Empirical Notes on the Interaction Between Continuous Kernel Fuzzing and Development
Jukka Ruohonen, Kalle Rindell

TL;DR
This paper examines the practical aspects of continuous kernel fuzzing across four open source kernels, reporting which bug types syzkaller/syzbot finds, how long fixes take, and how often the fixes for fuzzing-induced bugs went through code review or additional testing.
Contribution
It provides empirical data on bug resolution times, bug types, and the share of fixes that went through code review in continuous kernel fuzzing, highlighting differences between the Linux and BSD kernels.
Findings
Over 800 unresolved crashes reported by syzkaller/syzbot.
The BSD kernels resolve fuzzing-induced bugs more rapidly than Linux.
Assertions and debug checks, use-after-frees, and general protection faults account for the majority of Linux kernel bug types.
Abstract
Fuzzing has been studied and applied ever since the 1990s. Automated and continuous fuzzing has recently also been applied to open source software projects, including the Linux and BSD kernels. This paper concentrates on the practical aspects of continuous kernel fuzzing in four open source kernels. According to the results, there are over 800 unresolved crashes reported for the four kernels by the syzkaller/syzbot framework. Many of these were reported a relatively long time ago. Interestingly, fuzzing-induced bugs have been resolved more rapidly in the BSD kernels. Furthermore, assertions and debug checks, use-after-frees, and general protection faults account for the majority of bug types in the Linux kernel. About 23% of the fixed bugs in the Linux kernel have either gone through code review or additional testing. Finally, only code churn provides a weak statistical signal for…
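The bug types and resolution times the abstract reports come from classifying syzbot crash titles and dating their fixes. The following is an added example, not code from the paper or from syzkaller, that shows one way to do that: a heuristic classifier keyed on the title prefixes syzbot emits (KASAN, WARNING, kernel BUG, general protection fault, and so on), run over a small constructed set of dashboard-style records. The crash records, the kernel labels, and the category mapping are all assumptions made for this example, not the paper's dataset or its exact coding scheme.

```python
"""Heuristic bug-type classification of syzbot-style crash titles plus
per-kernel resolution statistics. Added example; the records below are
constructed and the category mapping is this example's own heuristic."""
import re
from collections import Counter
from datetime import date
from statistics import median

# Ordered (category, pattern) rules; the first match wins. The patterns
# follow the title prefixes syzbot uses for Linux sanitizer and debug-check
# reports; the "panic:" rule is for the BSD-style titles used below.
_RULES = [
    ("use-after-free",           re.compile(r"use-after-free")),
    ("general protection fault", re.compile(r"^general protection fault")),
    ("assertion/debug check",    re.compile(r"^(WARNING|kernel BUG|UBSAN|KMSAN)")),
    ("out-of-bounds",            re.compile(r"out-of-bounds")),
    ("hang/lockup",              re.compile(r"^(INFO: task hung|BUG: soft lockup|INFO: rcu detected stall)")),
    ("memory leak",              re.compile(r"^memory leak")),
    ("kernel panic",             re.compile(r"^panic:")),
]

# Constructed records in the shape of a syzbot dashboard row:
# (title, kernel, reported date, fix date or None while still open).
CRASHES = [
    ("KASAN: use-after-free Read in tcp_close",          "linux",   date(2019, 1, 10), date(2019, 1, 25)),
    ("general protection fault in sk_free",              "linux",   date(2019, 2, 1),  None),
    ("WARNING in usb_submit_urb",                        "linux",   date(2019, 2, 14), date(2019, 5, 2)),
    ("kernel BUG at mm/slub.c:LINE!",                    "linux",   date(2019, 3, 3),  None),
    ("KASAN: slab-out-of-bounds Write in hci_event",     "linux",   date(2019, 3, 20), date(2019, 4, 1)),
    ("INFO: task hung in vfs_read",                      "linux",   date(2019, 4, 5),  None),
    ("panic: assertion failed in sorecvfrom",            "freebsd", date(2019, 1, 12), date(2019, 1, 15)),
    ("panic: kernel diagnostic assertion in uvm_fault",  "openbsd", date(2019, 2, 20), date(2019, 2, 24)),
    ("panic: pool_do_get: free list modified",           "netbsd",  date(2019, 3, 1),  date(2019, 3, 10)),
]

BSD = {"freebsd", "netbsd", "openbsd"}


def classify(title):
    """Map a crash title to a coarse bug type; unmatched titles are 'other'."""
    for category, pattern in _RULES:
        if pattern.search(title):
            return category
    return "other"


def type_counts(crashes, kernel):
    """Bug-type histogram for one kernel."""
    return Counter(classify(t) for t, k, _, _ in crashes if k == kernel)


def dominant_share(crashes, kernel, categories):
    """Fraction of a kernel's crashes falling into the given categories."""
    counts = type_counts(crashes, kernel)
    total = sum(counts.values())
    return sum(counts[c] for c in categories) / total if total else 0.0


def unresolved(crashes):
    """Titles of crashes that have no fix date yet."""
    return [t for t, _, _, fixed in crashes if fixed is None]


def median_days_to_fix(crashes, kernels):
    """Median report-to-fix time over the given kernel set; None if no fixes."""
    days = [(fixed - reported).days for _, k, reported, fixed in crashes
            if k in kernels and fixed is not None]
    return median(days) if days else None


if __name__ == "__main__":
    print("linux bug types:", dict(type_counts(CRASHES, "linux")))
    print("unresolved:", unresolved(CRASHES))
    print("median days to fix, linux:", median_days_to_fix(CRASHES, {"linux"}))
    print("median days to fix, bsd:  ", median_days_to_fix(CRASHES, BSD))
```

Real syzbot titles are normalised (addresses and line numbers replaced by placeholders such as `LINE`), so prefix matching is stable across reports of the same bug; unmatched titles land in "other" rather than being forced into a category, which is the edge case a coding scheme has to keep visible.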
