How Kernel Fuzzing Uncovers Hidden OS Vulnerabilities: Techniques & Tools

Preface

Fuzz testing (Fuzz Testing), also known as random or collision testing, originated in the 1990s by Professor Barton Miller at the University of Wisconsin. It automatically generates random, abnormal, and boundary-case inputs to repeatedly execute a program, aiming to trigger exceptions and uncover hidden vulnerabilities.

Fundamental Concepts

Typical fuzzing tools consist of three designs: dynamic execution feedback for guiding seed selection, seed selection strategies, and seed mutation strategies. Using AFL as an example, feedback relies on edge coverage, seed selection employs genetic algorithms, and mutation includes bit/byte flips, boundary value replacement, and insertion/deletion. Linux fork’s copy‑on‑write accelerates iteration.

Kernel Fuzzing Techniques

Applying fuzzing to kernels is attractive due to large code bases and high analysis cost. The overall steps resemble traditional fuzzing—monitoring, input generation, and selection—but each step must be tailored to kernel specifics.

Input Generation and Mutation

Kernel inputs differ from user‑space programs; they may involve system calls, ioctl commands, or file system images. Tools such as Syzkaller generate system‑call sequences, DIFUZE analyzes driver interfaces to craft ioctl commands, JANUS mutates file‑system images, and KRACE focuses on concurrent system‑call sequences to expose data races.

Execution Monitoring

Coverage feedback is obtained via kcov or sanitizer tools (KASAN, KUBASAN, KMemLeak). For closed‑source kernels, approaches include QEMU‑mode AFL, TriforceAFL, and hardware‑assisted tracing such as Intel PT used by kAFL to produce AFL bitmap feedback.

Execution Iteration

Kernel fuzzing requires repeated execution in a virtual environment (QEMU, KVM). Syzkaller compiles an instrumented kernel, boots it in a VM, and interacts via syz‑manager to drive test iterations.

Summary

Kernel fuzzing builds on classic AFL ideas but requires specialized designs for input generation, feedback, and iteration. Researchers have created diverse tools—Syzkaller, kAFL, UnicornFuzz, JANUS, KRACE, and others—to target specific kernel components and vulnerability classes, improving efficiency and coverage.

References

https://mp.weixin.qq.com/s/E5uiBKX_7I85W6Rc8rceiQ

https://mp.weixin.qq.com/s/vkoGnElvC8RMDpuj-AdbfA

https://mp.weixin.qq.com/s/HZ1BFtGwvf9A0pP-d5_LMw

https://mp.weixin.qq.com/s/icCFCvFOOgquvw96GjXSKw

Corina, Jake, et al. “Difuze: Interface aware fuzzing for kernel drivers.” 2017 ACM SIGSAC.

Xu, Wen, et al. “Fuzzing file systems via two‑dimensional input space exploration.” 2019 IEEE S&P.

Xu, Meng, et al. “Krace: Data race fuzzing for kernel file systems.” 2020 IEEE S&P.

Chen, Weiteng, et al. “Syzgen: Automated generation of syscall specification of closed‑source macOS drivers.” 2021 ACM CCS.

Choi, Jaeseung, et al. “NTFuzz: Enabling type‑aware kernel fuzzing on Windows with static binary analysis.” 2021 IEEE S&P.

Pandey, Pallavi, et al. “Triforce QNX Syscall Fuzzer.” 2019 IEEE ISSREW.

Schumilo, Sergej, et al. “kAFL: Hardware‑Assisted feedback fuzzing for OS kernels.” USENIX Security 2017.

Cui, Baojiang, et al. “ADDFuzzer: A New Fuzzing Framework of Android Device Drivers.” 2015 BWCCA.

Maier, D., Radtke, B., Harren, B. “Unicorefuzz: On the viability of emulation for kernel‑space fuzzing.” 2019.