A virtual machine fuzzing system and method based on host memory state feedback
By introducing host memory status feedback signals into the virtual machine manager and combining them with code coverage, a dual feedback-driven mechanism is established, which solves the problem of insufficient memory threat perception in existing technologies and achieves efficient discovery of high-risk vulnerabilities and improved security.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: XIDIAN UNIV
- Filing Date: 2026-04-03
- Publication Date: 2026-06-19
AI Technical Summary
Existing virtual machine manager fuzzing techniques are insufficient in detecting memory threats, making it difficult to quantify the degree of threat that input poses to the host machine. This results in insufficient efficiency and targeting in vulnerability discovery, and a high false negative rate.
By introducing host memory status feedback signals, using QEMU's dirty bitmap API to count the number of dirty pages and the ASan (AddressSanitizer) tool to count the number of affected heap blocks, and combining these with code coverage feedback, a dual-feedback driven seed selection and mutation optimization mechanism is established to explore high-risk memory interaction paths in a targeted manner.
It significantly improves the efficiency and accuracy of discovering memory-related vulnerabilities in the virtual machine manager, enabling faster detection of high-risk vulnerabilities such as VM escape, DMA out-of-bounds write, and heap corruption, reducing the risk of malicious exploitation and enhancing the security of cloud computing infrastructure.
Figure CN122240499A_ABST (abstract figure)
Description
Technical Field
[0001] This invention belongs to the field of virtual machine manager technology, specifically relating to a virtual machine fuzzing system and method based on host memory status feedback.
Background Technology
[0002] The hypervisor is a core component of cloud computing and virtualization technologies, responsible for resource isolation, hardware emulation, and efficient scheduling among multiple virtual machines (VMs). A virtual machine is a virtualized instance of a complete computer system's operating environment, while virtual devices are components within this virtual environment used to simulate specific hardware functions such as network cards, disks, and USB controllers. QEMU achieves I/O interaction between the guest and host through highly flexible device emulation mechanisms (such as the VirtIO series, USB EHCI, PCIe devices, IDE/SATA, etc.). DMA (Direct Memory Access) is the critical path, allowing virtual devices to directly read and write guest physical memory (via QEMU's dma_memory_read/write API) while adhering to the relevant hardware specifications (such as OASIS VirtIO v1.2, the Intel EHCI Specification, etc.).
[0003] Fuzzing has become one of the mainstream techniques for discovering vulnerabilities in complex software systems, and is especially suitable for components with a large code size and complex logic, such as hypervisors. Fuzzing monitors the behavior of a target program while feeding it a large amount of random or semi-random data, detecting anomalies or crashes and thereby locating potential vulnerabilities. Gray-box fuzzing combines code coverage information to guide seed selection and mutation, improving testing efficiency. AFL++ is one of the most advanced gray-box fuzzing tools currently available. Its core mechanisms include: (1) code coverage collection through LLVM/GCC instrumentation (mainly edge coverage and basic block coverage); (2) seed scheduling and energy allocation based on coverage information, prioritizing the mutation of seeds that trigger new paths; (3) various efficient mutation strategies (such as havoc, splice, dictionary insertion, etc.); and (4) support for custom extensions (such as custom mutator, post library, feedback mechanism). AFL++ has been widely used in projects such as the QEMU official fuzzing infrastructure, LibAFL QEMU, and V-Shuttle, becoming an important tool for hypervisor vulnerability discovery.
[0004] Existing technical solutions: Among existing technologies, the closest implementations to this invention mainly focus on coverage-guided fuzzing tools, snapshot-optimized hypervisor fuzzing frameworks, and protocol-aware and structured mutation schemes. Gray-box fuzzers such as AFL++, Honggfuzz, and LibFuzzer implement coverage-driven seed scheduling and mutation through code instrumentation, and have been applied to QEMU's generic-fuzzing targets and some virtual device fuzzing, supporting efficient seed selection and energy scheduling mechanisms. Snapshot-optimized frameworks such as V-Shuttle (ACSAC 2021) propose a semantics-aware DMA input generation and snapshot mechanism, utilizing dirty pages for efficient state recovery; LibAFL QEMU (BAR 2024) provides a modular QEMU fuzzing backend, supporting snapshots and memory hooks; Nyx/Snapchange (USENIX Security 2021/2024) achieve high-performance snapshot fuzzing based on KVM dirty logging, with dirty pages used for rapid VM state reset. Protocol-aware solutions such as VIDEZZO (USENIX Security 2023) propose lightweight syntax annotation and field dependency-aware mutators for QEMU virtual device DMA input, enabling field-by-field mutation and dependency repair; Morphuzz (USENIX Security 2022) handles DMA protocol malformation generation through the approach of bending the input space. In addition, HYPERPILL (USENIX Security 2024) utilizes hardware-assisted tracing of hypervisor memory access patterns, while NecoFuzz (arXiv 2025) focuses on nested virtualization fuzzing, using harness VMs to construct test environments.
[0005] The aforementioned solutions have achieved significant progress in coverage guidance, snapshot efficiency, and protocol structure awareness, providing an important technical foundation for Hypervisor vulnerability discovery. Building upon this work, this invention further introduces host memory state as a novel feedback signal to achieve more security-oriented fuzzing optimization.
[0006] The shortcomings of existing technologies: Some virtual machine manager fuzzing techniques rely mainly on code coverage guidance from tools such as AFL++ and on snapshot optimization frameworks (such as V-Shuttle [V-Shuttle: Semantics-Aware Hypervisor Virtual Device Fuzzing [C] // Proceedings of the Annual Computer Security Applications Conference (ACSAC). 2021. https://nesa.zju.edu.cn/download/pgn_pdf_V-SHUTTLE.pdf], LibAFL QEMU [LibAFL QEMU: A Library for Fuzzing-oriented Emulation [C] // Binary Analysis Research Workshop (BAR). 2024. https://www.ndss-symposium.org/wp-content/uploads/bar2024-7-paper.pdf], Nyx [SCHUMILO S, ASCHERMANN C, ABBASI A, et al. Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types [C] // 30th USENIX Security Symposium (USENIX Security 21). Vancouver, BC: USENIX Association, 2021: 2597-2614. https://www.usenix.org/system/files/sec21-schumilo.pdf]). Existing snapshot-based fuzzing frameworks (such as V-Shuttle and Nyx) do track dirty pages, but only for state reset and snapshot recovery performance optimization, that is, as an internal performance metric. This invention transforms the same type of memory state information (dirty pages, affected heap blocks) from a performance indicator into a security threat perception and guidance signal that drives seed selection, which highlights the creative transformation and technical contribution of this invention. Protocol-aware mutation schemes (such as VIDEZZO [LIU Q, ZHANG C, et al. VIDEZZO: Dependency-aware Virtual Device Fuzzing [C] // 32nd USENIX Security Symposium (USENIX Security 23). Anaheim, CA: USENIX Association, 2023], Morphuzz [Morphuzz: Bending Input Space for Virtual Device Fuzzing [C] // 31st USENIX Security Symposium (USENIX Security 22). Boston, MA: USENIX Association, 2022]), although they have made progress in coverage efficiency, state recovery and input generation, have a single feedback signal: they focus only on code path coverage and lack the ability to perceive the actual impact on host memory. Memory metrics such as dirty pages are used only for snapshot performance optimization and are not turned into guiding signals for fuzzing. This makes it difficult to quantify the threat level an input poses to the host machine, and impossible to prioritize the exploration of paths that may actually cause high-risk vulnerabilities such as VM escape, heap corruption, or memory pollution. Overall, vulnerability discovery efficiency and targeting are insufficient, and the false negative rate is high.
Summary of the Invention
[0007] To overcome the problems existing in the prior art, the present invention discloses a virtual machine fuzzing system and method based on host memory state feedback. Using "host memory state feedback" as a novel guidance dimension, it quantifies the range of memory modifications caused by an input (number of dirty pages + number of heap chunks), and prioritizes the exploration of high-risk memory interaction paths, filling the gap in memory threat perception in traditional coverage-based guidance. It utilizes the QEMU native dirty bitmap API to count the number of memory page modifications, combined with ASan shadow memory to count the number of affected heap chunks, to achieve real-time delta calculation and a simple judgment (delta > 0 means the seed is retained). It is compatible with existing frameworks and achieves dual-feedback driven seed selection, energy scheduling, and mutation optimization. This invention provides cloud computing vendors, virtualization platform developers, and security researchers with a novel vulnerability discovery method, effectively reducing the risk of malicious exploitation of memory vulnerabilities in virtual machine managers such as QEMU, and providing a reference for subsequent patch development, permission hardening, and security configuration.
[0008] To achieve the above objectives, the present invention adopts the following technical solution: a method for optimizing seed selection in coverage-guided fuzzing, which obtains the host memory state change data caused by the target program executing a seed; based on the host machine memory state change data, it calculates the amount of memory state change corresponding to the current seed, that is, the difference between the data before and after the change; when the amount of memory state change is greater than zero, it is determined that the current seed causes a substantial modification to the host machine memory, and the priority of the seed in subsequent fuzzing iterations is increased.
[0009] In this invention, the seed specifically refers to the test cases generated by the fuzzing engine and input into the DMA interface of the virtual machine target device, which serve as the basic input for triggering program execution, observing feedback information, and continuing to mutate in subsequent iterations.
[0010] A virtual machine fuzzing system based on host memory state feedback includes: The fuzz testing engine module is the core driving unit of the entire testing system. It guides the test loop based on AFL++ code coverage, including seed selection, mutation, and generation. The virtual machine execution module, based on QEMU, provides a high-fidelity virtual device simulation environment, supports full functional simulation of mainstream virtual devices such as VirtIO, USB EHCI, and PCIe, and is used to load the target virtual device and execute the seed injected into its DMA interface. The memory status acquisition module is used to collect data on changes in the host machine's memory status caused by the execution of the seed in real time. The data includes the number of dirty memory pages and/or the number of affected heap memory blocks. The dual feedback guidance module connects the memory state acquisition module and the fuzz test engine module. It is used to calculate the change amount corresponding to the memory state change data, and when the change amount is greater than zero, it sends an instruction to the fuzz test engine module to place the generated current seed into the high priority set. The vulnerability monitoring module is used to monitor the status of the virtual machine execution module and capture vulnerability information when an anomaly is detected.
[0011] A virtual machine fuzzing method based on host memory state feedback, executed in the virtual machine fuzzing system based on host memory state feedback, includes the following steps:
Step 1: Start the AFL++ fuzz testing engine and the QEMU virtual machine, initialize host machine memory status monitoring, and generate test cases, also known as seeds; the initialization includes resetting the baseline state used to record memory modifications.
Step 2: The AFL++ fuzzing engine selects seeds from the seed queue based on code coverage information. The basic principle is to prioritize input samples that bring new coverage, that is, seeds that trigger new edge coverage or improve existing path coverage are added to the queue and participate in subsequent scheduling. During the seed selection and energy allocation phase, AFL++ comprehensively considers factors such as sample execution time, input size, path rarity, and historical fuzzing performance. Seeds that trigger new code execution paths are retained in the seed pool, and AFL++ gives these retained seeds more mutation opportunities, balancing testing overhead against exploration depth. The selected seeds then undergo standard mutations, including havoc random mutation, splice fragment splicing mutation, and dictionary injection mutation, to generate new seeds.
Step 3, Test Execution and Memory Status Acquisition: Input all seeds from Steps 1 to 2 into the DMA interface of the target virtual device in the QEMU virtual machine and execute them; during and after execution, collect real-time data on the changes in the host machine's memory status caused by the seeds. The memory status change data includes the number of dirty memory pages written by the QEMU virtual machine and/or the number of affected heap memory blocks.
Step 4: Calculate the amount of memory state change corresponding to the current seed from the memory state change data collected in Step 3; if the amount of memory state change is greater than zero, it is determined that the current seed has caused a substantial modification to the host machine memory, and the seed is retained in the high-priority seed set for priority scheduling in subsequent fuzzing loops.
Step 5: Update the seed queue based on the decision result of Step 4, and repeat Steps 2 to 4; monitor the running status of the QEMU virtual machine during test execution, and when a crash or anomaly is detected, record the seed that triggered the vulnerability and related context information.
[0012] In step 3, the number of dirty memory pages is collected by hooking the cpu_physical_memory_set_dirty_range function of the QEMU virtual machine or by utilizing its dirty page bitmap mechanism.
[0013] In step 3, the number of affected heap memory blocks is counted using the AddressSanitizer (ASan) tool.
[0014] In step 4, if the amount of memory state change is zero, then the fuzzing engine decides whether to retain the current seed based on the original decision rules of code coverage.
[0015] In step 4, reserving the seed in the high-priority seed set specifically includes: adding an identifier to the seed and enabling the fuzzing engine to allocate higher mutation energy or a higher selection probability to the seed in subsequent seed scheduling.
[0016] The DMA interface of the target virtual device is the DMA interface of a VirtIO device, a USB EHCI device, or a PCIe device.
[0017] An electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the virtual machine fuzzing method based on host memory state feedback.
[0018] A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the virtual machine fuzzing method based on host memory state feedback.
[0019] Compared with the prior art, the present invention has the following advantages: 1. It innovatively redirects feedback signals toward security, filling a perception gap.
[0020] Existing technologies such as AFL++ use feedback signals (code coverage) designed to maximize code path exploration, making them breadth-oriented signals. While snapshot optimization frameworks (such as V-Shuttle and Nyx) utilize memory states like dirty pages, their purpose is limited to performance optimization through accelerated state resetting, making them efficiency-oriented internal metrics that do not contribute to security threat perception. This invention is the first to transform the same underlying memory state information (number of dirty memory pages, number of affected heap memory blocks) from a "performance metric" into a security threat perception signal. By determining whether the input causes a substantial modification to the host machine's memory (delta > 0), this invention establishes a new feedback dimension that directly quantifies the degree of security threat posed by the input to the host machine's memory, thus filling the gap in traditional fuzzing for host-side memory threat perception.
[0021] 2. A dual-feedback driven collaborative guidance mechanism was constructed, enabling targeted focus on high-risk paths.
[0022] This invention does not simply replace or superimpose feedback signals, but rather organically integrates the aforementioned memory state feedback with mature code coverage feedback to form a dual-feedback driven mechanism. The core decision-making logic of this mechanism is that the corresponding seed is assigned the highest priority only when the test input simultaneously triggers a new code path and causes modification of the host machine's memory. This allows the fuzzing process to automatically filter and continuously focus on high-risk interaction paths that both execute complex code and actually affect the host machine's memory from a massive amount of path exploration. Compared to single coverage guidance, which is prone to getting stuck in shallow path coverage, the dual-feedback mechanism of this invention achieves a fundamental shift from aimless exploration to safety-goal-oriented exploration.
[0023] 3. Significantly improves the efficiency and accuracy of discovering high-risk memory vulnerabilities, demonstrating clear security engineering value.
[0024] Because the aforementioned mechanism directly targets host memory modification, the core characteristic of high-risk vulnerabilities, this invention can significantly improve the probability of discovering core memory-related vulnerabilities such as VM escape, DMA out-of-bounds write, heap corruption, and Use-After-Free vulnerabilities. Experiments show that this method can effectively guide test resources to converge more quickly on code regions that truly pose a security threat. Therefore, this invention is not only a methodological innovation but also a security enhancement method with significant engineering practical value. It provides cloud vendors, virtualization platform developers, and security researchers with a testing tool that can proactively and preferentially uncover the most serious threats, helping to discover and patch deep memory vulnerabilities in hypervisors such as QEMU before attackers exploit them, thereby directly improving the security baseline and reliability of cloud computing infrastructure.
Attached Figure Description
[0025] Figure 1 is a diagram of the overall architecture of the solution; Figure 2 is a flowchart of the memory status feedback process.
Detailed Implementation
[0026] The present invention will now be described in further detail with reference to the accompanying drawings.
[0027] A method for optimizing seed selection in coverage-guided fuzz testing involves acquiring host memory state change data caused by seed execution and adjusting the priority of the corresponding seed based on whether the change data is greater than zero.
[0028] As shown in Figure 1, the overall framework of this invention is as follows: A virtual machine fuzzing system based on host memory state feedback, including... The fuzzing engine module is the core driving unit of the entire testing system. Based on AFL++ code coverage, it guides the test loop, including seed selection, mutation, and seed generation. Its main architecture can be summarized as consisting of target program instrumentation, seed queue management, input mutation generation, program execution feedback, and anomaly detection and storage. First, AFL++ collects code coverage information during QEMU program execution through compile-time or dynamic instrumentation, mapping the execution path to a shared memory bitmap as the core feedback basis for gray-box fuzzing. Second, the fuzzer maintains a seed queue based on coverage changes, prioritizing input samples that bring new coverage or have high testing value. Then, AFL++ performs deterministic and random mutations on the selected seeds to generate new seeds. Finally, the system determines from the program execution results whether the input triggered a new path, timed out, or crashed, and saves and classifies valuable seed samples and anomalous samples. The virtual machine execution module, based on the QEMU device emulation framework, is used to build a high-fidelity virtual device execution environment. This module leverages QEMU's device model, bus model, address space management, and DMA access mechanism to support functional emulation of mainstream virtual devices such as VirtIO, USB EHCI, and PCIe. Specifically, the module first starts a QEMU instance and loads the target virtual device, initializing the device's bus, register space, and guest physical memory mapping. Then, it parses fuzz test samples into DMA descriptors, data buffers, and control parameters, writing them into guest memory or the corresponding device registers.
Afterward, it triggers the device processing flow through MMIO/PIO write operations, queue notifications, or interrupts, causing the target device model to call the DMA read/write interface to access guest memory and execute the corresponding data processing logic. During this process, the module synchronously collects execution status, exception information, and memory change information, feeding the results back to the vulnerability detection module to achieve automated test execution for the virtual device DMA interface. The memory status acquisition module is used to collect data on changes in the host machine's memory status caused by the execution of the seed in real time. The data includes the number of dirty memory pages and/or the number of affected heap memory blocks. A dual-feedback guidance module, connecting the memory state acquisition module and the fuzzing engine module, is used to calculate the change amount corresponding to the memory state change data. Let $d_{\text{dirty}}$ denote the change in the number of dirty pages and $h_{\text{heap}}$ the change in the number of affected heap memory blocks, and define the amount of memory state change as $\delta$. When either $d_{\text{dirty}} > 0$ or $h_{\text{heap}} > 0$, the current input is considered to have caused a significant change in memory state and $\delta$ is set to 1; that is, when the change is greater than zero, an instruction is sent to the fuzzing engine module to add the current seed to the high-priority set. If $\delta = 0$, the current seed is selected normally according to the coverage feedback mechanism of the AFL++ fuzzing engine. The determination can be expressed as:

$$\delta = \begin{cases} 1, & d_{\text{dirty}} > 0 \ \text{or}\ h_{\text{heap}} > 0 \\ 0, & \text{otherwise} \end{cases}$$
[0029] The vulnerability monitoring module is used to monitor the status of the virtual machine execution module and capture vulnerability information when an anomaly is detected.
[0030] Based on the above system, the specific execution flow of the present invention is as follows (as shown in Figure 2), with each step interconnected to form a complete closed-loop testing system: Step 1: First, initiate the initialization process of the AFL++ fuzzing engine, complete the configuration of core engine parameters, load instrumentation rules, and import the collected and organized initial seed queue. The seeds in this queue are all input data conforming to the DMA interface protocol specification, such as the qTD/QH descriptor chain of a USB EHCI device, descriptor data of a VirtIO device, etc. Then, start the QEMU virtual machine simulation environment, enable the GCC compiler instrumentation function to achieve code coverage collection, and load the memory state tracking module to enable host memory modification monitoring. As shown in Figure 2, before the fuzzing loop officially starts, baseline state initialization must be completed: reset the dirty bitmap and initialize the heap state baseline values (set the initial dirty page count to 0 and the initial affected heap chunk count to 0), to ensure accurate calculation of subsequent memory state changes.
[0031] Step 2: Based on traditional code coverage analysis, the AFL++ fuzzing engine comprehensively considers factors such as sample execution time, input size, path rarity, and historical fuzzing performance during seed selection. Samples with shorter execution times typically have higher testing efficiency, triggering more mutations and executions per unit time, and are therefore prioritized. Samples with smaller input sizes are easier to mutate quickly and help reduce the impact of redundant data on testing efficiency, thus usually having higher priority. Samples with higher path rarity have higher exploration value because they cover less frequently accessed program paths, thus receiving more mutation opportunities. Furthermore, if a sample is more likely to generate new paths or trigger effective feedback during historical fuzzing, it indicates strong potential utilization value, and AFL++ will further increase its selection probability. Seeds with high "interest" (such as those capable of covering new paths) are selected from the seed queue, and standard mutation strategies are applied to them—including havoc random mutation, splice fragment splicing mutation, and dictionary injection mutation. A variety of candidate input sequences are generated through mutation operations, and then these candidate inputs are injected into the DMA interface of the target virtual device in the QEMU virtual machine to trigger DMA data transfer and related logic execution.
[0032] Step 3: After receiving the candidate input, the QEMU virtual machine initiates the virtual device simulation process, executing the DMA interface-related interaction logic and data transfer operations. During this process, QEMU automatically tracks the generation and quantity changes of dirty memory pages through built-in APIs such as cpu_physical_memory_set_dirty_range; simultaneously, the ASan (AddressSanitizer) tool counts the number of affected heap chunks in real time. After a DMA interaction is completed, the memory status acquisition module immediately collects the current number of dirty pages and the change in heap chunks, compares them with the baseline values set in Step 1, and calculates the memory status change delta value; if delta > 0, the candidate input has caused a substantial modification to the host memory (see Figure 2).
[0033] Step 4: The memory status feedback guidance module receives the delta value output in Step 3 and executes the judgment logic: if delta > 0 (i.e., the seed corresponding to the current candidate input can trigger host memory modification), then it and its variants are retained in the seed pool for subsequent mutation and execution; if delta = 0 (i.e., no host memory modification is triggered), then the traditional code coverage rules of AFL++ are used to determine whether to retain the seed. The core value of this feedback guidance mechanism is to ensure that the fuzzing process prioritizes exploring input paths that have a real impact on host memory.
[0034] Step 5: Repeat steps 2 through 4 to initiate continuous closed-loop fuzz testing iterations. Throughout the testing process, the vulnerability detection and output module monitors the running status of the QEMU virtual machine, capturing vulnerability characteristics such as crashes, runtime anomalies, and memory access errors in real time. When a potential vulnerability is detected, it automatically records and outputs complete vulnerability-related information, including the test seed that caused the vulnerability, the function call stack at the time of the crash, the memory modification log, and the system state at the time the vulnerability was triggered, providing comprehensive and accurate data support for subsequent vulnerability reproduction, root cause analysis, and remediation verification.
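The delta computation and seed decision of Steps 3 and 4 (and the dual-feedback module in [0028]), as an added illustration in C that is not part of the patent, of QEMU or of AFL++. It assumes the dirty page count and affected heap chunk count have already been sampled into plain numbers (the popcount over a one-bit-per-page bitmap stands in for the dirty bitmap API), and the 2x energy boost for high-priority seeds is an assumed value, since the text only says "higher".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Host memory state sampled around one seed execution. In the patent the
 * numbers come from QEMU's dirty bitmap and from ASan; here the caller
 * supplies constructed values. */
typedef struct {
    uint64_t dirty_pages;   /* pages marked dirty in the host-side bitmap */
    uint64_t heap_chunks;   /* affected heap chunks, as an ASan walk would report */
} mem_state_t;

/* Per-seed memory feedback: the two deltas and the binary verdict. */
typedef struct {
    int64_t d_dirty;        /* change in dirty page count vs. the baseline */
    int64_t h_heap;         /* change in affected heap chunk count vs. the baseline */
    int delta;              /* 1 if either change is > 0, else 0 */
} mem_feedback_t;

typedef enum {
    SEED_DISCARD = 0,       /* neither the memory signal nor coverage fired */
    SEED_KEEP_COVERAGE,     /* delta == 0: kept by AFL++'s own coverage rule */
    SEED_HIGH_PRIORITY      /* delta > 0: placed in the high-priority seed set */
} seed_verdict_t;

/* Count dirty pages from a one-bit-per-page bitmap. This popcount models
 * what the dirty bitmap API exposes; it is not QEMU's code. */
uint64_t count_dirty_pages(const uint8_t *bitmap, size_t nbytes)
{
    uint64_t n = 0;
    for (size_t i = 0; i < nbytes; i++) {
        uint8_t b = bitmap[i];
        while (b) { n += b & 1u; b >>= 1; }
    }
    return n;
}

/* Step 4 arithmetic: d_dirty and h_heap are "after minus baseline",
 * delta is 1 when either indicator is greater than zero. */
mem_feedback_t compute_feedback(mem_state_t baseline, mem_state_t after)
{
    mem_feedback_t fb;
    fb.d_dirty = (int64_t)after.dirty_pages - (int64_t)baseline.dirty_pages;
    fb.h_heap  = (int64_t)after.heap_chunks - (int64_t)baseline.heap_chunks;
    fb.delta   = (fb.d_dirty > 0 || fb.h_heap > 0) ? 1 : 0;
    return fb;
}

/* Dual-feedback decision: the memory signal takes precedence; when it is
 * silent, the coverage rule (new edge seen or not) decides, as in [0014]. */
seed_verdict_t classify_seed(mem_feedback_t fb, int new_coverage)
{
    if (fb.delta > 0)
        return SEED_HIGH_PRIORITY;
    return new_coverage ? SEED_KEEP_COVERAGE : SEED_DISCARD;
}

/* Energy for the power schedule. The 2x factor is an assumption made for
 * this example; the patent only requires "higher mutation energy". */
uint32_t seed_energy(seed_verdict_t v, uint32_t base_energy)
{
    switch (v) {
    case SEED_HIGH_PRIORITY: return base_energy * 2u;
    case SEED_KEEP_COVERAGE: return base_energy;
    default:                 return 0;
    }
}

int main(void)
{
    /* Constructed example: a 16-page region. The baseline bitmap is reset
     * to all zeros (Step 1); after execution pages 0, 2 and 15 are dirty. */
    const uint8_t before[2] = { 0x00, 0x00 };
    const uint8_t after[2]  = { 0x05, 0x80 };
    mem_state_t base = { count_dirty_pages(before, sizeof before), 0 };
    mem_state_t post = { count_dirty_pages(after, sizeof after), 0 };
    mem_feedback_t fb = compute_feedback(base, post);
    seed_verdict_t v = classify_seed(fb, 0);   /* no new coverage this run */
    printf("d_dirty=%lld h_heap=%lld delta=%d verdict=%d energy=%u\n",
           (long long)fb.d_dirty, (long long)fb.h_heap, fb.delta,
           (int)v, seed_energy(v, 100u));
    return 0;
}
```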
[0035] The technical solution of this invention is based on AFL++ code coverage guidance technology, and innovative optimizations are made to address its limitations in virtual machine DMA interface vulnerability mining.
[0036] AFL++'s core seed selection strategy primarily relies on code coverage information: through GCC or LLVM compiler instrumentation technology, it accurately collects edge coverage and block coverage data of the target program, prioritizes seeds that can trigger new coverage paths to be included in the test queue, and marks them as "favorite" seeds to allocate more mutation resources; its power schedule mechanism further allocates energy values based on the "interest" indicators of the seeds (including the number of new path discoveries, execution speed, coverage, etc.), and high-energy seeds can get more iterations in the havoc mutation stage to deeply explore potential paths. In terms of mutation strategy design, AFL++ adopts a combination of deterministic mutations and havoc mutations: deterministic mutations include sequential operations such as bit-flip, byte-flip, and arithmetic insertion, which are suitable for basic path exploration of the initial seed; havoc mutations integrate diverse methods such as splice, dictionary insertion, and stacked mutations, which can generate rich test inputs and support custom mutator extensions to adapt to complex protocol test scenarios.
[0037] The core fuzzing target of this invention is the DMA (Direct Memory Access) interface of virtual hardware devices in the QEMU virtual machine. At the technical implementation level, QEMU's DMA interface allows virtual devices to directly access guest physical memory (GPA, Guest Physical Address) and complete data read and write operations through QEMU's built-in dma_memory_read and dma_memory_write core APIs. Different types of virtual device DMA interfaces follow their own specific protocol specifications: for example, VirtIO devices use a virtqueue descriptor chain structure, USB EHCI devices use a qTD/QH linked list structure, and PCIe devices use a descriptor ring structure. The descriptors defined in these protocol specifications all contain fixed data structures, mainly covering core fields such as the address pointer (addr), transfer length (len), and control flags (flags). QEMU performs scatter-gather DMA operations based on these fields, supporting data transfer across memory pages. It is worth noting that the technical complexity of the DMA interface (such as overlapping address pointers, mismatched transfer lengths, and abnormal flag configurations) makes it a high-risk area for memory vulnerabilities in the QEMU virtual machine. These vulnerabilities often directly lead to serious security issues such as unauthorized modification of host memory and out-of-bounds access. Therefore, this invention specifically uses the DMA interface as the test object, employing targeted input injection and memory state monitoring to achieve efficient vulnerability discovery.
[0038] To verify the effectiveness of the virtual machine fuzzing method based on host memory state feedback proposed in this invention, this paper focuses on the ability of the virtual machine manager to discover memory-related vulnerabilities and conducts experimental verification on the constructed fuzzing system. The experiment selects the QEMU virtual machine manager as the test object, and analyzes its anomaly triggering capability and path exploration capability in complex memory interaction scenarios by running the designed fuzzing framework in a unified testing environment.
[0039] The experimental environment was built on a Linux platform, using QEMU version 9.1.1 as the test object. The host machine ran on an x86_64 architecture, equipped with an 8-core processor and 32GB of memory. The fuzzing system used was an extension of the AFL++ framework, enabling real-time monitoring of the host machine's memory access status and capturing abnormal memory behaviors caused by DMA-related operations during the test, including out-of-bounds access, abnormal address jumps, and cross-device memory interactions. During the experiment, the system started from an initial seed set and continuously expanded the test input space through mutation and execution feedback, gradually exploring potentially high-risk execution paths.
[0040] Regarding the selection of test objects, a systematic review of virtual devices involving DMA mechanisms in the QEMU source code was first conducted. By analyzing the call patterns of key interface functions such as dma_memory_read, dma_memory_write, pci_dma_read, and pci_dma_write, and through manual screening based on the data transfer paths of specific devices, a total of 109 DMA-related interfaces were ultimately identified as key test targets. Table 1 shows some of the newer and commonly used types of virtual devices. These interfaces are widely distributed across multiple categories, including network devices, block devices, USB devices, graphics / multimedia devices, and PCI peripherals, and can comprehensively reflect the typical behavioral characteristics of virtual devices during memory interaction.
[0041] Table 1. Statistics of Partial DMA Interfaces

| Equipment Name | Functional Classification | Update time |
| --- | --- | --- |
| npcm_gmac | net | 2024 |
| npcm7xx_emc | net | 2020 |
| igb_core | net | 2020 |
| allwinner-sun8i-emac | net | 2019 |
| tulip | net | 2019 |
| sungem | net | 2017 |
| sunhme | net | 2017 |
| ftgmac100 | net | 2016 |
| e1000e.core | net | 2015 |
| rocker | net | 2014 |
| imx_fec | net | 2013 |
| vmxnet3 | net | 2012 |
| dwc2 | USB | 2020 |
| ehci | USB | 2011 |
| xhci | USB | 2011 |
| via-ac97 | audio | 2022 |
| intel-hda | audio | 2010 |
| mptsas | scsi | 2016 |
| mptconfig | scsi | 2016 |

In actual testing, the fuzz testing system continuously explored the aforementioned DMA interfaces, guiding the testing process deeper into complex device interaction paths through dynamic awareness of the host machine's memory state. Experimental results show that this method can effectively reach critical execution paths involving memory access and detect multiple abnormal behaviors during testing. Among the covered test objects, a total of 9 crashes were captured in 5 virtual devices, indicating that the proposed method has strong practical effectiveness in memory-related defect detection.
[0042] Analysis of the obtained crashes reveals, as shown in Table 2, that the relevant anomalies mainly fall into the following typical categories: First, in the DMA write paths of some devices, there is a lack of effective verification of the target address, causing write operations to exceed the address space of other virtual devices, thus triggering cross-device illegal access anomalies; second, in the interrupt handling or state transition paths of some devices, when the system enters an abnormal state, critical pointers are accessed without sufficient initialization, ultimately leading to null pointer dereference problems; furthermore, in some configuration space access paths, due to the lack of robust verification of input parameters, illegal access requests can directly trigger assertions and cause abnormal program termination. These anomalies were consistently triggered during testing, indicating that the proposed method can effectively capture potential risk behaviors caused by abnormal inputs.
[0043] Table 2. Statistics on Crash Type Classification

| Related virtual devices | Crash type |
| --- | --- |
| NET FEC | DMA out-of-bounds write (2) |
| USB EHCI | DMA out-of-bounds write (2) |
| PCI PHB3 | Null pointer dereference |
| PCI PHB4 | Null pointer dereference |
| PCI PHB4 | ASSERT failed (2 instances) |
| INTC XIVE | ASSERT failed |

Further analysis during the experiment revealed that the introduction of a host memory state feedback mechanism significantly improved the fuzzing system's ability to detect abnormal behavior. Under the same test objects and initial conditions, the fuzzing method relying solely on the traditional coverage guidance mechanism failed to trigger any crashes after 24 hours of continuous operation. However, with the memory state feedback mechanism proposed in this invention, the system can perceive abnormal memory access behavior in real time during execution and guide the test input based on this feedback, gradually converging the test process towards potentially high-risk paths. Under this mechanism, previously undetected abnormal execution paths were successfully explored within 12 or 24 hours, stably triggering multiple crashes.
[0044] In summary, the experimental results demonstrate that the virtual machine fuzzing method based on host memory state feedback proposed in this invention can effectively detect abnormal behavior in complex memory interaction scenarios within the virtual machine manager, exhibiting strong vulnerability triggering and path exploration capabilities. This method can conduct in-depth testing of high-risk memory operation paths such as DMA, helping to uncover potential defects that are difficult to cover in traditional testing processes, thereby improving the security and stability of virtualization systems and possessing significant engineering application value.
Claims
1. A method for optimizing seed selection in coverage-guided fuzz testing, characterized in that:
obtaining data on changes in host machine memory state caused by the target program executing a seed;
based on the host machine memory state change data, calculating the amount of memory state change corresponding to the current seed, that is, the difference between the data before and after the change;
when the amount of memory state change is greater than zero, determining that the current seed causes a substantial modification to the host machine memory, and increasing the priority of the seed in subsequent fuzzing iterations.
2. A virtual machine fuzzing system based on host machine memory state feedback, characterized in that it includes:
The fuzz testing engine module is the core driving unit of the entire testing system. It guides the test loop based on AFL++ code coverage, including seed selection, mutation, and generation.
The virtual machine execution module, based on QEMU, provides a high-fidelity virtual device simulation environment, supports full functional simulation of mainstream virtual devices such as VirtIO, USB EHCI, and PCIe, and is used to load the target virtual device and execute the seed injected into its DMA interface.
The memory status acquisition module is used to collect data on changes in the host machine's memory status caused by the execution of the seed in real time. The data includes the number of dirty memory pages and / or the number of affected heap memory blocks.
The dual feedback guidance module connects the memory state acquisition module and the fuzz test engine module. It is used to calculate the change amount corresponding to the memory state change data, and when the change amount is greater than zero, it sends an instruction to the fuzz test engine module to place the generated current seed into the high priority set.
The vulnerability monitoring module is used to monitor the status of the virtual machine execution module and capture vulnerability information when an anomaly is detected.
3. A virtual machine fuzzing method based on host memory state feedback, implemented on the virtual machine fuzzing system based on host memory state feedback as described in claim 2, characterized in that it includes the following steps:
Step 1: Start the AFL++ fuzz testing engine and the QEMU virtual machine, initialize the host machine memory status monitoring, and generate test cases, also known as seeds; the initialization includes resetting the baseline state used to record memory modifications.
Step 2: The AFL++ fuzzing engine selects seeds from the seed queue based on code coverage information. The basic principle is to prioritize input samples that bring new coverage, that is, seeds that trigger new edge coverage or improve existing path coverage are added to the queue and participate in subsequent scheduling. During the seed selection and energy allocation phase, AFL++ comprehensively considers factors such as sample execution time, input size, path rarity, and historical fuzzing performance. Seeds that trigger new code execution paths are retained in the seed pool, and AFL++ gives the retained seeds more mutation opportunities, achieving a balance between testing overhead and exploration depth. Subsequently, the selected seeds undergo standard mutations, including havoc random mutation, splice fragment splicing mutation, and dictionary injection mutation, to generate new seeds.
Step 3: Input all seeds from Steps 1 to 2 into the DMA interface of the target virtual device in the QEMU virtual machine and execute them; during and after execution, collect real-time data on changes in host memory state caused by the seeds; the memory state change data includes the number of dirty memory pages written by the QEMU virtual machine and / or the number of affected heap memory blocks.
Step 4: Calculate the amount of memory state change corresponding to the current seed based on the memory state change data collected in Step 3; if the amount of memory state change is greater than zero, it is determined that the current seed has caused a substantial modification to the host machine memory, and the seed is retained in the high-priority seed set for priority scheduling in subsequent fuzzing loops.
Step 5: Update the seed queue based on the decision result of Step 4, and repeat Steps 2 to 4; monitor the running status of the QEMU virtual machine during test execution, and when a crash or anomaly is detected, record the seed that triggered the vulnerability and the related context information.
4. The method according to claim 3, characterized in that: In step 3, the number of dirty memory pages is collected by hooking the cpu_physical_memory_set_dirty_range function of the QEMU virtual machine or by utilizing its dirty page bitmap mechanism.
5. The method according to claim 3, characterized in that: In step 3, the number of affected heap memory blocks is counted using an AddressSanitizer (ASan) tool.
6. The method according to claim 3, characterized in that: In step 4, if the amount of memory state change is zero, then the fuzzing engine decides whether to retain the current seed based on the original decision rules of code coverage.
7. The method according to claim 3, characterized in that: In step 4, reserving the seed in the high-priority seed set specifically includes: adding an identifier to the seed and enabling the fuzzing engine to allocate higher mutation energy or a higher selection probability to the seed in subsequent seed scheduling.
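The steps of claim 3 together with the refinements in claims 4 to 7 can be read as one small scheduling loop. The following C example is added here and is not AFL++ or QEMU code: a page-granular dirty bitmap stands in for QEMU's dirty page tracking (its set_dirty_range mirrors the role of the cpu_physical_memory_set_dirty_range hook named in claim 4, but the signature is assumed, not QEMU's), a heap-block count supplied by the caller stands in for the ASan-derived count of claim 5, and decide() applies claims 1, 6 and 7: a positive change in memory state promotes the seed and assigns it extra mutation energy, while zero change defers to the coverage rule. The tracked page count, the energy values and the constructed seed runs are assumptions.

```c
/*
 * Added example (not AFL++ or QEMU code): a miniature host-memory-state
 * feedback loop. The dirty bitmap models QEMU's dirty page tracking, the
 * heap-block count models the ASan-derived figure, and decide() implements
 * the dual-feedback rule of claims 1, 6 and 7. Sizes and energies are assumed.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT   12u
#define N_PAGES      1024u                       /* 4 MiB of tracked guest RAM (assumption) */
#define BITMAP_WORDS ((N_PAGES + 63) / 64)

/* Host-side memory state snapshot taken before and after executing a seed. */
struct mem_state {
    uint64_t dirty_pages;   /* from the dirty bitmap (claim 4) */
    uint64_t heap_blocks;   /* affected heap blocks, ASan-derived in the real system (claim 5) */
};

static uint64_t dirty_bitmap[BITMAP_WORDS];

/* Reset the baseline used to record memory modifications (step 1 of claim 3). */
static void dirty_reset(void) { memset(dirty_bitmap, 0, sizeof dirty_bitmap); }

/* Marks every page overlapping [addr, addr+len) dirty. Plays the role of the
 * cpu_physical_memory_set_dirty_range hook; the signature here is assumed. */
static void set_dirty_range(uint64_t addr, uint64_t len)
{
    if (len == 0) return;
    uint64_t first = addr >> PAGE_SHIFT;
    uint64_t last  = (addr + len - 1) >> PAGE_SHIFT;
    for (uint64_t p = first; p <= last && p < N_PAGES; p++)
        dirty_bitmap[p / 64] |= (uint64_t)1 << (p % 64);
}

/* Popcount over the bitmap: the "number of dirty memory pages" signal. */
static uint64_t count_dirty_pages(void)
{
    uint64_t n = 0;
    for (size_t i = 0; i < BITMAP_WORDS; i++)
        n += (uint64_t)__builtin_popcountll(dirty_bitmap[i]);
    return n;
}

enum verdict { DROP = 0, KEEP_COVERAGE = 1, HIGH_PRIORITY = 2 };

struct seed_decision {
    enum verdict verdict;
    int64_t mem_delta;      /* (dirty_pages + heap_blocks) after minus before */
    unsigned energy;        /* mutation iterations granted (assumed scale) */
};

#define BASE_ENERGY  100u
#define BONUS_ENERGY 400u   /* extra energy for memory-modifying seeds (assumption) */

/* Dual-feedback decision: a positive memory delta promotes the seed regardless
 * of coverage (claims 1, 7); zero delta falls back to the coverage rule (claim 6). */
static struct seed_decision decide(const struct mem_state *before,
                                   const struct mem_state *after,
                                   bool new_coverage)
{
    struct seed_decision d;
    d.mem_delta = (int64_t)(after->dirty_pages + after->heap_blocks)
                - (int64_t)(before->dirty_pages + before->heap_blocks);
    if (d.mem_delta > 0) {
        d.verdict = HIGH_PRIORITY;
        d.energy  = BASE_ENERGY + BONUS_ENERGY;
    } else if (new_coverage) {
        d.verdict = KEEP_COVERAGE;
        d.energy  = BASE_ENERGY;
    } else {
        d.verdict = DROP;
        d.energy  = 0;
    }
    return d;
}

/* One seed execution: the seed's DMA writes are modelled as {addr, len} pairs.
 * Snapshots are taken before and after (steps 3 and 4 of claim 3). */
static struct seed_decision run_seed(const uint64_t (*writes)[2], size_t n_writes,
                                     uint64_t heap_blocks_touched, bool new_coverage)
{
    struct mem_state before, after;
    dirty_reset();
    before.dirty_pages = count_dirty_pages();
    before.heap_blocks = 0;
    for (size_t i = 0; i < n_writes; i++)
        set_dirty_range(writes[i][0], writes[i][1]);
    after.dirty_pages = count_dirty_pages();
    after.heap_blocks = heap_blocks_touched;
    return decide(&before, &after, new_coverage);
}

/* Constructed seed runs (assumptions): each entry is one {guest_addr, len} DMA write. */
static const uint64_t seed_a_writes[][2] = { { 0x1000, 0x2000 } };  /* covers pages 1-2 */
static const uint64_t seed_b_writes[][2] = { { 0x1FFF, 2 } };       /* straddles pages 1-2 */

int main(void)
{
    struct seed_decision d = run_seed(seed_a_writes, 1, 0, false);
    printf("seed A: delta=%lld verdict=%d energy=%u\n",
           (long long)d.mem_delta, (int)d.verdict, d.energy);
    return 0;
}
```

Seed A dirties two pages and is promoted even though it brings no new coverage, which is the behaviour that the page credits with reaching crashes the coverage-only run missed; a seed with a zero delta is kept only if it found new coverage, exactly as claim 6 states.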
8. The method according to claim 3, characterized in that: The DMA interface of the target virtual device is the DMA interface of a VirtIO device, a USB EHCI device, or a PCIe device.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the method as described in any one of claims 3 to 8.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the method as described in any one of claims 3 to 8.