Implement a snapshot fuzzing device
Summary: Add a new emulated device for rapid guest-initiated snapshot/restore functionality for fuzzing.
Fuzz testing runs a program with random inputs to find bugs that lead to crashes or other program failures. Fuzz testing is a popular technique for finding security bugs.
Many recent fuzzing projects rely on snapshot/restore functionality [1,2,3,4,5]. For example, tests and fuzzers that target large targets, such as OS kernels and browsers, benefit from full-VM snapshots where solutions such as manual state cleanup and fork servers are insufficient. Many of the existing solutions are based on QEMU; however, there is currently no upstream solution. Furthermore, hypervisors such as Xen have already incorporated support for snapshot fuzzing. In this project, you will implement a virtual device for snapshot fuzzing, following a spec agreed upon by the community. The device will implement standard fuzzing APIs that allow fuzzing with engines such as libFuzzer and AFL++. The simple APIs exposed by the device will allow fuzzer developers to build custom harnesses in the VM to request snapshots, memory/device/register restores, request new inputs, and report coverage.
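As an added illustration (not code from this page or from the QEMU project), the following C model shows the guest-side harness loop that the four device operations are meant to support: take a snapshot once, then for every input run the target, report coverage and restore. The device interface here is hypothetical: the real register layout will follow the community spec, so the operations are modelled as plain functions over an in-process "device" struct, and the target service and the corpus are constructed for the example. Running the loop with restore disabled shows the state leak across iterations that full-VM snapshot/restore is intended to eliminate.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical in-process stand-in for the snapshot-fuzzing device. A real
 * guest harness would drive the emulated device through MMIO/port I/O; the
 * register layout is not fixed yet, so the same four operations (snapshot,
 * restore, next input, report coverage) are modelled as C functions.
 */
struct fuzz_dev {
    uint8_t *state;        /* guest memory region the device snapshots      */
    size_t state_len;
    uint8_t *snapshot;     /* copy taken by fuzz_dev_snapshot()             */
    const char **corpus;   /* constructed inputs handed out one at a time   */
    size_t corpus_n, corpus_pos;
    uint64_t coverage;     /* bitmap of edge ids reported by the target     */
};

static void fuzz_dev_snapshot(struct fuzz_dev *d)
{
    free(d->snapshot);
    d->snapshot = malloc(d->state_len);
    memcpy(d->snapshot, d->state, d->state_len);
}

static void fuzz_dev_restore(struct fuzz_dev *d)
{
    memcpy(d->state, d->snapshot, d->state_len);
}

/* Copies the next input into buf; returns 0 once the corpus is exhausted. */
static int fuzz_dev_next_input(struct fuzz_dev *d, uint8_t *buf, size_t max, size_t *len)
{
    if (d->corpus_pos >= d->corpus_n)
        return 0;
    const char *in = d->corpus[d->corpus_pos++];
    size_t n = strlen(in);
    if (n > max)
        n = max;
    memcpy(buf, in, n);
    *len = n;
    return 1;
}

static void fuzz_dev_report_coverage(struct fuzz_dev *d, unsigned edge)
{
    d->coverage |= (uint64_t)1 << (edge % 64);
}

/* Toy stateful target standing in for a guest service under test (constructed). */
struct target_state {
    uint32_t requests;
    char last_key[16];
};
static struct target_state g_target;

static void target_handle(struct fuzz_dev *d, const uint8_t *in, size_t len)
{
    g_target.requests++;
    fuzz_dev_report_coverage(d, 0);                 /* edge 0: entry         */
    if (len > 0 && in[0] == 'K') {
        fuzz_dev_report_coverage(d, 1);             /* edge 1: key command   */
        size_t n = len - 1;
        if (n > sizeof g_target.last_key - 1)
            n = sizeof g_target.last_key - 1;
        memcpy(g_target.last_key, in + 1, n);
        g_target.last_key[n] = '\0';
    } else {
        fuzz_dev_report_coverage(d, 2);             /* edge 2: other command */
    }
}

struct demo_result {
    int iterations;          /* inputs consumed                               */
    int clean_starts;        /* iterations that began from the snapshot state */
    uint64_t coverage;       /* edge bitmap reported to the device            */
    uint32_t requests_after; /* g_target.requests once the run is finished    */
};

/*
 * Guest-side harness loop: snapshot once, then for every input run the target,
 * report coverage and (if use_restore) roll the state back. With restore
 * disabled the target's state leaks from one iteration into the next.
 */
static struct demo_result demo_run(int use_restore)
{
    static const char *corpus[] = { "Kalpha", "Kbeta", "hello", "x" }; /* constructed */
    struct fuzz_dev d = {
        .state = (uint8_t *)&g_target, .state_len = sizeof g_target,
        .corpus = corpus, .corpus_n = sizeof corpus / sizeof corpus[0],
    };
    struct demo_result r = {0};
    uint8_t buf[64];
    size_t len;

    memset(&g_target, 0, sizeof g_target);
    fuzz_dev_snapshot(&d);
    while (fuzz_dev_next_input(&d, buf, sizeof buf, &len)) {
        r.iterations++;
        if (memcmp(d.state, d.snapshot, d.state_len) == 0)
            r.clean_starts++;
        target_handle(&d, buf, len);
        if (use_restore)
            fuzz_dev_restore(&d);
    }
    r.coverage = d.coverage;
    r.requests_after = g_target.requests;
    free(d.snapshot);
    return r;
}

int main(void)
{
    struct demo_result with = demo_run(1), without = demo_run(0);
    printf("restore:    %d/%d clean starts, coverage 0x%" PRIx64 ", requests left %u\n",
           with.clean_starts, with.iterations, with.coverage, with.requests_after);
    printf("no restore: %d/%d clean starts, coverage 0x%" PRIx64 ", requests left %u\n",
           without.clean_starts, without.iterations, without.coverage, without.requests_after);
    return 0;
}
```

The coverage bitmap is identical in both runs, but only the restoring harness starts every iteration from the snapshot; without restore the request counter and last key carry over, which is exactly the cross-input contamination that manual cleanup and fork servers cannot reliably remove for kernel- or browser-sized targets.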
Project goals include:
- Adding a new emulated device for snapshot fuzzing into QEMU.
- Writing documentation and final editing of the hardware interface specification so fuzzer developers can learn how to take advantage of the device from inside a guest.
- Project size: 350 hours
- Difficulty: intermediate
- Required skills: C programming
- Desirable skills: previous experience with fuzzing and/or device driver development
- Topic/Skill Areas: Fuzzing, OS/Systems/Drivers
- Mentor: Alexander Bulekov <firstname.lastname@example.org> (a1xndr on IRC)