2025-12-12

VMIGEN: Utilizing Virtual Machine Introspection for Fuzzing Complex Closed-Source Targets

Abstract

Modern fuzzing is a highly successful testing method, but it still struggles with stateful software that expects complex, context-rich inputs. Instead of further tuning the fuzzing process itself, we introduce VMIGEN, a new approach that captures interactions by implicitly recording both complex inputs and the corresponding system states needed for effective testing. By using Virtual Machine Introspection (VMI), a technique for observing the state and behavior of a VM from the outside, we can monitor actual runtime events for a given system. This way, we can extract concrete inputs and snapshot the whole system at relevant interactions to preserve the full system state, thereby enabling effective fuzzing. At the same time, our approach does not require access to source code, allowing us to test closed-source software on Windows. To demonstrate VMIGEN's effectiveness, we use it to test kernel drivers, including those of anti-virus engines, and Remote Procedure Call (RPC) interfaces. Our comprehensive evaluation shows that our VMI-based method enables an existing fuzzer to achieve up to 6.6x more code coverage. In total, VMIGEN allowed us to discover 33 previously unknown bugs, which we disclosed in a coordinated way to the affected vendors.

Conference paper

2025 IEEE Annual Computer Security Applications Conference (ACSAC)

Publication date

2025-12-12

Last modified

2026-06-25