FastSyzkaller: Improving Fuzz Efficiency for Linux Kernel Fuzzing

Linux is one of the most widely used operating systems, with a very large user base worldwide. To ensure its stability and reliability, fuzzing is an effective method for triggering crashes hidden in the Linux kernel. In this paper, we apply an N-Gram model to extract vulnerable program behaviours and uncover vulnerable patterns that guide the test case generation phase of traditional fuzzing, so as to improve fuzzing efficiency from the Linux system call perspective. The experiment is built on Syzkaller, Google's well-known open-source fuzzer that targets the Linux kernel as well as other OS kernels. Syzkaller is an unsupervised coverage-guided kernel fuzzer composed of a manager, a fuzzer and an executor. This paper proposes FastSyzkaller, which combines Syzkaller with an N-Gram model in its fuzzer component to optimize test case generation and thereby improve fuzzing efficiency. In 4 weeks, FastSyzkaller exposes 29 different crash types, whereas Syzkaller exposes only 12. FastSyzkaller also produces crashes 3x faster than Syzkaller, and finds 3x more unique crashes.
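The N-Gram guidance described in the abstract, as an added illustration that is not part of the paper or of Syzkaller: it builds a trigram model over constructed system-call sequences recorded from crash-triggering programs (hypothetical data), extracts the frequent "vulnerable patterns", and uses the model both to extend a syscall prefix into a new test case and to rank candidate programs. The corpus, the function names and the most-frequent-continuation rule are assumptions, not the paper's exact method.

```python
from collections import Counter, defaultdict

# Constructed sample corpus: system-call sequences of programs that a
# fuzzer recorded as crash-triggering (hypothetical data, not from the paper).
CRASH_PROGRAMS = [
    ["socket", "setsockopt", "bind", "listen", "accept", "close"],
    ["socket", "setsockopt", "bind", "sendmsg", "close"],
    ["open", "ioctl", "mmap", "munmap", "close"],
    ["socket", "setsockopt", "bind", "listen", "accept", "shutdown"],
    ["open", "ioctl", "mmap", "write", "close"],
]

def ngrams(seq, n):
    """Return the length-n windows of a system-call sequence as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def extract_patterns(programs, n=3, min_count=2):
    """Count n-grams across crash-triggering programs; keep the frequent ones.

    The surviving n-grams are the 'vulnerable patterns' used for guidance."""
    counts = Counter()
    for prog in programs:
        counts.update(ngrams(prog, n))
    return {g: c for g, c in counts.items() if c >= min_count}

def build_model(programs, n=3):
    """Map each (n-1)-syscall context to a Counter of the syscalls that followed it."""
    model = defaultdict(Counter)
    for prog in programs:
        for g in ngrams(prog, n):
            model[g[:-1]][g[-1]] += 1
    return model

def generate(model, prefix, length, n=3):
    """Extend a syscall prefix, choosing the most frequent next call per context.

    Generation stops early when the current context was never observed."""
    seq = list(prefix)
    while len(seq) < length:
        ctx = tuple(seq[-(n - 1):])
        if ctx not in model:
            break
        seq.append(model[ctx].most_common(1)[0][0])
    return seq

def score(seq, patterns, n=3):
    """Rank a candidate program by the total weight of vulnerable n-grams it contains."""
    return sum(patterns.get(g, 0) for g in ngrams(seq, n))
```

In a real pipeline the corpus would be the syscall programs Syzkaller stores for each crash, and `score` would be used to prioritise generated programs before execution.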
