Industrial Vision Systems and Defect Detection Open access

Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types

Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and 1 more

CISPA Helmholtz Center | Jun 23, 2026 | 33 citations

Abstract

A hypervisor (also known as virtual machine monitor, VMM) enforces the security boundaries between different virtual machines (VMs) running on the same physical machine. A malicious user who is able to run her own kernel on a cloud VM can interact with a large variety of attack surfaces. Exploiting a software fault in any of these surfaces leads to full access to all other VMs that are co-located on the same host. Hence, the efficient detection of hypervisor vulnerabilities is crucial for the security of the modern cloud infrastructure. Recent work showed that blind fuzzing is the most efficient approach to identify security issues in hypervisors, mainly due to an outstandingly high test throughput. In this paper we present the design and implementation of NYX, a highly optimized, coverage-guided hypervisor fuzzer. We show how a fast snapshot restoration mechanism that allows us to reload the system under test thousands of times per second is key to performance. Furthermore, we introduce a novel mutation engine based on custom bytecode programs, encoded as directed acyclic graphs (DAG), and affine types, that enables the required flexibility to express complex interactions. Our evaluation shows that, while NYX has a lower throughput than the state-of-the-art hypervisor fuzzer, it performs competitively on simple targets: NYX typically requires only a few minutes longer to achieve the same test coverage. On complex devices, however, our approach is able to significantly outperform existing works. Moreover, we are able to uncover substantially more bugs: in total, we uncovered 44 new bugs with 22 CVEs requested. Our results demonstrate that coverage guidance is highly valuable, even if a blind fuzzer can be significantly faster.

Authors

Researchers on this paper

Sergej Schumilo

first | Ruhr University Bochum

Cornelius Aschermann

middle | Ruhr University Bochum

Ali Abbasi

middle | Helmholtz Center for Information Security | ORCID 0000-0003-4220-6560

Simon Wörner

middle | Helmholtz Center for Information Security | ORCID 0009-0006-8480-8016

Thorsten Holz

last | Helmholtz Center for Information Security | ORCID 0000-0002-2783-1264

Citation

BibTeX

@article{Schumilo2026Greybox,
  title = {Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types},
  author = {Sergej Schumilo and Cornelius Aschermann and Ali Abbasi and Simon Wörner and Thorsten Holz},
  journal = {CISPA Helmholtz Center},
  year = {2026},
  doi = {10.60882/cispa.32772093},
  url = {https://doi.org/10.60882/cispa.32772093}
}
