SYSYPHUZZ: the Pressure of More Coverage

Zezhong Ren

Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Malware & RE

Coverage-centric kernel fuzzing has a blind spot: once a basic block is marked as "covered," fuzzers ignore it forever, even if it was executed only once or twice. This talk presents **SYSYPHUZZ**, a kernel fuzzer that makes **execution frequency a first-class objective** alongside coverage. Analysis of the Linux kernel under Syzkaller shows a **heavily skewed distribution**: after 72 hours, the bottom 5% of basic blocks are hit fewer than 30 times while the median is around 3,000. Over **22% of initially underexplored basic blocks remain insufficiently exercised** even after prolonged fuzzing. SYSYPHUZZ introduces a **boost delegator** for selective task scheduling and **context-preserving mutation** that maintains the syscall context needed to reach low-frequency regions while exploring beyond them. Targeting Linux 6.12, SYSYPHUZZ discovered **67 bugs** (31% more than Syzkaller) and **10% more than SyzGPT**, with **2x the low-frequency coverage**, demonstrating that execution frequency is complementary to coverage for kernel bug discovery.
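As an added illustration (not code from the talk, from SYSYPHUZZ, or from Syzkaller), the toy Python model below shows the gap the abstract describes: a coverage-only energy function that has nothing left to say once every block has been seen once, next to a frequency-aware boost that prefers seeds reaching blocks hit fewer than a target number of times, plus a mutation step that keeps the syscall prefix that reached the rare block intact and only varies what follows it. The hand-made trace log and corpus, the 30-hit target (borrowed from the abstract's bottom-5% figure), the `target - count` boost formula and the syscall names are all assumptions made for this example.

```python
"""Toy model of frequency-aware fuzzing scheduling.

Added illustration, not SYSYPHUZZ's or Syzkaller's code. It assumes that
per-execution basic-block traces are available (a real kernel fuzzer gets
them from coverage instrumentation such as KCOV) and uses a constructed log.
"""
import math
import random
from collections import Counter
from statistics import median

# Constructed trace log: (seed name, set of basic-block ids touched) per execution.
# Shaped to mimic the skew the abstract reports: a few blocks dominate while one
# block (5) is reached by a single execution and is then "covered" forever.
TRACES = (
    [("common", frozenset({1, 2, 3}))] * 50
    + [("path_b", frozenset({1, 2, 4}))] * 20
    + [("rare", frozenset({1, 2, 5}))]
)

# Constructed corpus: the seeds behind the traces, as the blocks each one reaches.
CORPUS = {
    "common": frozenset({1, 2, 3}),
    "path_b": frozenset({1, 2, 4}),
    "rare": frozenset({1, 2, 5}),
}


def block_hit_counts(traces):
    """Count how many executions touched each basic block."""
    counts = Counter()
    for _seed, blocks in traces:
        counts.update(blocks)
    return counts


def percentile(values, p):
    """Nearest-rank percentile (p in [0, 1]) of a list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def skew_summary(counts):
    """Bottom-5% hit count versus median: the comparison the abstract draws."""
    values = list(counts.values())
    return {"p5": percentile(values, 0.05), "median": median(values)}


def underexplored_blocks(counts, threshold):
    """Blocks hit fewer than `threshold` times: covered, yet barely exercised."""
    return {b for b, n in counts.items() if n < threshold}


def coverage_only_energy(seed_blocks, covered):
    """Classic signal: how many not-yet-covered blocks a seed adds.

    Once every block has been seen this is zero for every seed, so a
    coverage-only scheduler has no reason to prefer the seed reaching block 5.
    """
    return len(seed_blocks - covered)


def frequency_boost(seed_blocks, counts, target):
    """Toy stand-in for a boost delegator (assumed formula, not SYSYPHUZZ's).

    Each block a seed reaches contributes how far below `target` its hit count
    sits; blocks already hit `target` times or more contribute nothing.
    """
    return sum(max(0, target - counts[b]) for b in seed_blocks)


def schedule(corpus, counts, target):
    """Order seeds by frequency boost, highest first; ties broken by name."""
    return sorted(corpus, key=lambda s: (-frequency_boost(corpus[s], counts, target), s))


def mutate_preserving_context(program, keep_upto, extra_calls, seed=0):
    """Toy context-preserving mutation.

    The syscall prefix program[:keep_upto] is assumed to be what reaches the
    low-frequency block, so it is left untouched; only later calls are
    replaced or appended. Returns a new list; `program` is not modified.
    """
    rng = random.Random(seed)
    prefix = program[:keep_upto]
    tail = program[keep_upto:]
    if tail and rng.random() < 0.5:
        tail[rng.randrange(len(tail))] = rng.choice(extra_calls)
    else:
        tail.append(rng.choice(extra_calls))
    return prefix + tail


if __name__ == "__main__":
    counts = block_hit_counts(TRACES)
    print("hit counts:", dict(sorted(counts.items())))
    print("skew:", skew_summary(counts))
    print("underexplored (<30 hits):", underexplored_blocks(counts, 30))
    covered = set(counts)
    print("coverage-only energy:", {s: coverage_only_energy(b, covered) for s, b in CORPUS.items()})
    print("frequency boost:", {s: frequency_boost(b, counts, 30) for s, b in CORPUS.items()})
    print("schedule:", schedule(CORPUS, counts, 30))
    # Constructed syscall program; assume the first two calls reach block 5.
    prog = ["open", "ioctl", "read"]
    print("mutant:", mutate_preserving_context(prog, 2, ["write", "mmap", "close"], seed=1))
```

Run as a script to see that every seed scores zero under the coverage-only signal while the frequency boost ranks the seed reaching block 5 first; the mutation helper is what lets that seed explore beyond the rare block without losing the prefix that gets there.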

AI review

A kernel fuzzer that targets underexplored code regions by making execution frequency a first-class objective, finding 31% more bugs than Syzkaller. Demonstrates that coverage alone is insufficient for thorough kernel testing, with direct implications for kernel vulnerability discovery.
