hyper-cube - ndss symposium
TRANSCRIPT
![Page 1: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/1.jpg)
Hyper-Cube
High-Dimensional Hypervisor FuzzingSergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and Thorsten Holz
Chair for Systems Security Ruhr-Universität Bochum
![Page 2: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/2.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 3: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/3.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 4: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/4.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 5: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/5.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 6: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/6.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 7: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/7.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 8: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/8.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 9: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/9.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 10: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/10.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 11: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/11.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 12: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/12.jpg)
VM 1 VM 2
Hypervisor
Motivation
MaliciousGuest(Privileged;RunninginRing-0)
LocalVMDoS(CrashorDeadlock)
VirtualMachineDoS(CrashorDeadlock)
VirtualMachineEscape(OtherGuest)
HostDoS(KernelPanicorDeadlock)
VirtualMachineEscape(Host)
![Page 13: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/13.jpg)
Challenge
Fuzzer of your Choice Target SoftwareUser Space FuzzingHypervisor Fuzzing
![Page 14: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/14.jpg)
Challenge
Fuzzer of your Choice
Target SoftwareUser Space FuzzingHypervisor Fuzzing
![Page 15: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/15.jpg)
Challenge
Fuzzer of your Choice Target Software
User Space FuzzingHypervisor Fuzzing
![Page 16: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/16.jpg)
Challenge
Fuzzer of your Choice Target Software
User Space FuzzingHypervisor Fuzzing
![Page 17: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/17.jpg)
Challenge
Fuzzer of your Choice Target Software
User Space Fuzzing
Hypervisor Fuzzing
![Page 18: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/18.jpg)
Challenge
Fuzzer of your Choice Target SoftwareUser Space Fuzzing
Hypervisor Fuzzing
![Page 19: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/19.jpg)
Attack Surface
![Page 20: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/20.jpg)
Hypervisor Attack Surface
Guest Hypervisor
Code...
mov cr4, 0xAF...
HypervisorCore
Privileged Instructions
① Emulation Request
② Return to Guest
Trap and Emulate
VM Exit
• Memory-Mapped I/O (MMIO)
• Legacy Port I/O (PIO)
• Direct Memory Access (DMA)
• Hypercalls
• ...
![Page 21: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/21.jpg)
Hypervisor Attack Surface
Guest Hypervisor
Code...
mov cr4, 0xAF...
HypervisorCore
Privileged Instructions
① Emulation Request
② Return to Guest
Trap and Emulate
VM Exit
• Memory-Mapped I/O (MMIO)
• Legacy Port I/O (PIO)
• Direct Memory Access (DMA)
• Hypercalls
• ...
![Page 22: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/22.jpg)
Hypervisor Attack Surface
Guest Hypervisor
Code...
mov cr4, 0xAF...
HypervisorCore
Privileged Instructions
① Emulation Request
② Return to Guest
Trap and Emulate
VM Exit
• Memory-Mapped I/O (MMIO)
• Legacy Port I/O (PIO)
• Direct Memory Access (DMA)
• Hypercalls
• ...
![Page 23: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/23.jpg)
Hypervisor Attack Surface
Guest Hypervisor
Code...
mov cr4, 0xAF...
HypervisorCore
Privileged Instructions
① Emulation Request
② Return to Guest
Trap and Emulate
VM Exit
• Memory-Mapped I/O (MMIO)
• Legacy Port I/O (PIO)
• Direct Memory Access (DMA)
• Hypercalls
• ...
![Page 24: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/24.jpg)
Implementation
![Page 25: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/25.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VMHyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 26: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/26.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VMHyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 27: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/27.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VM
Hyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 28: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/28.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VMHyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 29: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/29.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VMHyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 30: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/30.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VMHyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 31: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/31.jpg)
Design Goals
• Blackbox Fuzzing with High Througput
• High-Dimensional in Terms of
➤ Interfaces
➤ Operations
• x86 Hypervisor Agnostic
Our Approach
Hypervisor
VMHyper-CubeOS
InterfaceEnumeration
PCI Devices
ISA Devices
HPET
PIC
APIC
Chipset
MSR
Hypercalls
TesseractInterpreter
![Page 32: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/32.jpg)
Tesseract Handlers
write_mmio
read_mmio
vmportxor_mmiobruteforce_mmio
memset_mmio
writes_mmio
reads_mmio
mmio_write_scratch_ptr
write_io
read_io xor_io
bruteforce_io
memset_io
writes_ioreads_io
io_write_scratch_ptr
write_msr
kvm_hypercall
![Page 33: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/33.jpg)
Tesseract Interpreter
2fff 1c27 ab47 5700 adf2 3d60 092f 5488 ec2d 9d1a 029d 56fd e0d1 a275 1f56 1d28 ea78 a2fa db07 d60d 1288 3a5a 91f9 1756 1cae 31ad 9b9c 938e 2a33 f597 6615 e267 0117 1f16 b440 8a86 9154 5b55 e4ca 9e3d 9d19 ae79 efac e500 8cdf 8c00 9a83 df76 91fe d779 026c 2e2b 9137 1ef8 eea3 d29c 1789 5938 a36f 718a 81e4 678c 20f5 fa0b 774d 07f1 cee3 62bc d845 bc86 7631 6eac
0120:0128:0130:0138:0140:0148:0150:0158:0160:0168:0170:0178:0180:0188:0190:0198:01a0:01a8:
...
...
PRNG Stream
Robust Interpretation
vmport(0xbd4,0x10ea)memset_io(0x426,0xce0,0x9dc,0xca8)
writes_mmio(0xec8,0xad,0x10ac,0x7e9)
bruteforce_mmio(0xce4,0xdfa,0xe31,0x322)
writes_io(0x4bb,0xb8,0xeb1,0x401)
memset_mmio(0x128,0xa73,0x2b3,0xa84) read_mmio(0xbf3,0x907)
bruteforce_io(0x5c4,0x49a,0x94f,0xb1c)
xor_mmio(0x54b,0xa00,0xb51)
Opcode Handler
![Page 34: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/34.jpg)
Tesseract Interpreter
2fff 1c27 ab47 5700 adf2 3d60 092f 5488 ec2d 9d1a 029d 56fd e0d1 a275 1f56 1d28 ea78 a2fa db07 d60d 1288 3a5a 91f9 1756 1cae 31ad 9b9c 938e 2a33 f597 6615 e267 0117 1f16 b440 8a86 9154 5b55 e4ca 9e3d 9d19 ae79 efac e500 8cdf 8c00 9a83 df76 91fe d779 026c 2e2b 9137 1ef8 eea3 d29c 1789 5938 a36f 718a 81e4 678c 20f5 fa0b 774d 07f1 cee3 62bc d845 bc86 7631 6eac
0120:0128:0130:0138:0140:0148:0150:0158:0160:0168:0170:0178:0180:0188:0190:0198:01a0:01a8:
...
...
PRNG Stream
Robust Interpretation
vmport(0xbd4,0x10ea)memset_io(0x426,0xce0,0x9dc,0xca8)
writes_mmio(0xec8,0xad,0x10ac,0x7e9)
bruteforce_mmio(0xce4,0xdfa,0xe31,0x322)
writes_io(0x4bb,0xb8,0xeb1,0x401)
memset_mmio(0x128,0xa73,0x2b3,0xa84) read_mmio(0xbf3,0x907)
bruteforce_io(0x5c4,0x49a,0x94f,0xb1c)
xor_mmio(0x54b,0xa00,0xb51)
Opcode Handler
![Page 35: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/35.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 36: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/36.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 37: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/37.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 38: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/38.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 39: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/39.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 40: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/40.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 41: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/41.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 42: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/42.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 43: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/43.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 44: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/44.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 45: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/45.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 46: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/46.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 47: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/47.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 48: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/48.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 49: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/49.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 50: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/50.jpg)
Evaluation
Tested Hypervisors
KVM/QEMU
Intel ACRN
VMware Fusion
Parallels Desktop (14.1.3)
FreeBSD bhyve
VirtualBox
(12.0-RELEASE)
(5.1.37_Ubuntu r122592)
(4.0.1-rc4)
(29360 Build)
(11.0.3)
Results
Assert Failures 25
Null-Pointer Dereferences 13
Memory-Corruptions 8
Div-By-Zero (FP Exceptions) 5
Deadlocks 4
55Bugs
Case Study: bhyve
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071FreeBSD Kernel Denial of Service via Privileged Guest
CVE Rediscovery
CVE-2015-3456VENOM Vulnerability
TCG Mode: 5.8 sec
(average time in seconds over 20 runs each )
KVM Mode: 49.7 sec
Hyper-Cube vs. VDF
VDF: Targeted Evolutionary Fuzz Testing of Virtual DevicesRAID 2017: Research in Attacks, Intrusions, and Defenses
• AFL-based Fuzzing Approach
• Fuzzing of Specific Device Emulators
Fuzzing 15 Device Emulators (QEMU-2.5.0)
Hyper-Cube vs. VDF
VDF
HYPERCUBE
13/15 More Coverage
2/15 More Coverage
9/15 Crashed
4/15 Crashed
10 Minutes Each
≈ 60 Days Each
![Page 51: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/51.jpg)
Conclusion
Conclusion
• Outperforms Coverage-Guided Fuzzers
• Full-System Fuzzing
• Novel Technique to Fuzz Hypervisors
![Page 52: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/52.jpg)
Conclusion
Conclusion
• Outperforms Coverage-Guided Fuzzers
• Full-System Fuzzing
• Novel Technique to Fuzz Hypervisors
![Page 53: Hyper-Cube - NDSS Symposium](https://reader034.vdocuments.us/reader034/viewer/2022042408/625e63a5fa354108112fd17e/html5/thumbnails/53.jpg)
Thank You!
Q & A