Thunderkaller: Profiling and Improving the Performance of Syzkaller


Research area: Strategies



Venue: ASE '23: Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering


Abstract

Fuzzing is widely adopted to discover vulnerabilities in software, including the kernel. One of the most popular and state-of-the-art kernel fuzzers is Syzkaller. However, Syzkaller has a much lower testing throughput than user-space fuzzers, which limits the efficiency of both Syzkaller itself and the fuzzers built on top of it. In this paper, we profile the performance of Syzkaller, identify program isolation and kernel instrumentation as the major sources of overhead, and propose kernel image duplication together with three optimization techniques to mitigate them; the resulting solution is Thunderkaller. Our solution neither changes nor depends on the fuzzing algorithm in any way, and is therefore orthogonal to other refinements of Syzkaller. Our evaluation shows that, in 24 hours, Thunderkaller is 2.8× faster than vanilla Syzkaller, achieves 25.8% more basic-block coverage, detects 21 more unique bugs, and triggers the bugs found by both fuzzers 6.3× faster. Over a longer fuzzing campaign, we found 6 unique Linux kernel bugs and obtained a CVE.


Authors

Yang Lan, Institute for Network Sciences and Cyberspace & BNRist, Tsinghua University, China

Di Jin, Brown University, Providence, USA

Zhun Wang, Institute for Network Sciences and Cyberspace & BNRist, Tsinghua University, China

Paper information

Publication year: 2024
Author countries: China, United States
Site: ACM