SyzLego: Enhancing Kernel Directed Greybox Fuzzing via Dependency Inference and Scheduling

The security of the kernel is crucial for the operating system (OS) and all user applications. Directed greybox fuzzing (DGF) is an efficient method for testing specific target sites in programs. Unlike conventional user-space application fuzzing, kernel directed fuzzing requires generating the correct sequence of syscalls and fulfilling their arguments appropriately in order to test the target site. However, the current neglect of implicit dependencies between syscalls makes fuzzing inefficient. In addition, the task scheduling, not suitable for DGF in the kernel, hinders the speed of reaching the target site. To address these challenges, we present SyzLego, a general DGF solution for Linux kernel. SyzLego leverages a novel static analysis to enhance syscall dependency inference and adjust task scheduling for DGF. SyzLego first extracts nested function pointers and applies a type-matching instruction filter to infer implicit dependencies between functions. It then combines these implicit dependencies to enhance syscall dependency inference and adjusts task scheduling to suit DGF. We implement SyzLego and evaluate it against the state-of-the-art SyzDirect using a dataset of known bugs. The results demonstrate that SyzLego outperforms SyzDirect, achieving an average speedup of 2.94 and a maximum speedup of 22.46 across all reached target sites.