Selected pubs

1. SOSP ’25

   Prove It to the Kernel: Precise Extension Analysis via Proof-Guided Abstraction Refinement

   Hao, Sun, and Zhendong, Su

   In Proceedings of SOSP 2025

   Best Paper Award

   PDF Code Slides
2. SEC ’25

   Approximation Enforced Execution of Untrusted Linux Kernel Extensions

   Hao, Sun, and Zhendong, Su

   In Proceedings of USENIX Security 2025

   PDF
3. OSDI ’24

   Validating the eBPF Verifier via State Embedding

   Hao, Sun, and Zhendong, Su

   In Proceedings of the 18h USENIX Conference on Operating Systems Design and Implementation 2024
4. ATC ’22

   KSG: Augmenting Kernel Fuzzing with System Call Specification Generation

   Hao, Sun, Yuheng, Shen, Jianzhong, Liu, Yiru, Xu, and Yu, Jiang

   In 2022 USENIX Annual Technical Conference (USENIX ATC 22) Jul 2022

   Abs Bib PDF Slides

   Kernel fuzzing is a dynamic testing technique that has successfully found numerous kernel vulnerabilities. However, existing kernel fuzzers, such as Syzkaller, depend on system call specifications to generate test cases. Writing such specifications requires an immense amount of domain knowledge while being extremely laborious. Meanwhile, automated generation of the specification is still an open problem due to the complexity of the kernel, including entry function extraction and input type identification. As a result, the current amount of system call information is insufficient to test the entire kernel code base thoroughly. Syzkaller covers an average of 38% of Linux kernel code with current Syzlang specifications for a prolonged time of fuzzing. In this paper, we propose KSG to generate system call specifications for kernel fuzzers automatically. First, it utilizes probe-based tracing to extract entry functions accurately. Then, it uses path-sensitive analysis to collect precise input types and range constraints in each execution path of entry functions. Based on the aforementioned information, KSG generates specifications in the domain language Syzlang, which is used by most kernel fuzzers. We evaluated KSG on several versions of the Linux kernel. It automatically generated 2433 unique specifications. Leveraging the newly generated specifications, Syzkaller and Moonshine achieved coverage improvements of 22% and 23% respectively. Furthermore, our approach assisted fuzzers to discover 26 previously unknown bugs, where 13 and 6 bugs were fixed and assigned with CVEs, respectively.

   @inproceedings{KSG,
     author = {Hao, Sun and Yuheng, Shen and Jianzhong, Liu and Yiru, Xu and Yu, Jiang},
     title = {{KSG}: Augmenting Kernel Fuzzing with System Call Specification Generation},
     booktitle = {2022 USENIX Annual Technical Conference (USENIX ATC 22)},
     year = {2022},
     isbn = {978-1-939133-29-20},
     address = {Carlsbad, CA},
     pages = {351--366},
     url = {https://www.usenix.org/conference/atc22/presentation/sun},
     publisher = {USENIX Association},
     month = jul,
   }

5. SOSP ’21

   HEALER: Relation Learning Guided Kernel Fuzzing

   Hao, Sun, Yuheng, Shen, Cong, Wang, Jianzhong, Liu, Yu, Jiang, Ting, Chen, and Aiguo, Cui

   In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles Jul 2021

   Abs Bib PDF Code Poster Slides

   Modern operating system kernels are too complex to be free of bugs. Fuzzing is a promising approach for vulnerability detection and has been applied to kernel testing. However, existing work does not consider the influence relations between system calls when generating and mutating inputs, resulting in difficulties when trying to reach into the kernel’s deeper logic effectively.In this paper, we propose HEALER, a kernel fuzzer that improves fuzzing’s effectiveness by utilizing system call relation learning. HEALER learns the influence relations between system calls by dynamically analyzing minimized test cases. Then, HEALER utilizes the learned relations to guide input generation and mutation, which improves the quality of test cases and the effectiveness of fuzzing. We implemented HEALER and evaluated its performance on recent versions of the Linux kernel. Compared to state-of-the-art kernel fuzzers such as Syzkaller and Moonshine, HEALER improves branch coverage by 28% and 21%, while achieving a speedup of 2.2x and 1.8x, respectively. In addition, HEALER detected 218 vulnerabilities, 33 of which are previously unknown and have been confirmed by the corresponding kernel maintainers.

   @inproceedings{Healer,
     author = {Hao, Sun and Yuheng, Shen and Cong, Wang and Jianzhong, Liu and Yu, Jiang and Ting, Chen and Aiguo, Cui},
     title = {HEALER: Relation Learning Guided Kernel Fuzzing},
     year = {2021},
     isbn = {9781450387095},
     publisher = {Association for Computing Machinery},
     address = {New York, NY, USA},
     url = {https://doi.org/10.1145/3477132.3483547},
     doi = {10.1145/3477132.3483547},
     booktitle = {Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles},
     pages = {344--358},
     numpages = {15},
     keywords = {System Call Relation Learning, Kernel Fuzzing},
     location = {Virtual Event, Germany},
     series = {SOSP '21},
   }