TY - GEN
T1 - Optimizing Input Minimization in Kernel Fuzzing
AU - Guo, Hui
AU - Sun, Hao
AU - Huang, Shan
AU - Su, Ting
AU - Pu, Geguang
AU - Li, Shaohua
N1 - Publisher Copyright:
© 2025 by The USENIX Association. All rights reserved.
PY - 2025
Y1 - 2025
N2 - Ensuring the reliability and security of an operating system (OS) kernel is a critical and challenging task. To this end, coverage-guided kernel fuzzing has been employed as an effective technique for finding kernel bugs. Specifically, in kernel fuzzing, input minimization is one critical stage to provide short, coverage-preserving seeds for improving the efficacy of fuzzing. However, we observe that the cost of the minimization - taking over half of the fuzzing resources - significantly limits the potential of kernel fuzzing. To the best of our knowledge, no prior work explores and mitigates the preceding problem in kernel fuzzing. To this end, we introduce and design two general and novel optimization strategies - influence-guided call removal and type-informed argument simplification - for reducing the minimization cost. The key idea of these two strategies is to reduce the number of dynamic program executions needed for verifying whether the new coverage achieved by the inputs is always preserved. We optimized the input minimization stage by our strategies in Syzkaller, the most popular and representative kernel fuzzer, resulting in a prototype named SyzMini. Our evaluation shows that SyzMini can significantly reduce the minimization cost by 60.7%. Moreover, SyzMini improves branch coverage by 12.5%, and finds 1.7~2X more unique bugs. On the latest upstream kernel version, SyzMini has found 13 previously unknown bugs, all of which have been confirmed and four have already been fixed. Our optimization strategies also show the general applicability for improving the effectiveness of other kernel fuzzers. We have made our implementation of SyzMini publicly available at [1].
AB - Ensuring the reliability and security of an operating system (OS) kernel is a critical and challenging task. To this end, coverage-guided kernel fuzzing has been employed as an effective technique for finding kernel bugs. Specifically, in kernel fuzzing, input minimization is one critical stage to provide short, coverage-preserving seeds for improving the efficacy of fuzzing. However, we observe that the cost of the minimization - taking over half of the fuzzing resources - significantly limits the potential of kernel fuzzing. To the best of our knowledge, no prior work explores and mitigates the preceding problem in kernel fuzzing. To this end, we introduce and design two general and novel optimization strategies - influence-guided call removal and type-informed argument simplification - for reducing the minimization cost. The key idea of these two strategies is to reduce the number of dynamic program executions needed for verifying whether the new coverage achieved by the inputs is always preserved. We optimized the input minimization stage by our strategies in Syzkaller, the most popular and representative kernel fuzzer, resulting in a prototype named SyzMini. Our evaluation shows that SyzMini can significantly reduce the minimization cost by 60.7%. Moreover, SyzMini improves branch coverage by 12.5%, and finds 1.7~2X more unique bugs. On the latest upstream kernel version, SyzMini has found 13 previously unknown bugs, all of which have been confirmed and four have already been fixed. Our optimization strategies also show the general applicability for improving the effectiveness of other kernel fuzzers. We have made our implementation of SyzMini publicly available at [1].
UR - https://www.scopus.com/pages/publications/105011600304
M3 - Conference paper
AN - SCOPUS:105011600304
T3 - Proceedings of the 2025 USENIX Annual Technical Conference, ATC 2025
SP - 1451
EP - 1465
BT - Proceedings of the 2025 USENIX Annual Technical Conference, ATC 2025
PB - USENIX Association
T2 - 2025 USENIX Annual Technical Conference, ATC 2025
Y2 - 7 July 2025 through 9 July 2025
ER -