A Study on Fuzzing the Linux Kernel Networking Subsystem Using Syzkaller

Subin Song, Minkyung Park, and Taekyoung Kwon

Published in Annual Symposium of KIPS (ASK), 2024

In this study, we employ the kernel fuzzer Syzkaller to fuzz the Linux kernel’s network subsystem and analyze the results to understand why achieving high code coverage remains challenging. Based on the analysis, we propose several methods to improve fuzzing effectiveness. In the first experiment, fuzzing is conducted with restrictions allowing only system calls and parameters related to TCP and IPv4 sockets. In the second experiment, the scope is extended to include all system calls supported by Syzkaller. In the first experiment, a TCP connection was successfully established approximately 55 hours after the start of fuzzing. In the second experiment, while overall code coverage and the coverage of the routing subsystem improved compared to the first, a TCP connection could not be established. This is attributed to the difficulty the client has in randomly guessing the server’s IP address and port number, a process that inherently consumes significant time and thus impedes connection establishment. Furthermore, this study proposes several approaches to enhance the efficiency of fuzzing the Linux kernel network subsystem using Syzkaller, including hybrid fuzzing techniques to facilitate TCP connection establishment, enabling IP packet forwarding, and conducting fuzzing without packet descriptions.
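The first experiment restricts Syzkaller to system calls related to TCP and IPv4 sockets. In Syzkaller this kind of restriction is expressed through the `enable_syscalls` list of the syz-manager configuration, which names entries from Syzkaller's syscall descriptions (the `$` suffix selects a typed variant, and a trailing `*` matches all variants with that prefix). The configuration below is an added illustration of that mechanism, not the authors' actual configuration: the `/path/to/...` values are placeholders, the QEMU settings are arbitrary, and the selection of socket-related entries is our own choice of existing Syzkaller description names rather than the exact set used in the paper.

```json
{
  "target": "linux/amd64",
  "http": "127.0.0.1:56741",
  "workdir": "/path/to/workdir",
  "kernel_obj": "/path/to/linux",
  "image": "/path/to/image",
  "sshkey": "/path/to/image.key",
  "syzkaller": "/path/to/syzkaller",
  "procs": 8,
  "type": "qemu",
  "vm": {
    "count": 4,
    "kernel": "/path/to/linux/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 2048
  },
  "enable_syscalls": [
    "socket$inet_tcp",
    "bind$inet",
    "listen",
    "connect$inet",
    "accept$inet",
    "accept4$inet",
    "sendto$inet",
    "recvfrom$inet",
    "setsockopt$inet_tcp*",
    "getsockopt$inet_tcp*",
    "shutdown",
    "close"
  ]
}
```

With `enable_syscalls` present, syz-manager generates programs only from the listed entries, so every program consists of creating AF_INET stream sockets, binding, listening, connecting, accepting and transferring data on them; the second experiment described in the abstract corresponds to dropping the `enable_syscalls` key entirely so that all descriptions are in scope. Note that the TCP server and client in such a program are both produced by the same random generator, which is what makes the address and port agreement the abstract discusses a matter of chance.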