Towards Large Language Model Guided Kernel Direct Fuzzing

Xie Li, Zhaoyue Yuan, Zhenduo Zhang, Youcheng Sun, Lijun Zhang

TL;DR

Direct kernel fuzzing faces challenges from OS complexity and frequent kernel updates. The authors propose SyzAgent, an LLM-guided extension to Syzkaller, enabling real-time guidance for test-case generation, mutation, and triage via static analysis, call-graph-based targeting, and feedback prompts. The system introduces Pre-Processor, Static Analyzer, Address Extractor, and LLM-Interface to build a call-graph-informed seed set and adapt fuzzing policy, achieving about 67% improvement across 27 target functions in preliminary experiments and showing the ability to break the standard coverage plateau. While promising, the work is early and highlights future directions, including more advanced static analyses, richer relational graphs, and tighter integration with argument mutation to improve system-call generation validity and kernel coverage.

Abstract

Direct kernel fuzzing is a targeted approach that focuses on specific areas of the kernel, effectively addressing the challenges of frequent updates and the inherent complexity of operating systems, which are critical infrastructure. This paper introduces SyzAgent, a framework that integrates LLMs with the state-of-the-art kernel fuzzer Syzkaller, where the LLMs are used to guide the mutation and generation of test cases in real-time. We present preliminary results demonstrating that this method is effective on around 67% of the cases in our benchmark during the experiment.
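The TL;DR above describes call-graph-based targeting: a static call graph is used to work out which system calls can reach a chosen target function so that generation can be biased toward them. The following Python is an added illustration of that idea and is not SyzAgent's code; the call graph is constructed for the example (the edge set is hypothetical and not taken from a real kernel build), and only the target name sk_set_bit comes from the paper's Figure 2. It walks the graph backwards from the target, reports every syscall entry point that reaches it with the shortest call path, and ranks those syscalls by depth so a direct fuzzer can prioritise seeds.

```python
"""Call-graph-informed seed selection for direct kernel fuzzing (added example).

Given a static caller -> callees map and a target kernel function, find the
system-call entry points that can reach the target and rank them by call
depth. A direct fuzzer can then favour programs built from those syscalls.
"""
from collections import deque

# Constructed call graph for illustration only; these are NOT real kernel edges.
CALL_GRAPH = {
    "sys_socket":     ["sock_create", "sock_map_fd"],
    "sys_setsockopt": ["sock_setsockopt", "sk_setsockopt"],
    "sys_bind":       ["inet_bind"],
    "sys_sendmsg":    ["sock_sendmsg"],
    "sys_read":       ["vfs_read"],
    "sock_create":    ["inet_create"],
    "inet_create":    ["sk_alloc", "sk_set_bit"],
    "sk_setsockopt":  ["sk_set_bit", "sk_clear_bit"],
    "inet_bind":      ["inet_csk_get_port"],
    "sock_sendmsg":   ["inet_sendmsg"],
    "inet_sendmsg":   ["tcp_sendmsg"],
    "tcp_sendmsg":    ["sk_set_bit"],
    "vfs_read":       [],
}


def reverse_graph(graph):
    """Build callee -> callers map; every function becomes a key even if unreferenced."""
    rev = {}
    for caller, callees in graph.items():
        rev.setdefault(caller, [])
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev


def syscalls_reaching(graph, target, is_entry=lambda f: f.startswith("sys_")):
    """Backward BFS from target.

    Returns {syscall: (depth, path)} where path runs from the syscall entry point
    down to the target along a shortest chain of calls. Unknown targets give {}.
    """
    rev = reverse_graph(graph)
    if target not in rev:
        return {}
    dist = {target: 0}      # function -> number of call edges down to target
    parent = {}             # function -> next function on the way to target
    queue = deque([target])
    while queue:
        func = queue.popleft()
        for caller in rev.get(func, []):
            if caller not in dist:         # first discovery is a shortest path in BFS
                dist[caller] = dist[func] + 1
                parent[caller] = func
                queue.append(caller)
    result = {}
    for func, depth in dist.items():
        if is_entry(func):
            path = [func]
            while path[-1] != target:
                path.append(parent[path[-1]])
            result[func] = (depth, path)
    return result


def seed_priority(graph, target):
    """Syscalls that reach target, closest first (ties broken by name)."""
    reach = syscalls_reaching(graph, target)
    return sorted(reach, key=lambda s: (reach[s][0], s))


def program_distance(graph, target, program):
    """Score a syscall program (list of syscall names) by the minimum call depth
    to target over its syscalls; None means no syscall in it reaches the target."""
    reach = syscalls_reaching(graph, target)
    depths = [reach[s][0] for s in program if s in reach]
    return min(depths) if depths else None


if __name__ == "__main__":
    target = "sk_set_bit"
    for sc in seed_priority(CALL_GRAPH, target):
        depth, path = syscalls_reaching(CALL_GRAPH, target)[sc]
        print(f"{sc}: depth {depth}, path {' -> '.join(path)}")
    print("unrelated program:", program_distance(CALL_GRAPH, target, ["sys_read", "sys_bind"]))
```

On this constructed graph the ranking is sys_setsockopt, sys_socket, sys_sendmsg, and programs built only from sys_read or sys_bind score None, which is the signal a targeted fuzzer would use to deprioritise them. Real call graphs contain indirect calls through function pointers that a simple static edge set misses, so a practitioner should treat a missing entry point as "not proven reachable" rather than "unreachable".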

Paper Structure

This paper contains 17 sections, 1 equation, 2 figures, 2 tables.

Figures (2)

  • Figure 1: SyzAgent extends the existing Syzkaller by applying LLM in fuzzing kernels.
  • Figure 2: Coverage-Execution graph for target function sk_set_bit within 2h (red line for Syzkaller and blue line for SyzAgent)