Empirical Notes on the Interaction Between Continuous Kernel Fuzzing and Development
This study provides empirical insights into fuzzing effectiveness for developers and maintainers of open source kernels, though it is incremental in nature.
The paper analyzed continuous kernel fuzzing in four open source kernels, finding over 800 unresolved crashes and noting that bugs were resolved more rapidly in BSD kernels, with 23% of fixed Linux kernel bugs undergoing code review or additional testing.
Fuzzing has been studied and applied ever since the 1990s. Automated and continuous fuzzing has recently been applied also to open source software projects, including the Linux and BSD kernels. This paper concentrates on the practical aspects of continuous kernel fuzzing in four open source kernels. According to the results, there are over 800 unresolved crashes reported for the four kernels by the syzkaller/syzbot framework. Many of these have been reported relatively long ago. Interestingly, fuzzing-induced bugs have been resolved in the BSD kernels more rapidly. Furthermore, assertions and debug checks, use-after-frees, and general protection faults account for the majority of bug types in the Linux kernel. About 23% of the fixed bugs in the Linux kernel have either went through code review or additional testing. Finally, only code churn provides a weak statistical signal for explaining the associated bug fixing times in the Linux kernel.