Linux Security Summit North America 2025

Kernel fuzzing has been traditionally done either via on-device fuzzing or using VMs and primarily targeting the attack surface exposed to user-space programs.
In this talk the authors introduce a novel approach towards fuzzing Linux kernel interfaces completely in user space without relying on hardware or virtualization solutions by leveraging an open-source project LKL (Linux kernel library). Using LKL it is possible to build Linux kernel as a user-space library and hook it with a coverage-guided engine such as libFuzzer to fuzz kernel interfaces. This approach enables us to create lightweight coverage-guided modular fuzzers targeting specific kernel interfaces. This approach provides such advantages as high fuzzing performance, scalability and ease of debugging crashes. One of the major highlights of this approach is the ability to target device-to-kernel interfaces exposed to the malicious peripheral devices which are difficult to cover using traditional fuzzing approaches. We will provide deep dive into LKL fuzzing details, like enabling ASAN for LKL, adding code coverage, and showcase examples of fuzzing USB HID and Android binder driver.