Hao Sun
Ph.D. student, supervised by Prof. Zhendong Su
Advanced Software Technologies (AST) Lab
Department of Computer Science
ETH Zurich

CNB H 103.2, Universitätstrasse 6, 8092 Zürich, Switzerland

I’m a system security researcher at ETH Zurich, focusing on operating system kernels, with an emphasis on Linux. The fundamental goal of my research is to improve the correctness of OS kernels, one of the most complicated software, via finding and eliminating the bugs with the approaches called fuzz testing and symbolic execution.

I designed and implemented a kernel fuzzer called Healer, which is open-sourced and has found more than 100 bugs in Linux. This work was accepted by SOSP ‘21. My recent work KSG, a kernel specification generator, has led to the discovery of 23 bugs in Linux and was accepted by ATC ‘22. Besides, I’m also interested in system works and the idea of redesigning the software stack with current security and privacy concerns in mind is fascinating to me.


Jul 6, 2022 Tardis, a coverage-guided Embedded OS fuzzer, is accepted by EMSOFT ‘22.
May 20, 2022 Will be working as a RA at City University of Hong Kong for 6 months.
Apr 30, 2022 KSG, a kernel specification generator, is accepted to ATC ‘22.
Aug 7, 2021 Healer, a kernel fuzzer written in rust, is accepted to SOSP ‘21.

Selected pubs

  1. ATC ’22
    KSG: Augmenting Kernel Fuzzing with System Call Specification Generation
    Hao, Sun, Yuheng, Shen, Jianzhong, Liu, Yiru, Xu, and Yu, Jiang
    In 2022 USENIX Annual Technical Conference (USENIX ATC 22) Jul 2022
  2. SOSP ’21
    HEALER: Relation Learning Guided Kernel Fuzzing
    Hao, Sun, Yuheng, Shen, Cong, Wang, Jianzhong, Liu, Yu, Jiang, Ting, Chen, and Aiguo, Cui
    In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles Jul 2021
  3. EMSOFT ’21
    Rtkaller: State-Aware Task Generation for RTOS Fuzzing
    Yuheng, Shen,  Hao, Sun, Yu, Jiang, Heyuan, Shi, Yixiao, Yang, and Wanli, Chang
    ACM Trans. Embed. Comput. Syst. Sep 2021
  4. ISSRE ’19
    Go-Sanitizer: Bug-Oriented Assertion Generation for Golang
    Cong, Wang,  Hao, Sun, Yiwen, Xu, Yu, Jiang, Huafeng, Zhang, and Ming, Gu
    In 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) Sep 2019


Healer, kernel fuzzer inspired by Syzkaller

Healer is an automated kernel bug finding tool, written in 17,000+ lines of Rust. It utilizes specifications that encode input information to generate system call sequences, and detects kernel bugs via triggering kernel crashes with generated sequences. While the idea behind Healer is relatively straightforward, it incorporates many tricks and techniques for efficient runtime behavior… more
KEY RESULTS: 100+ reported and fixed Linux bugs, 10+ CVEs assigned, 199 stars on github.

KSG, kernel syscall specification generator

Writting system call specifications for kernel fuzzers requires significant amount of domain knowledge while being laborious. To address this, I designed and implemented a kernel specification generator (KSG) with 7000+ lines of C++ code based on Clang Static Analyzer. KSG utilizes a probe-based tracing and a symbolic execution-based type propagation algorithm…more
KEY RESULTS: 2433 automatically generated specifications and 23 bugs.

UFUZZ, OSEK/VDX RTOS kernel fuzzer

UFUZZ is an automated bug discovery tool, designed for embedded RTOS kernels that conform to the OSEK/VDX specification. It generates test cases with the awareness of the application model, e.g., prioritized tasks, and transfers inputs via directly accessing the memory of guest VM. UFUZZ has been adopted and deployed in a private organization.