Some interesting papers & projects
VDF is a targeted evolutionary fuzzing framework for discovering bugs within the software-based virtual devices implemented as part of a hypervisor, which selectively instruments the code of a given virtual device, and performs record and replay of memory-mapped I/O (MMIO) activity specific to the virtual device.
Hyper-Cube is a fuzzer that aims explicitly at testing hypervisors in an efficient, effective, and precise way, which is based on a custom operating system that implements a custom bytecode interpreter.
NYX is a highly optimized, coverage-guided hypervisor fuzzer, whose fast snapshot restoration mechanism, which can reload the system under test thousands of times per second, is key to its performance. NYX's mutation engine is based on custom bytecode programs, encoded as directed acyclic graphs (DAGs), and affine types, which provide the flexibility required to express complex interactions.
V-Shuttle is a hypervisor fuzzing framework targeting virtual devices, whose DMA redirection mechanism and fuzzing mutation scheduling mechanism make fuzzing scalable and semantics-aware.
Morphuzz is a generic approach that leverages insights about hypervisor design combined with coverage-guided fuzzing to find bugs in virtual device implementations.
Mundofuzz develops a statistical differential coverage measurement method to capture clean coverage information for hypervisor inputs, and learns the input grammar by inspecting the coverage characteristics of the given hypervisor inputs.
HyperFuzzer develops a hybrid fuzzer for the virtual CPU, based on Hyper-V. HyperFuzzer leverages Intel PT to record the control flow of the hypervisor, and introduces a novel technique called Nimble Symbolic Execution, which relies only on the control-flow trace and the fuzzing input to perform symbolic execution. HyperFuzzer also uses unrelated-constraint elimination and bit-wise symbolic variables to achieve high efficiency.