generate multiple significant test-cases from the same input <testcase start_ring="0"> <ring0> // Register syscall handler... // Jump to ring3 code KEF_JUMP_RING(3); </ring0> <ring3> // Invoke syscall mov $0x25, %eax; KEF_PREFIX sysenter; </ring3> </testcase> <testcase start_ring="0"> <ring0> // Load flat data segment... // Calculate PTE address movl KEF_RING_BASE(3), %eax;...do some math on %eax... addl KEF_PT_BASE, %eax; // Flip some bits in the PTE movl (%eax), %ebx; btc KEF_INTEGER(5), %ebx; movl %ebx, (%eax);... // Jump to ring3 code KEF_JUMP_RING(3); </ring0> <ring3> movb $0x0, 0x0; </ring3> </testcase> L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 16

VT-x based oracle Modern x86 CPUs (with VT-x extensions) have built-in support for virtualization L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 17

VT-x based oracle Modern x86 CPUs (with VT-x extensions) have built-in support for virtualization Specific assumptions about our peculiar guest allow to develop a minimalistic VT-x based VM that can be used as a oracle L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 17

VT-x based oracle User-mode System-mode VM controller GNU/Linux /dev/kvm Oracle VM Test-case Kernel Ring 3 Ring 2 Ring 1 Ring 0 Minimalistic KVM-based VM Non-root mode Root mode L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 17

VT-x based oracle User-mode System-mode VM controller GNU/Linux /dev/kvm Oracle VM Test-case Kernel Ring 3 Ring 2 Ring 1 Ring 0 Minimalistic KVM-based VM Non-root mode Root mode Test-case executed as-in in a VM L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 17

VT-x based oracle User-mode System-mode VM controller GNU/Linux /dev/kvm Oracle VM Test-case Kernel Ring 3 Ring 2 Ring 1 Ring 0 Minimalistic KVM-based VM Non-root mode Root mode Hardware assisted VM monitor executes in root-mode L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 17

VT-x based oracle User-mode System-mode VM controller GNU/Linux /dev/kvm Oracle VM Test-case Kernel Ring 3 Ring 2 Ring 1 Ring 0 Minimalistic KVM-based VM Non-root mode Root mode The user-space controller interacts with the VM monitor to launch the VM and to dump the final state L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 17

Experimental evaluation Tested VMs VirtualBox OSE (3.0.8) VMware Workstation (7.0) QEMU (0.11.0) BOCHS (7 nov 2009) Oracle Intel Core2 Duo (3.00GHz) Operating mode 32-bit protected mode L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 18

Experimental evaluation Tested VMs VirtualBox OSE (3.0.8) VMware Workstation (7.0) QEMU (0.11.0) BOCHS (7 nov 2009) Oracle Intel Core2 Duo (3.00GHz) Operating mode 32-bit protected mode Test-cases Generated 1915 test-cases from 67 manually written templates Correct instruction decoding and privileges enforcement Behavior of the CPU with abnormal MMU configurations Attempt to execute random code Some of the test-cases used with EmuFuzzer L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 18

Templates and test-cases producing differences Templates Test-cases BOCHS QEMU VirtualBox VMware 100 200 300 400 500 600 700 800 900 1000 L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 19

Templates and test-cases producing differences Templates Test-cases BOCHS QEMU VirtualBox VMware 100 200 300 400 500 600 700 800 900 1000 sysenter corrupts the state of a segment, GDT entries are not properly updated L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 19

Templates and test-cases producing differences Templates Test-cases BOCHS QEMU VirtualBox VMware 100 200 300 400 500 600 700 800 900 1000 Crashes when certain hw breakpoints, raises wrong exceptions, accepts illegal instructions,... L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 19

Templates and test-cases producing differences Templates Test-cases BOCHS QEMU VirtualBox VMware 100 200 300 400 500 600 700 800 900 1000 Unable to run in native execution mode with KEmuFuzzer s kernel, manifests most of the issues found in QEMU L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 19

Templates and test-cases producing differences Templates Test-cases BOCHS QEMU VirtualBox VMware 100 200 300 400 500 600 700 800 900 1000 retn instruction might corrupt the stack, GDT entries are not properly updated L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 19

CVE-2009-2267 Latest version of the kernel supports VM86 tasks/segments L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 20

CVE-2009-2267 Latest version of the kernel supports VM86 tasks/segments KEmuFuzzer identified the problem in VMware L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 20

CVE-2009-2267 Latest version of the kernel supports VM86 tasks/segments KEmuFuzzer identified the problem in VMware KEmuFuzzer identified the problem in QEMU as well L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 20

CVE-2009-2267 Latest version of the kernel supports VM86 tasks/segments KEmuFuzzer identified the problem in VMware KEmuFuzzer identified the problem in QEMU as well We are getting ready for large scale testing of VM86 mode :-) L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 20

In summary L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 21

In summary L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 21

In summary L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 21

In summary L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 21

In summary http://code.google.com/p/kemufuzzer L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 21

Testing system virtual machines Test-case s Oracle s s? = Bootable floppy Virtual machine Kernel http://code.google.com/p/kemufuzzer Thank you! Any questions? Lorenzo Martignoni lorenzo.martignoni@uniud.it L. Martignoni, R. Paleari, G. Fresi Roglia, D. Bruschi Testing System Virtual Machines 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback