1. State Key Laboratory for Novel Software Technology, Nanjing, Jiangsu 210023, China
2. School of Computer Science, Nanjing University, Nanjing, Jiangsu 210023, China
3. Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing, Jiangsu 210023, China
Received: 06 February 2026
Accepted: 30 March 2026
Published: 25 April 2026
ZHANG Yi, WANG Yu, WANG Linzhang. Fuzz Testing of the Linux Kernel Integrating Dependency Inference and Weight Optimization[J]. Acta Electronica Sinica, 2026, 54(04): 1629-1650. DOI: 10.12263/DZXB.20251150
In ubiquitous operating systems for human-machine-object integrated scenarios, the stability and security of the kernel form the foundation for supporting diversified applications and heterogeneous resource integration. As one of the most representative operating system kernels today, the Linux kernel is prone to defects due to its large scale and complex logic. Because the kernel runs at the highest privilege level, any exploited vulnerability could seriously threaten system security and application reliability in ubiquitous computing environments. Fuzzing, the most mainstream method for discovering kernel vulnerabilities, typically uses sequences of system calls as test case inputs. These test cases can be randomly generated or derived by mutating existing sequences. However, random combinations not only easily lead to state space explosion but also result in low testing efficiency and limited vulnerability discovery capability. Although existing studies have attempted to improve the effectiveness of test cases, issues remain in system call dependency analysis, including incomplete information, coarse granularity, low utilization, and high overhead, which in turn limit the effectiveness of fuzzing. To enhance the effectiveness of kernel fuzzing, this paper introduces a testing framework that fuses dependency inference with weight optimization. The core idea of this approach is to conduct static analysis on the Linux kernel source code to identify the resources accessed by each system call and characterize their access patterns. Based on this information, potential dependency relationships among system calls are inferred, and a corresponding dependency graph is constructed. The fuzzing process is then guided by this graph to generate more effective test cases. In addition, feedback collected during runtime is used to continuously update the weights of the graph's edges, enabling the dependency graph to increasingly reflect accurate call relationships and thereby further improving the overall fuzzing performance. Based on this method, a prototype tool named SDKernelFuzzing was implemented, and experiments were conducted on four different versions of the Linux kernel. Compared with Moonshine, the proposed approach can generate system-call dependency information that is both more comprehensive and richer in content, while incurring only minimal additional overhead, thereby enabling the construction of a more complete dependency graph. In addition, relative to Syzkaller and other state-of-the-art techniques, our method demonstrates significant advantages in both code coverage and bug-finding capability. Under identical experimental conditions, the average code coverage achieved by our method exceeds the best baseline by 7.69%, and the average number of detected bugs increases by 15.77%. Ablation results show that the different construction strategies for the system-call dependency graph each have a significant impact on fuzzing performance.