
SyzParam: Introducing Runtime Parameters into Kernel Driver Fuzzing

Yue Sun, Yan Kang, Chenggang Wu, Kangjie Lu, Jiming Wang, Xingwei Li, Yuhao Hu, Jikai Ren, Yuanming Lai, Mengyao Xie, Zhe Wang

TL;DR

SyzParam addresses the underexplored impact of runtime parameters on Linux kernel driver execution by introducing a two-stage framework that first derives valid parameter values and device-driver relations from static analysis and sysfs, then fuses these insights into the fuzzing loop via pseudo-syscalls and a parameter-aware mutation strategy. It identifies and extracts 1,243 device attributes and 694 kernel module parameters, builds a device relation tree, and links parameter files to drivers to guide targeted mutations. Empirically, SyzParam achieves up to a 32.57% average gain in edge coverage over Syzkaller on eight drivers, and discovers 30 new bugs, with 14 fixed upstream and 9 CVEs assigned, demonstrating complementary gains to existing fuzzing approaches. The work highlights the practical security impact of runtime parameter-aware fuzzing and lays groundwork for more precise, reproducible kernel testing by leveraging device topology and timing of parameter modifications.

Abstract

This paper introduces a novel fuzzing framework, SyzParam, which incorporates runtime parameters into the fuzzing process. Achieving this objective requires addressing several key challenges, including valid value extraction, inter-device relation construction, and fuzz engine integration. By inspecting the data structures and functions associated with the LKDM, our tool can extract runtime parameters across various drivers through static analysis. Additionally, SyzParam collects inter-device relations and identifies associations between runtime parameters and drivers. Furthermore, SyzParam proposes a novel mutation strategy, which leverages these relations and prioritizes parameter modification during related driver execution. Our evaluation demonstrates that SyzParam outperforms existing fuzzing works in driver code coverage and bug-detection capabilities. To date, we have identified 30 unique bugs in the latest upstream kernels, with 20 confirmed and 14 patched into the mainline kernel, including 9 CVEs.
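The abstract describes three inputs SyzParam needs: the writable runtime parameters (device attributes and module parameters), the parent/child relations between devices, and the driver each parameter file belongs to. The following is an added illustration, not SyzParam's own code: it collects that inventory from the sysfs side by walking a directory laid out like /sys, treating an attribute as a runtime parameter only if its mode carries a write bit, recording each bound device's parent and driver, and listing writable module parameters. The tree it walks is a constructed stand-in built in a temporary directory (names such as demo.0, demo_drv and the demo module are invented for the example); SyzParam itself derives these facts mainly through static analysis of the driver source rather than from a live sysfs.

```python
import os
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH  # 0o222

def _is_runtime_param(path: Path) -> bool:
    # Only attribute files whose mode has a write bit can be changed at runtime;
    # read-only attributes cannot steer the driver's control flow from user space.
    return path.is_file() and not path.is_symlink() and bool(path.stat().st_mode & WRITE_BITS)

def collect_runtime_params(sysfs: Path) -> dict:
    """Walk a sysfs-like tree: bound devices (parent, driver, writable attributes)
    and writable module parameters, keyed the way a mutator could look them up."""
    dev_root = sysfs / "devices"
    devices = {}
    for dirpath, _dirs, files in os.walk(dev_root):
        d = Path(dirpath)
        if not (d / "driver").is_symlink():
            continue                      # unbound device: no driver code behind it
        parent = d.parent
        devices[str(d.relative_to(dev_root))] = {
            "parent": None if parent == dev_root else str(parent.relative_to(dev_root)),
            "driver": os.readlink(d / "driver").rstrip("/").rsplit("/", 1)[-1],
            "attrs": sorted(f for f in files if _is_runtime_param(d / f)),
        }
    modules = {}
    for pdir in (sysfs / "module").glob("*/parameters"):
        modules[pdir.parent.name] = sorted(p.name for p in pdir.iterdir() if _is_runtime_param(p))
    return {"devices": devices, "modules": modules}

def build_demo_sysfs() -> Path:
    """Constructed stand-in for /sys (not a real system): controller 'demo.0' with
    child 'demo-port.1', both bound to 'demo_drv', plus a module 'demo' that
    exposes one writable (0644) and one read-only (0444) parameter."""
    root = Path(tempfile.mkdtemp(prefix="fake_sysfs_"))
    ctrl = root / "devices" / "platform" / "demo.0"
    port = ctrl / "demo-port.1"
    drv = root / "bus" / "platform" / "drivers" / "demo_drv"
    params = root / "module" / "demo" / "parameters"
    for p in (port, drv, params):
        p.mkdir(parents=True)
    os.symlink(drv, ctrl / "driver")
    os.symlink(drv, port / "driver")
    for path, mode, content in [
        (ctrl / "enable", 0o644, "1\n"),            # writable device attribute
        (port / "rate", 0o644, "100\n"),            # writable device attribute
        (port / "status", 0o444, "idle\n"),         # read-only: not a runtime parameter
        (params / "debug", 0o644, "0\n"),           # like module_param(..., 0644)
        (params / "vendor_id", 0o444, "0x1234\n"),  # like module_param(..., 0444)
    ]:
        path.write_text(content)
        path.chmod(mode)
    return root
```

Pointing `collect_runtime_params` at a real `/sys` gives the same inventory for a running machine, which is also a quick way to review which driver knobs are exposed to user space at all.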

Paper Structure (32 sections, 9 figures, 6 tables, 1 algorithm)

Figures (9)

  • Figure 1: The workflow of Syzkaller. The mutator in syz-manager is responsible for generating and mutating test cases, while syz-executor is responsible for executing syscalls and collecting coverage feedback.
  • Figure 2: An example of syzlang provided by Syzkaller. Syzlangs are declarative descriptions of syscall interfaces to manipulate programs, which will be used to generate, mutate, execute, minimize, serialize, and deserialize programs.
  • Figure 3: An illustration of how runtime parameters affect kernel driver execution through sysfs. The red blocks represent the runtime parameters, and the orange blocks represent the device driver. Both user space and hardware can trigger code execution through blue arrows, and runtime parameters will influence the control flow through red arrows.
  • Figure 4: An example of a runtime parameter and how it influences the driver execution.
  • Figure 5: PoC and call stacks related to CVE-2021-47375. The upper half is the proof-of-concept to trigger the bug, while the lower half depicts the root cause of it.