HyperMirage: Direct State Manipulation in Hybrid Virtual CPU Fuzzing

Manuel Andreas

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Systems Security

Hypervisors form the cornerstone of cloud security, and while fuzzing has proven effective at finding bugs in device virtualization interfaces, the **virtual CPU (vCPU) component** -- typically implemented in kernel space and thus more security-critical -- has received far less attention. This talk introduces **HyperMirage**, a hybrid fuzzing approach that uses **direct state manipulation** to make a hypervisor handle VM exits that never actually occurred, combined with a novel **bare-metal symbolic execution** runtime built on **SIMCC**. The result is a fuzzer that achieves nearly **100x throughput improvement** over prior art, covers the **majority of VM exit handlers** (not just a manually-selected subset), and discovered **11 new bugs** in Xen and KVM, including **4 CVEs** with security-critical impact.

AI review

A hypervisor fuzzing framework that removes the fundamental bottleneck in virtual CPU security testing: the manual effort required to craft a valid VM state for each exit reason. Direct state manipulation makes the hypervisor handle artificial VM exits with arbitrary state, achieving nearly 100x throughput over prior art, covering the majority of VM exit handlers rather than a hand-picked subset, and finding 11 new bugs (4 of them CVEs) in battle-tested Xen and KVM. The bare-metal SIMCC runtime for symbolic execution is a reusable contribution in its own right. One CVE was only discoverable by violating known architectural constraints, i.e. by injecting a state that a real guest could never produce.
