syzkaller

Syzkaller is an open-source, coverage-guided fuzzer for operating-system kernels, originally developed by Google. It automatically generates and mutates sequences of system calls, executes them inside a kernel sandbox, and uses code coverage feedback to guide exploration. Its primary purpose is to discover security vulnerabilities and stability issues in kernel code, including memory-safety bugs such as use-after-free and null dereferences.

The fuzzer operates on programs that describe sequences of system calls and their arguments. It maintains a corpus of such programs and mutates them to create new test cases, while constraints ensure calls remain valid and resources are allocated appropriately. Each test runs against a target kernel in a controlled environment, such as a virtual machine or container. Kernel instrumentation reports coverage back to the fuzzer, which uses this feedback to steer further mutations toward less-covered code paths, increasing the likelihood of revealing bugs.

Syzkaller is composed of several components, including a coordinating manager and one or more executors that run on hosts. It includes crash triage and repro workflows to collect crash dumps and reproduce findings. In practice, the ecosystem often integrates with a syzbot service that automatically runs fuzzing against a repository, triages crashes, and posts reproducible issues for kernel maintainers.

Although optimized for Linux, syzkaller has been ported to other kernels with additional syscall definitions and instrumentation. It has had a notable impact on kernel security research, contributing to the discovery and reproduction of numerous vulnerabilities and informing fuzzing practices in the broader ecosystem.
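The corpus, mutation, coverage-feedback and repro loop described above, as an added example that is not part of this page or of the syzkaller project: a toy coverage-guided fuzzer written in Go (syzkaller's own implementation language). It mutates programs built from three made-up syscalls, runs them against an in-process model of a kernel that reports which of four constructed "basic blocks" executed, keeps a mutant in the corpus only when it reaches a block no earlier program reached, and records a program as a crasher only when re-running it crashes again. The types Call, Prog and Fuzzer, the syscall names, the block ids and the modelled write-after-close bug are all assumptions made for this example; real syzkaller obtains coverage from kernel instrumentation (KCOV) and executes programs inside a VM rather than in-process.

```go
package main

import "fmt"
import "math/rand"

// Call is one system call of a program and Prog the sequence the fuzzer
// mutates; both are hypothetical toy types, not syzkaller's own format.
type Call struct {
	Name string
	Args []int
}
type Prog []Call

// Toy syscall table: "open" creates an fd; "write" and "close" select one of
// the fds opened so far via Args[0], which models a resource constraint.
var syscallNames = []string{"open", "write", "close"}

// Execute runs a program on an in-process model of a kernel and returns the
// "basic block" ids it covered and whether it hit the modelled bug, a write on
// an fd that was already closed (a stand-in for a use-after-free).
func Execute(p Prog) (map[int]bool, bool) {
	cov, crashed := map[int]bool{}, false
	var fds []bool // index = fd number, value = still open
	for _, c := range p {
		switch c.Name {
		case "open":
			cov[1] = true
			fds = append(fds, true)
		case "write":
			if len(fds) == 0 {
				cov[2] = true // error path: no resource to write to
				continue
			}
			cov[3] = true
			crashed = crashed || !fds[c.Args[0]%len(fds)]
		case "close":
			cov[4] = true
			if len(fds) > 0 {
				fds[c.Args[0]%len(fds)] = false
			}
		}
	}
	return cov, crashed
}

// Fuzzer holds the corpus, the union of coverage seen so far and the crashers.
type Fuzzer struct {
	rng     *rand.Rand
	Corpus  []Prog
	Total   map[int]bool
	Crashes []Prog
}

// NewFuzzer seeds the corpus with one trivial program.
func NewFuzzer(seed int64) *Fuzzer {
	return &Fuzzer{rng: rand.New(rand.NewSource(seed)), Total: map[int]bool{},
		Corpus: []Prog{{{Name: "open", Args: []int{0}}}}}
}

func (f *Fuzzer) randomCall() Call {
	return Call{Name: syscallNames[f.rng.Intn(3)], Args: []int{f.rng.Intn(8)}}
}

// mutate copies a corpus program and applies one mutation: insert a call,
// replace a call, or change an argument. The parent is left untouched.
func (f *Fuzzer) mutate(p Prog) Prog {
	q := append(Prog{}, p...)
	i := f.rng.Intn(len(q))
	switch f.rng.Intn(3) {
	case 0:
		q = append(q[:i], append(Prog{f.randomCall()}, q[i:]...)...)
	case 1:
		q[i] = f.randomCall()
	case 2:
		q[i].Args = []int{f.rng.Intn(8)}
	}
	return q
}

// Run performs iters iterations. A mutant joins the corpus only when it covers
// a block no earlier program covered (the coverage feedback); a crasher is
// kept only if re-executing it crashes again (a minimal repro check).
func (f *Fuzzer) Run(iters int) {
	for n := 0; n < iters; n++ {
		child := f.mutate(f.Corpus[f.rng.Intn(len(f.Corpus))])
		cov, crashed := Execute(child)
		if _, again := Execute(child); crashed && again {
			f.Crashes = append(f.Crashes, child)
		}
		before := len(f.Total)
		for b := range cov {
			f.Total[b] = true
		}
		if len(f.Total) > before {
			f.Corpus = append(f.Corpus, child)
		}
	}
}

func main() {
	f := NewFuzzer(1)
	f.Run(20000)
	fmt.Printf("corpus=%d blocks=%d/4 crashers=%d\n", len(f.Corpus), len(f.Total), len(f.Crashes))
}
```

Running it with `go run` prints how many programs the corpus holds, how many of the four blocks were reached and how many reproducible crashers were found. Two design points mirror the article: the corpus only grows on new coverage, so it stays small even after thousands of iterations, and because "write" and "close" index into the fds the program itself opened, a generated call can never reference a resource that does not exist, which is the role the syscall constraints play in the real fuzzer.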