A Survey of Operating System Kernel Fuzzing

TL;DR

This paper systematically reviews OS kernel fuzzing, highlighting unique challenges, summarizing 107 studies from 2017-2025, and proposing a new taxonomy and research directions to advance kernel security.

Contribution

It provides the first comprehensive analysis of kernel fuzzing, introduces a stage-based model and taxonomy, and identifies research gaps and future directions.

Findings

Summarized 107 academic studies on kernel fuzzing (2017-2025).

Proposed a stage-based fuzzing model and a taxonomy of kernel fuzzing functionalities.

Identified key challenges and future research directions in kernel security.

Abstract

The Operating System (OS) kernel is foundational in modern computing, especially with the proliferation of diverse computing devices. However, its development also comes with vulnerabilities that can lead to severe security breaches. Kernel fuzzing, a technique used to uncover these vulnerabilities, poses distinct challenges when compared to user-space fuzzing. These include the complexity of configuring the testing environment and addressing the statefulness inherent to both the kernel and the fuzzing process. Despite the significant interest from the community, a comprehensive understanding of kernel fuzzing remains lacking, hindering further progress in the field. In this paper, we present the first systematic study focused specifically on OS kernel fuzzing. We begin by outlining the unique challenges of kernel fuzzing, which distinguish it from those in user space. Following this, we summarize the progress of 107 academic studies from top-tier venues between 2017 and 2025. To structure this analysis, we introduce a stage-based fuzzing model and a novel fuzzing taxonomy that highlights nine core functionalities unique to kernel fuzzing. Each of these functionalities is examined in conjunction with the methodological approaches employed to address them. Finally, we identify remaining gaps in addressing challenges and outline promising directions to guide forthcoming research in kernel security.