1. Introduction
1.1. Prerequisites
1.2. The goals of this course
1.3. Motivation
1.4. How we achieve the goals
1.5. What you learn
1.6. Our fuzzer design
1.7. Our hypervisor design
1.8. What this class is NOT
1.9. Demo: our hypervisor fuzzer
1.10. Why hypervisor for fuzzing
1.11. UEFI applications
1.12. Rust🦀
1.13. Classification of hypervisors
1.14. Hypervisor vs host, VM vs guest
1.15. Types of hypervisors
2. Hypervisor setup and operation cycle
2.1. Hypervisor setup and operation cycle
2.2. (1) Enable: System software enables HW VT and becomes a hypervisor
2.3. (2) Set up: The hypervisor creates and sets up a "context structure" representing a guest
2.4. (3) Switch to: The hypervisor asks the processor to load the context structure into hardware registers and start running in guest-mode
2.5. (4) Return from: The processor switches back to host-mode on certain events in guest-mode
2.6. (5) Handle: The hypervisor typically emulates the event and does (3) again, repeating the cycle
2.7. Our goals and exercises in this chapter
2.8. Testing with Bochs
2.9. Exercise preparation: Building and running the hypervisor, and navigating code
2.10. Exercise preparation: Code annotations and solutions
2.11. E#1: Enabling VMX/SVM
2.12. E#2: Setting up the VMCS/VMCB
2.13. E#3: Configuring guest state in the VMCS/VMCB
2.14. Deeper look into guest-mode transition
2.15. Causes of VM exits
2.16. Another hypervisor design: Deprivileging the current execution context
3. Memory virtualization
3.1. Memory virtualization
3.2. Terminology
3.3. x64 traditional paging
3.4. Nested paging
3.5. Relation to the hypervisor
3.6. Nested page fault
3.7. Nested paging structure entries
3.8. 10,000-foot view comparison of traditional and nested paging
3.9. Our goals and exercises in this chapter
3.10. E#4: Enabling nested paging
3.11. E#5: Building nested paging structures and GPA -> PA translation
3.12. E#6: Implementing copy-on-write and a fast memory revert mechanism
3.13. Advanced topics
4. VM introspection for fuzzing
4.1. Problem 1: Unnecessary code execution
4.2. Introduction to patching
4.3. Our design
4.4. Demo: end marker
4.5. Exception interception
4.6. Exception handling
4.7. Our goals and exercises in this chapter
4.8. E#7: Enabling #UD exception interception
4.9. Problem 2: Cannot tell the efficacy of the corpus and mutation
4.10. Basic-block coverage tracking through patches
4.11. Demo: coverage tracking
4.12. E#8: Enabling #BP interception and coverage tracking
4.13. Catching possible bugs
5. Conclusion
5.1. Wrap up🎉
5.2. What's next
5.3. Resources
5.4. Thank you!
Hypervisor 101 in Rust
Advanced topics
Cache management (i.e., TLB invalidation)
Memory types and virtualizing them
Advanced features: MBEC/GMET, HLAT, DMA protection
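The first advanced topic, TLB invalidation, matters as soon as the hypervisor rewrites nested paging entries at runtime, which the copy-on-write and fast memory revert exercise (E#6) does on every fuzzing iteration: the processor caches GPA -> PA translations, so a changed entry is not seen by the guest until the cached translation is invalidated (INVEPT on Intel, a TLB flush / ASID change on AMD). The following is an added example, not code from the course or its hypervisor: a software model of a 4-level nested paging structure with a GPA -> PA walk, plus a toy TLB that shows the stale translation problem. The entry bit layout (bit 0 present, bit 1 writable) and the use of a table's index as its "physical frame number" are simplifying assumptions made for this model.

```rust
// Added example: software model of a 4-level nested paging structure
// (EPT/NPT-like) and a translation cache, to show why changed entries must
// be invalidated. Not the course's code; bit layout is an assumption.
use std::collections::HashMap;

const PAGE_SHIFT: u32 = 12;
const ENTRY_PRESENT: u64 = 1 << 0; // assumed "present/readable" bit
const ENTRY_WRITE: u64 = 1 << 1; // assumed "writable" bit
const ADDR_MASK: u64 = 0x000f_ffff_ffff_f000; // bits 12..51 hold a frame address
const PAGE_OFFSET_MASK: u64 = 0xfff;

/// 4-level paging structure. Each table is 512 8-byte entries; a table's
/// index in `tables` stands in for the physical frame number it lives at.
struct NestedPaging {
    tables: Vec<[u64; 512]>,
    root: usize,
}

impl NestedPaging {
    fn new() -> Self {
        Self { tables: vec![[0u64; 512]], root: 0 }
    }

    fn alloc_table(&mut self) -> usize {
        self.tables.push([0u64; 512]);
        self.tables.len() - 1
    }

    /// Index into the table at `level` (3 = PML4-equivalent ... 0 = PT).
    fn index(gpa: u64, level: u32) -> usize {
        ((gpa >> (PAGE_SHIFT + 9 * level)) & 0x1ff) as usize
    }

    /// Map one 4 KiB guest page to a host physical frame, allocating
    /// intermediate tables on demand. Remapping overwrites the leaf entry.
    fn map(&mut self, gpa: u64, pa: u64, writable: bool) {
        let mut table = self.root;
        for level in (1..4).rev() {
            let idx = Self::index(gpa, level);
            let entry = self.tables[table][idx];
            table = if entry & ENTRY_PRESENT == 0 {
                let next = self.alloc_table();
                self.tables[table][idx] =
                    ((next as u64) << PAGE_SHIFT) | ENTRY_PRESENT | ENTRY_WRITE;
                next
            } else {
                ((entry & ADDR_MASK) >> PAGE_SHIFT) as usize
            };
        }
        let mut flags = ENTRY_PRESENT;
        if writable {
            flags |= ENTRY_WRITE;
        }
        self.tables[table][Self::index(gpa, 0)] = (pa & ADDR_MASK) | flags;
    }

    /// Walk the structure for `gpa`. `None` models a nested page fault
    /// (#VMEXIT / EPT violation) on a non-present entry.
    fn translate(&self, gpa: u64) -> Option<(u64, bool)> {
        let mut table = self.root;
        for level in (1..4).rev() {
            let entry = self.tables[table][Self::index(gpa, level)];
            if entry & ENTRY_PRESENT == 0 {
                return None;
            }
            table = ((entry & ADDR_MASK) >> PAGE_SHIFT) as usize;
        }
        let leaf = self.tables[table][Self::index(gpa, 0)];
        if leaf & ENTRY_PRESENT == 0 {
            return None;
        }
        Some(((leaf & ADDR_MASK) | (gpa & PAGE_OFFSET_MASK), leaf & ENTRY_WRITE != 0))
    }
}

/// Toy translation cache keyed by guest page number, like the hardware TLB
/// that caches the result of a nested walk.
struct Tlb {
    cache: HashMap<u64, (u64, bool)>,
}

impl Tlb {
    fn lookup(&mut self, np: &NestedPaging, gpa: u64) -> Option<(u64, bool)> {
        let gpn = gpa >> PAGE_SHIFT;
        if let Some(&(frame, w)) = self.cache.get(&gpn) {
            return Some(((frame << PAGE_SHIFT) | (gpa & PAGE_OFFSET_MASK), w));
        }
        let (pa, w) = np.translate(gpa)?;
        self.cache.insert(gpn, (pa >> PAGE_SHIFT, w));
        Some((pa, w))
    }

    /// Models a full invalidation (INVEPT / TLB flush) after the hypervisor
    /// edits the nested paging structure.
    fn invalidate_all(&mut self) {
        self.cache.clear();
    }
}

/// Remap a guest page (as a memory revert would) and observe the cached
/// translation before and after invalidation. Returns (before, stale, after).
fn demo_revert_needs_invalidation() -> (Option<(u64, bool)>, Option<(u64, bool)>, Option<(u64, bool)>) {
    let mut np = NestedPaging::new();
    let mut tlb = Tlb { cache: HashMap::new() };
    np.map(0x1000, 0x5000, true); // constructed mapping: GPA 0x1000 -> PA 0x5000, RW
    let before = tlb.lookup(&np, 0x1010);
    np.map(0x1000, 0x9000, false); // revert: point the page at a clean, read-only frame
    let stale = tlb.lookup(&np, 0x1010); // still the old frame: the cache was not flushed
    tlb.invalidate_all();
    let after = tlb.lookup(&np, 0x1010);
    (before, stale, after)
}

fn main() {
    let (before, stale, after) = demo_revert_needs_invalidation();
    println!("before: {:x?}\nstale: {:x?}\nafter: {:x?}", before, stale, after);
}
```

The `stale` result is the bug class this topic is about: the hypervisor has already rewritten the leaf entry, but the guest keeps reading and writing the old frame through the cached translation until the hypervisor invalidates it. In a fuzzer with per-iteration memory revert, a missing invalidation lets state leak from one input into the next.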