
Fuzzing/reverse engineering virtual machines

I'm a beginner/intermediate at reverse engineering and I'm trying to make the leap to expert. I want to do a project on virtual machines, specifically escaping them, and was wondering if fuzzing could be applied to them, such as fuzzing the networking and I/O devices inside the VM and then evaluating the results. Would this be a valid way of finding vulnerabilities in VMs?

Also, how would I go about debugging a VM and hypervisor?

I'm hopefully looking for references and good pointers.


Excellent, just what I was looking for, thanks. Another question would be how to debug things like vbox and qemu: would this be done in the virtual machine or on the host, or are there tools provided? That is the only part I'm not sure about.


You need to read the following paper:

Tavis Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, 2007.

That paper describes how Tavis Ormandy fuzz-tested a variety of virtual machines and reports on his results. He found a number of serious security vulnerabilities. Basically, he did everything it sounds like you want to do -- so you should start by reading it to see what he did and what you can learn from it.


Such as fuzzing the networking and I/O devices inside the VM, then evaluating the results. Would this be a valid way of finding vulnerabilities in VMs?

Sure, why not? Just find some component with a big domain of inputs and fuzz away. Be sure to attack something that actually requires a physical device, such as disk, video, networking, etc., because those are guaranteed to be implemented by the VM on the host in some stupid language like C or C++.

There are a bunch of papers/slides from Black Hat/DEF CON conferences on this topic. I can't remember any in particular, though; see for yourself.


As an added step to Longpoke's and D.W.'s answers, perhaps you'd want to take a look at tools like kemufuzzer. It provides a gdb backend to interact with VMware's built-in debugger, which you can also extend.

This is a relatively less mature field in information security, so you may end up having to implement most of your toolbox, though in most cases you can get by with extending already existing tools.
