Zezhong Ren (University of Chinese Academy of Sciences; EPFL), Han Zheng (EPFL), Zhiyao Feng (EPFL), Qinying Wang (EPFL), Marcel Busch (EPFL), Yuqing Zhang (University of Chinese Academy of Sciences), Chao Zhang (Tsinghua University), Mathias Payer (EPFL)
Kernel fuzzing effectively uncovers vulnerabilities. While existing kernel fuzzers primarily focus on maximizing code coverage, coverage alone does not guarantee thorough exploration. Moreover, existing fuzzers, aimed at maximizing coverage, have plateaued. This pressing situation highlights the need for a new direction: code frequency-oriented kernel fuzzing. However, increasing the exploration of low-frequency kernel code faces two key challenges: (1) Resource constraints make it hard to schedule sufficient tasks for low-frequency regions without causing task explosion. (2) Random mutations often break context dependencies of syscalls targeting low-frequency regions, reducing the effectiveness of fuzzing.
In our paper, we first perform a fine-grained study of imbalanced code coverage by evaluating Syzkaller in the Linux kernel and, as a response, propose SYSYPHUZZ, a kernel fuzzer designed to boost exploration of under-tested code regions. SYSYPHUZZ introduces Selective Task Scheduling to dynamically prioritize and manage exploration tasks, avoiding task explosion. It also employs Context-Preserving Mutation strategy to reduce the risk of disrupting important execution contexts. We evaluate SYSYPHUZZ against the state-of-the-art (SOTA) kernel fuzzers, Syzkaller and SyzGPT. Our results show that SYSYPHUZZ significantly reduces the number of under-explored code regions and discovers 31 unique bugs missed by Syzkaller and 27 bugs missed by SyzGPT. Moreover, SYSYPHUZZ finds five bugs missed by Syzbot, which continuously runs on hundreds of virtual machines, demonstrating SYSYPHUZZ’s effectiveness. To evaluate SYSYPHUZZ’s enhancement to SOTA fuzzers, we integrate it with SyzGPT, yielding SyzGPTsysy, which finds 33% more exclusive bugs, highlighting SYSYPHUZZ’ potential. All discovered vulnerabilities have been responsibly disclosed to the Linux maintainers. We release the source code of SYSYPHUZZ at https://github.com/HexHive/Sysyphuzz and are trying to upstream it to Syzkaller.