A kafl-based fuzzer for the kernel components of Hyper-V.
The fuzzer is designed to find vulnerabilities in the Hyper-V host components (ultimately finding a VM escape).
Nested virtualization: a physical Ubuntu machine (L0) running a QEMU Windows "host" VM (L1), which in turn runs a Hyper-V Windows "guest" VM (L2).
- kafl (runs on L0)
  - generating inputs.
  - transferring inputs to L1.
  - collecting L1 kernel code coverage.
- Agent (C) <TODO: add name> (runs on L1)
  - receiving inputs from L0.
  - transferring inputs to L2.
- HyperVPatcher (C driver, runs on L1)
  - patching the L1 kernel to clear background noise.
- PSAgent (PowerShell, runs on L2)
  - receiving inputs from L1.
  - sending IOCTLs to HyperVAgent.
- HyperVAgent (C driver, runs on L2)
  - receiving IOCTLs from PSAgent.
  - triggering code in the L1 kernel (e.g. via VMBus or port I/O).
The fuzzer can be adapted to target the Hyper-V components of the guest machine, possibly leading to privilege escalation on Hyper-V VMs.
Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.
This repository is licensed under the Apache-2.0 License - see LICENSE for more details.
For more comments, suggestions, or questions, you can contact Or Ben Porath (@OrBenPorath) and CyberArk Labs (@CyberArkLabs).