Necofuzz Enables Effective Fuzzing of Nested Virtualization, Synthesizing VMs Near Validity Boundaries with 74.2% and 84.7% Effectiveness

Nested virtualization, a technology now central to modern cloud computing, introduces significant complexity and potential security weaknesses into hypervisors, the software that powers virtual machines. Reima Ishii from The University of Tokyo, Takaaki Fukai from the National Institute of Advanced Industrial Science and Technology, and Takahiro Shinagawa from The University of Tokyo, have developed NecoFuzz, a novel framework that systematically identifies vulnerabilities within this complex system. NecoFuzz overcomes the challenge of testing nested virtualization by intelligently generating virtual machines with internal states specifically designed to expose hidden flaws, guided by a detailed understanding of hardware specifications. This innovative approach achieves remarkably high code coverage and, crucially, uncovers six previously unknown vulnerabilities across multiple hypervisors, including two that have already been assigned Common Vulnerabilities and Exposures (CVE) identifiers, thereby significantly enhancing the security of cloud platforms.
Fuzzing Nested Virtualization For Hypervisor Security

This collection of resources focuses on virtualization security, specifically the challenges and techniques surrounding nested virtualization environments. Nested virtualization, where virtual machines run within other virtual machines, introduces increased complexity and a larger attack surface. A central theme is fuzzing, a dynamic testing method that provides invalid or unexpected data to a system to uncover vulnerabilities, applied to hypervisors like Xen and KVM, and the virtual devices they emulate. Researchers have also documented specific vulnerabilities discovered in virtualization systems, identified by Common Vulnerabilities and Exposures (CVE) identifiers. Key technologies mentioned include Xen, KVM, VMware, Oracle Cloud Infrastructure, Microsoft Hyper-V, Bochs, and the Linux kernel. The resources cover a range of approaches, including greybox fuzzing, which uses partial knowledge of the system's internal state, and snapshotting, which allows for quick recovery from crashes. Researchers also explore techniques like affine types and symbolic execution to improve the effectiveness of fuzzing.
Specification Guided Fuzzing of Nested Virtualization

Scientists developed NecoFuzz, a novel fuzzing framework specifically designed to identify vulnerabilities within nested virtualization systems, a growing area of cloud computing. Recognizing the increased complexity and attack surface introduced by nested virtualization, the team engineered a system to systematically explore the security of hypervisors, overcoming the challenge of generating effective virtual machine inputs with vast state spaces. NecoFuzz synthesizes executable virtual machines, termed "fuzz-harness VMs", with internal states positioned near the boundary between valid and invalid configurations, guided by a detailed model of hardware-assisted virtualization specifications. This specification-guided approach significantly improves coverage of security-critical code across different hypervisors by focusing on areas most likely to contain errors. To achieve precise validation, the team implemented a VM state validator that operates directly on the physical CPU. This validator sets generated VM Control Structure (VMCS) configurations, attempts a virtual machine entry, and then compares the resulting VMCS state with expected values. By utilizing the physical CPU as an oracle, the system not only verifies the correctness of the VMCS but also validates the implementation of the VM state validator itself, ensuring a high degree of accuracy. This method, inspired by CPU emulator fuzzing, reverses the process to verify a component of the fuzzer, enabling more accurate testing of boundary checks in nested virtualization code. Recognizing that VM configuration significantly influences hypervisor behavior, scientists incorporated a vCPU configurator to explore a wide range of settings. This configurator mutates startup parameters passed to the level-zero hypervisor, generating diverse VM configurations and exercising interactions across hypervisor components.
The vCPU configurator consists of a hypervisor-independent core that generates configurations from fuzzing inputs, coupled with a small adapter connecting to each level-zero hypervisor, enabling easy adaptation across different platforms. The entire fuzzing framework leverages AFL++, with a custom agent program connecting the fuzzer, the fuzz-harness VM, and the target hypervisor, collecting coverage data through hypervisor-specific mechanisms like kcov and gcov. The core fuzzing logic within the fuzz-harness VM is orchestrated by an executor, implemented as a UEFI application, which runs with privileges to execute instructions in both hypervisor and guest contexts. This innovative approach achieved 84.7% and 74.2% code coverage for nested virtualization-specific code on Intel VT-x and AMD-V, respectively, and uncovered six previously unknown vulnerabilities across three hypervisors, including two assigned Common Vulnerabilities and Exposures (CVE) identifiers.

NecoFuzz Achieves High Coverage in Nested Virtualization

Scientists developed NecoFuzz, a novel fuzzing framework specifically designed to target nested virtualization logic within hypervisors, achieving significant breakthroughs in security testing. This work addresses a critical gap in existing hypervisor fuzzing techniques, which previously struggled to effectively analyze the complex state spaces inherent in nested virtualization environments. NecoFuzz synthesizes executable virtual machine (VM) instances with internal states positioned near the boundary between valid and invalid configurations, guided by a detailed model of hardware-assisted virtualization specifications. Experiments demonstrate that NecoFuzz achieves 84.7% code coverage for nested virtualization-specific code on Intel VT-x and 74.2% on AMD-V, representing a substantial improvement in testing depth.
The framework uncovered six previously unknown vulnerabilities across three hypervisors, including two assigned Common Vulnerabilities and Exposures (CVE) identifiers, confirming its effectiveness in identifying real-world security flaws.
The team achieved this by partitioning fuzzing input and dispatching it to three key components: a VM execution harness, a VM state validator, and a vCPU configurator. The VM execution harness mutates execution order and parameters within the VM, while the VM state validator alters the VM Control Structure (VMCS) to generate diverse VM states. The vCPU configurator modifies combinations of supported virtual CPU features, further expanding the range of tested configurations. By running the hypervisor on bare metal, the researchers ensured a controlled environment for accurate testing and analysis, delivering a powerful new tool for enhancing the security of cloud infrastructure.

NecoFuzz Enhances Nested Hypervisor Security Testing

NecoFuzz represents a significant advancement in hypervisor security testing, becoming the first fuzzing framework specifically designed for nested virtualization environments. Researchers developed a system that efficiently generates complete virtual machine instances, termed fuzz-harness VMs, to systematically explore security-critical logic within hypervisors. This approach focuses on the boundary between valid and invalid virtual machine states, guided by models of hardware-assisted virtualization specifications, thereby improving the effectiveness of security testing. Evaluation of NecoFuzz on Intel VT-x and AMD-V platforms, applied to KVM, Xen, and VirtualBox, demonstrates substantial improvements in code coverage of nested virtualization-specific code compared to existing fuzzing tools, including Syzkaller. Importantly, the framework uncovered six previously unknown vulnerabilities across the three hypervisors tested, with two of these vulnerabilities receiving Common Vulnerabilities and Exposures (CVE) assignments. These findings establish NecoFuzz as a practical and effective tool for addressing the previously unexplored attack surface of nested virtualization.
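The two mechanisms described above, partitioning one fuzz input among the three components and having the VM state validator synthesize VMCS states one bit away from the valid/invalid boundary and then cross-check its own verdict against an oracle, can be illustrated with a small model. The following Python is an added example written for this summary; it is not NecoFuzz's code. It borrows one real piece of the Intel VT-x specification, namely that each VM-execution control field has a capability MSR whose low 32 bits are the "allowed-0" settings (bits that must be 1) and whose high 32 bits are the "allowed-1" settings (bits that may be 1). The MSR values, field names, feature names and the sample fuzz input are constructed placeholders, and the oracle is an ordinary callable standing in for the physical CPU's VM-entry attempt.

```python
"""Toy model of NecoFuzz-style input partitioning and boundary synthesis.
Added example; not the project's own code. Capability MSR values, field
and feature names below are constructed, not read from real hardware."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Specification model: field -> (allowed-0 word, allowed-1 word), mirroring the
# layout of the IA32_VMX_*_CTLS MSRs. Values are CONSTRUCTED for this example.
CAPABILITY_MSRS: dict[str, tuple[int, int]] = {
    "pin_based_ctls": (0x0000_0016, 0x0000_00FF),
    "cpu_based_ctls": (0x0401_E172, 0xFFFF_FFFF),
    "vmexit_ctls":    (0x0003_6DFF, 0x00FF_FFFF),
}

# Hypothetical vCPU feature toggles the configurator slice can flip.
VCPU_FEATURES = ["nested", "ept", "apicv", "unrestricted_guest"]


@dataclass
class Slices:
    harness: bytes        # drives execution order/parameters inside the VM
    validator: bytes      # drives VMCS mutations near the validity boundary
    configurator: bytes   # drives vCPU feature combinations


def partition_input(data: bytes) -> Slices:
    """Split a single fuzzer-supplied input into one slice per component."""
    if len(data) < 3:
        raise ValueError("need at least three bytes of fuzz input")
    n = len(data) // 3
    return Slices(data[:n], data[n:2 * n], data[2 * n:])


def is_valid_control(field: str, value: int) -> bool:
    """Spec check: every must-be-1 bit is set and no may-not-be-1 bit is set."""
    allowed0, allowed1 = CAPABILITY_MSRS[field]
    value &= 0xFFFF_FFFF
    return (allowed0 & ~value) == 0 and (value & ~allowed1) == 0


def minimal_valid_control(field: str) -> int:
    """The known-valid base: exactly the must-be-1 bits set."""
    return CAPABILITY_MSRS[field][0]


def synthesize_near_boundary(field: str, validator_slice: bytes) -> list[tuple[int, bool]]:
    """Produce control values one bit away from a valid base.

    Each byte of the validator slice picks one of the 32 control bits to flip.
    Flipping a free bit stays valid; flipping a must-be-1 or must-be-0 bit is
    invalid by exactly one bit, which is the boundary a hypervisor's nested
    VM-entry checks must get right. Returns (value, validator_verdict) pairs.
    """
    base = minimal_valid_control(field)
    candidates = []
    for b in validator_slice:
        candidate = base ^ (1 << (b % 32))
        candidates.append((candidate, is_valid_control(field, candidate)))
    return candidates


def cross_check(field: str, candidates: list[tuple[int, bool]],
                oracle: Callable[[str, int], bool]) -> list[tuple[int, bool]]:
    """Return candidates on which the validator and the oracle disagree.

    In NecoFuzz the oracle is the physical CPU attempting a VM entry with the
    candidate VMCS; any disagreement points at a bug in the validator itself.
    """
    return [(v, verdict) for v, verdict in candidates if oracle(field, v) != verdict]


def configure_vcpu(configurator_slice: bytes) -> dict[str, bool]:
    """Map the configurator slice onto a feature-toggle set (hypothetical names)."""
    return {name: bool(configurator_slice[i % len(configurator_slice)] & 1)
            for i, name in enumerate(VCPU_FEATURES)}


if __name__ == "__main__":
    # Constructed sample input: 3 harness bytes, 3 validator bytes, 3 configurator bytes.
    sample = b"\x00\x00\x00\x01\x08\x20\xaa\xbb\xcc"
    s = partition_input(sample)
    cands = synthesize_near_boundary("pin_based_ctls", s.validator)
    for value, verdict in cands:
        print(f"pin_based_ctls=0x{value:x} validator says {'valid' if verdict else 'invalid'}")
    print("vCPU config:", configure_vcpu(s.configurator))
    # A deliberately incomplete oracle (ignores allowed-1 bits) exposes the mismatch.
    sloppy_oracle = lambda f, v: (CAPABILITY_MSRS[f][0] & ~v) == 0
    print("disagreements:", cross_check("pin_based_ctls", cands, sloppy_oracle))
```

With the constructed MSR for `pin_based_ctls`, the three validator bytes flip bit 1 (must be 1, so the result is invalid), bit 8 (outside the allowed-1 mask, also invalid) and bit 0 (free, still valid), giving three candidates that sit one bit either side of the boundary; the sloppy oracle accepts the bit-8 candidate, so `cross_check` reports exactly that one disagreement.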
More information: NecoFuzz: Effective Fuzzing of Nested Virtualization via Fuzz-Harness Virtual Machines. arXiv: https://arxiv.org/abs/2512.08858
