{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T00:39:50Z","timestamp":1767314390997,"version":"3.48.0"},"publisher-location":"Singapore","reference-count":54,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819535507","type":"print"},{"value":"9789819535514","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-981-95-3551-4_21","type":"book-chapter","created":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T00:36:09Z","timestamp":1767314169000},"page":"301-315","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Survey of\u00a0Kernel Fuzzing"],"prefix":"10.1007","author":[{"given":"Wenyu","family":"Zhen","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Minhuan","family":"Huang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiang","family":"Li","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuanping","family":"Nie","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lang","family":"Chu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuxian","family":"Wan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,1,2]]},"reference":[{"key":"21_CR1","unstructured":"Kernel address sanitizer (kasan) \u2014 the linux kernel documentation. https:\/\/www.kernel.org\/doc\/html\/latest\/dev-tools\/kasan.html"},{"key":"21_CR2","unstructured":"Kernel concurrency sanitizer (kcsan) \u2014 the linux kernel documentation. https:\/\/docs.kernel.org\/dev-tools\/kcsan.html"},{"key":"21_CR3","unstructured":"Krace: Data race fuzzing for kernel file systems | IEEE conference publication | IEEE xplore. https:\/\/ieeexplore.ieee.org\/abstract\/document\/9152693"},{"key":"21_CR4","unstructured":"libfuzzer \u2013 a library for coverage-guided fuzz testing. \u2014 LLVM 20.0.0git documentation. https:\/\/llvm.org\/docs\/LibFuzzer.html"},{"key":"21_CR5","unstructured":"The linux kernel archives. https:\/\/www.kernel.org\/"},{"key":"21_CR6","unstructured":"Nccgroup\/triforcelinuxsyscallfuzzer: A linux system call fuzzer using triforceafl. https:\/\/github.com\/nccgroup\/TriforceLinuxSyscallFuzzer"},{"key":"21_CR7","unstructured":"Qemu. https:\/\/www.qemu.org\/"},{"key":"21_CR8","unstructured":"S2e\/s2e: S2e: A platform for multi-path program analysis with selective symbolic execution. https:\/\/github.com\/S2E\/s2e"},{"key":"21_CR9","unstructured":"Syzbot. https:\/\/syzkaller.appspot.com\/linux-6.1"},{"key":"21_CR10","unstructured":"Syzkaller\/docs\/syscall_descriptions.md at master $$\\cdot $$ google\/syzkaller. https:\/\/github.com\/google\/syzkaller\/blob\/master\/docs\/syscall_descriptions.md"},{"key":"21_CR11","unstructured":"Google\/syzkaller. Google (2024). https:\/\/github.com\/google\/syzkaller"},{"key":"21_CR12","unstructured":"Google\/AFL. Google (2025). https:\/\/github.com\/google\/AFL"},{"key":"21_CR13","doi-asserted-by":"publisher","unstructured":"Bulekov, A., Das, B., Hajnoczi, S., Egele, M.: No grammar, no problem: towards fuzzing the linux kernel without system-call descriptions (2023). https:\/\/doi.org\/10.14722\/ndss.2023.24688","DOI":"10.14722\/ndss.2023.24688"},{"key":"21_CR14","doi-asserted-by":"crossref","unstructured":"Chen, W., et al.: Syzgen++: dependency inference for augmenting kernel driver fuzzing (2024)","DOI":"10.1109\/SP54263.2024.00269"},{"key":"21_CR15","doi-asserted-by":"publisher","unstructured":"Chen, W., Wang, Y., Zhang, Z., Qian, Z.: Syzgen: automated generation of syscall specification of closed-source macos drivers. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 749\u2013763. ACM, Virtual Event Republic of Korea (2021). https:\/\/doi.org\/10.1145\/3460120.3484564","DOI":"10.1145\/3460120.3484564"},{"key":"21_CR16","unstructured":"Cho, M., An, D., Jin, H., Kwon, T.: Bokasan: Binary-only kernel address sanitizer for effective kernel fuzzing (2023)"},{"key":"21_CR17","doi-asserted-by":"publisher","unstructured":"Choi, J., Kim, K., Lee, D., Cha, S.K.: Ntfuzz: enabling type-aware kernel fuzzing on windows with static binary analysis (2021). https:\/\/doi.org\/10.1109\/SP40001.2021.00114","DOI":"10.1109\/SP40001.2021.00114"},{"key":"21_CR18","doi-asserted-by":"publisher","unstructured":"Corina, J., et al.: Difuze: interface aware fuzzing for kernel drivers (2017). https:\/\/doi.org\/10.1145\/3133956.3134069","DOI":"10.1145\/3133956.3134069"},{"key":"21_CR19","unstructured":"Fleischer, M., et al.: Actor: action-guided kernel fuzzing (2023)"},{"key":"21_CR20","doi-asserted-by":"publisher","unstructured":"Han, H., Cha, S.K.: IMF: inferred model-based fuzzer. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2345\u20132358. ACM, Dallas Texas USA (2017). https:\/\/doi.org\/10.1145\/3133956.3134103","DOI":"10.1145\/3133956.3134103"},{"key":"21_CR21","doi-asserted-by":"publisher","unstructured":"Hao, Y., et al.: Syzdescribe: principled, automated, static generation of syscall descriptions for kernel drivers. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 3262\u20133278. IEEE, San Francisco, CA, USA (2023). https:\/\/doi.org\/10.1109\/SP46215.2023.10179298","DOI":"10.1109\/SP46215.2023.10179298"},{"key":"21_CR22","unstructured":"HardenedVault: Vaultfuzzer: A state-based approach for linux kernel. https:\/\/hardenedvault.net\/blog\/2021-09-13-vaultfuzzer\/"},{"key":"21_CR23","doi-asserted-by":"publisher","unstructured":"Huster, S., Hollick, M., Classen, J.: To boldly go where no fuzzer has gone before: finding bugs in linux\u2019 wireless stacks through virtio devices. In: 2024 IEEE Symposium on Security and Privacy (SP), pp. 4629\u20134645. IEEE, San Francisco, CA, USA (2024). https:\/\/doi.org\/10.1109\/SP54263.2024.00024","DOI":"10.1109\/SP54263.2024.00024"},{"key":"21_CR24","doi-asserted-by":"publisher","unstructured":"Jeong, D.R., Kim, K., Shivakumar, B., Lee, B., Shin, I.: Razzer: finding kernel race bugs through fuzzing. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 754\u2013768. IEEE, San Francisco, CA, USA (2019). https:\/\/doi.org\/10.1109\/SP.2019.00017","DOI":"10.1109\/SP.2019.00017"},{"key":"21_CR25","doi-asserted-by":"publisher","unstructured":"Jeong, D.R., Lee, B., Shin, I., Kwon, Y.: Segfuzz: segmentizing thread interleaving to discover kernel concurrency bugs through fuzzing. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 2104\u20132121. IEEE, San Francisco, CA, USA (2023). https:\/\/doi.org\/10.1109\/SP46215.2023.10179398","DOI":"10.1109\/SP46215.2023.10179398"},{"key":"21_CR26","unstructured":"Jones, D.: Kernelslacker\/trinity (2025). https:\/\/github.com\/kernelslacker\/trinity"},{"key":"21_CR27","doi-asserted-by":"publisher","unstructured":"Kim, K., Jeong, D.R., Kim, C.H., Jang, Y., Shin, I., Lee, B.: HFL: hybrid fuzzing on the linux kernel. In: Proceedings 2020 Network and Distributed System Security Symposium. Internet Society, San Diego, CA (2020). https:\/\/doi.org\/10.14722\/ndss.2020.24018","DOI":"10.14722\/ndss.2020.24018"},{"key":"21_CR28","doi-asserted-by":"publisher","unstructured":"Kim, K., et al.: Fuzzusb: hybrid stateful fuzzing of USB gadget stacks. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 2212\u20132229 (2022). https:\/\/doi.org\/10.1109\/SP46214.2022.9833593","DOI":"10.1109\/SP46214.2022.9833593"},{"key":"21_CR29","unstructured":"Kim, S.Y.: Cab-fuzz: practical concolic testing techniques for cots operating systems (2017)"},{"key":"21_CR30","doi-asserted-by":"crossref","unstructured":"Lee, G., Xu, D., Salimi, S.: Syzrisk: a change-pattern-based continuous kernel regression fuzzer (2024)","DOI":"10.1145\/3634737.3637642"},{"key":"21_CR31","doi-asserted-by":"publisher","unstructured":"Lin, Z., et al.: Grebe: unveiling exploitation potential for linux kernel bugs (2022). https:\/\/doi.org\/10.1109\/SP46214.2022.9833683","DOI":"10.1109\/SP46214.2022.9833683"},{"key":"21_CR32","doi-asserted-by":"publisher","unstructured":"Liu, Z., Chen, C., Ahmed, E., Zhang, J., Liu, D.: Winkfuzz: model-based script synthesis for fuzzing. In: Proceedings of the Third International Symposium on Advanced Security on Software and Systems, pp. 1\u201312. ACM, Melbourne VIC Australia (2023). https:\/\/doi.org\/10.1145\/3591365.3592946","DOI":"10.1145\/3591365.3592946"},{"key":"21_CR33","doi-asserted-by":"publisher","unstructured":"Ma, Z., et al.: Printfuzz: fuzzing linux drivers via automated virtual device simulation. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 404\u2013416. ACM, Virtual South Korea (2022). https:\/\/doi.org\/10.1145\/3533767.3534226","DOI":"10.1145\/3533767.3534226"},{"key":"21_CR34","unstructured":"Maier, D., Radtke, B., Harren, B.: Unicorefuzz: on the viability of emulation for kernelspace fuzzing (2019)"},{"key":"21_CR35","doi-asserted-by":"publisher","unstructured":"Maier, D., Toepfer, F.: BSOD: binary-only scalable fuzzing of device drivers. In: 24th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 48\u201361. ACM, San Sebastian Spain (2021). https:\/\/doi.org\/10.1145\/3471621.3471863","DOI":"10.1145\/3471621.3471863"},{"key":"21_CR36","doi-asserted-by":"publisher","unstructured":"Mu, T., Zhang, H., Wang, J., Li, H.: Colafuze: coverage-guided and layout-aware fuzzing for android drivers. IEICE Trans. Inf. Syst. E104.D(11), 1902\u20131912 (2021). https:\/\/doi.org\/10.1587\/transinf.2021NGP0005","DOI":"10.1587\/transinf.2021NGP0005"},{"key":"21_CR37","unstructured":"Pailoor, S., Aday, A., Jana, S.: Moonshine: optimizing OS fuzzer seed selection with trace distillation (2018)"},{"key":"21_CR38","unstructured":"Pan, J., Yan, G., Fan, X., Lab, I.: Digtool: a virtualization-based framework for detecting kernel vulnerabilities (2017)"},{"key":"21_CR39","doi-asserted-by":"publisher","unstructured":"Ryan, G., Shah, A., She, D., Jana, S.: Precise detection of kernel data races with probabilistic lockset analysis (2023). https:\/\/doi.org\/10.1109\/SP46215.2023.10179366","DOI":"10.1109\/SP46215.2023.10179366"},{"key":"21_CR40","unstructured":"Schumilo, S., Aschermann, C., Gawlik, R., Schinzel, S., Holz, T.: KAFL: hardware-assisted feedback fuzzing for OS kernels. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 167\u2013182 (2017). https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/schumilo"},{"key":"21_CR41","doi-asserted-by":"publisher","unstructured":"Song, D., et al.: Periscope: an effective probing and fuzzing framework for the hardware-OS boundary. In: Proceedings 2019 Network and Distributed System Security Symposium. Internet Society, San Diego, CA (2019). https:\/\/doi.org\/10.14722\/ndss.2019.23176","DOI":"10.14722\/ndss.2019.23176"},{"key":"21_CR42","unstructured":"Song, D., Hetzelt, F., Kim, J., Kang, B.B., Seifert, J.P., Franz, M.: Agamotto: accelerating kernel driver fuzzing with lightweight virtual machine checkpoints. In: 29th USENIX Security Symposium (USENIX Security 2020), pp. 2541\u20132557 (2020). https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/song"},{"key":"21_CR43","unstructured":"Sun, H., Shen, Y., Liu, J., Xu, Y., Jiang, Y.: KSG: augmenting kernel fuzzing with system call specification generation (2022)"},{"key":"21_CR44","doi-asserted-by":"publisher","unstructured":"Sun, H., et al.: Healer: relation learning guided kernel fuzzing (2021). https:\/\/doi.org\/10.1145\/3477132.3483547","DOI":"10.1145\/3477132.3483547"},{"key":"21_CR45","doi-asserted-by":"publisher","unstructured":"Tan, X., Zhang, Y., Lu, J., Xiong, X., Liu, Z., Yang, M.: Syzdirect: directed greybox fuzzing for linux kernel. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 1630\u20131644. ACM, Copenhagen Denmark (2023). https:\/\/doi.org\/10.1145\/3576915.3623146","DOI":"10.1145\/3576915.3623146"},{"key":"21_CR46","unstructured":"Wang, D., Zhang, Z., Zhang, H., Qian, Z., Krishnamurthy, S.V., Abu-Ghazaleh, N.: Syzvegas: beating kernel fuzzing odds with reinforcement learning (2021)"},{"key":"21_CR47","unstructured":"Weaver, V.M., Jones, D.: Perf fuzzer: targeted fuzzing of the perf event open() system call (2015)"},{"key":"21_CR48","doi-asserted-by":"publisher","unstructured":"Xu, J., et al.: Mock: optimizing kernel fuzzing mutation with context-aware dependency. In: Proceedings 2024 Network and Distributed System Security Symposium. Internet Society, San Diego, CA, USA (2024). https:\/\/doi.org\/10.14722\/ndss.2024.23131","DOI":"10.14722\/ndss.2024.23131"},{"key":"21_CR49","doi-asserted-by":"publisher","unstructured":"Xu, W., Moon, H., Kashyap, S., Tseng, P.N., Kim, T.: Janus:fuzzing file systems via two-dimensional input space exploration. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 818\u2013834. IEEE, San Francisco, CA, USA (2019). https:\/\/doi.org\/10.1109\/SP.2019.00035","DOI":"10.1109\/SP.2019.00035"},{"key":"21_CR50","unstructured":"Yang, C., Zhao, Z., Zhang, L.: Kernelgpt: enhanced kernel fuzzing via large language models (2023). http:\/\/arxiv.org\/abs\/2401.00563"},{"issue":"4","key":"21_CR51","doi-asserted-by":"publisher","first-page":"3453","DOI":"10.1109\/TDSC.2023.3330852","volume":"21","author":"T Yin","year":"2024","unstructured":"Yin, T., Gao, Z., Xiao, Z., Ma, Z., Zheng, M., Zhang, C.: Kextfuzz: a practical fuzzer for macOS kernel extensions on apple silicon. IEEE Trans. Dependable Secure Comput. 21(4), 3453\u20133468 (2024). https:\/\/doi.org\/10.1109\/TDSC.2023.3330852","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"21_CR52","unstructured":"Yuan, M., Zhao, B.: DDRace: finding concurrency UAF vulnerabilities in linux drivers with directed fuzzing (2023)"},{"key":"21_CR53","unstructured":"Zhao, B., et al.: Statefuzz: system call-based state-aware linux driver fuzzing. In: 31st USENIX Security Symposium (USENIX Security 2022), pp. 3273\u20133289 (2022). https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/zhao-bodong"},{"key":"21_CR54","doi-asserted-by":"publisher","unstructured":"Zhao, W., Lu, K., Wu, Q., Qi, Y.: Semantic-informed driver fuzzing without both the hardware devices and the emulators. In: Proceedings 2022 Network and Distributed System Security Symposium. Internet Society, San Diego, CA, USA (2022). https:\/\/doi.org\/10.14722\/ndss.2022.24345","DOI":"10.14722\/ndss.2022.24345"}],"container-title":["Lecture Notes in Computer Science","Cyberspace Safety and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-95-3551-4_21","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T00:36:12Z","timestamp":1767314172000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-95-3551-4_21"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9789819535507","9789819535514"],"references-count":54,"URL":"https:\/\/doi.org\/10.1007\/978-981-95-3551-4_21","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"2 January 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CSS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Symposium on Cyberspace Safety and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Hangzhou","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4 July 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"6 July 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"css2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/nsclab.org\/css2025\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}