SyzRetrospector: A Large-Scale Retrospective Study of Syzbot
Joseph Bursey, Ardalan Amiri Sani, Zhiyun Qian

TL;DR
This study introduces SyzRetrospector, a tool that analyzes the performance of Syzbot in finding Linux kernel bugs, revealing that bugs are often hidden for long periods and that current metrics are insufficient for evaluation.
Contribution
We developed SyzRetrospector to accurately measure bug discovery timelines and applied it to analyze 559 bugs, uncovering hidden delays and revealing factors affecting bug discovery.
Findings
Bugs stay hidden for an average of 331 days before Syzbot is even able to find them.
Commonly used metrics such as time-to-find and number of bugs found are inaccurate for evaluating Syzbot.
Bugs vary in revealability based on location and other factors.
Abstract
Over the past 6 years, Syzbot has fuzzed the Linux kernel day and night to report over 5570 bugs, of which 4604 have been patched [11]. While this is impressive, we have found the average time to find a bug is over 405 days. Moreover, we have found that current metrics commonly used, such as time-to-find and number of bugs found, are inaccurate in evaluating Syzbot since bugs often spend the majority of their lives hidden from the fuzzer. In this paper, we set out to better understand and quantify Syzbot's performance and improvement in finding bugs. Our tool, SyzRetrospector, takes a different approach to evaluating Syzbot by finding the earliest that Syzbot was capable of finding a bug, and why that bug was revealed. We use SyzRetrospector on a large scale to analyze 559 bugs and find that bugs are hidden for an average of 331.17 days before Syzbot is even able to find them. We…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software System Performance and Reliability · Network Security and Intrusion Detection
