RusyFuzz: Unhandled Exception Guided Fuzzing for Rust OS Kernel
This program is tentative and subject to change.
Rust’s strong type system and ownership model eliminate many traditional memory safety issues in OS kernels. However, logic errors—such as unchecked indexing and failed unwrap operations—can still cause panic!s that crash the entire system. Existing kernel fuzzers, designed primarily for C-based kernels and reliant on KCOV, treat all crashes uniformly and fail to account for Rust-specific failure modes.
We present RusyFuzz, the first fuzzing framework tailored to Rust OS kernels that explicitly targets panic-prone code paths using an unhandled-exception-guided strategy. RusyFuzz analyzes the compiler-inserted assertions within the Rust MIR, performs backward slicing to link these assertions to system call arguments, and uses constraint solving to synthesize inputs that trigger panics. In the absence of built-in coverage support, RusyFuzz employs a lightweight, log-based instrumentation method to enable coverage-guided fuzzing. We evaluate RusyFuzz on three emerging Rust-based kernels: Asterinas, Redox OS, and RuxOS. RusyFuzz discovers 70 previously unknown and developer-confirmed vulnerabilities. Compared to Trinity, it uncovers over twice as many bugs while improving line coverage by 14.4%. These results demonstrate that unhandled-exception-guided fuzzing is critical for uncovering logic bugs and enhancing the reliability of Rust OS kernels, providing the first systematic methodology for detecting such vulnerabilities.
This program is tentative and subject to change.
Thu 16 AprDisplayed time zone: Brasilia, Distrito Federal, Brazil change
11:00 - 12:30 | |||
11:00 15mTalk | RusyFuzz: Unhandled Exception Guided Fuzzing for Rust OS Kernel Research Track Yuwei Liu Ant Group, Yanhao Wang Independent Researcher, Minghua Wang Ant Group, Lin Huang Ant Group, Purui Su Institute of Software/CAS China, Tao Wei Ant Group | ||
11:15 15mTalk | VDBFuzz: Understanding and Detecting Crash Bugs in Vector Database Management Systems Research Track Shenao Wang Huazhong University of Science and Technology, Zhao Liu 360 AI Security Lab, Yanjie Zhao Huazhong University of Science and Technology, Quanchen Zou 360 AI Security Lab, Haoyu Wang Huazhong University of Science and Technology | ||
11:30 15mTalk | GPTrace: Effective Crash Deduplication Using LLM Embeddings Research Track Patrick Herter Fraunhofer AISEC, Vincent Ahlrichs Fraunhofer AISEC, Ridvan Açilan Technical University of Munich, Julian Horsch Fraunhofer AISEC Pre-print Media Attached | ||
11:45 15mTalk | Is My RPC Response Reliable? Detecting RPC Bugs in Blockchain Client under Context Research Track Zhijie Zhong School of Software Engineering, Sun Yat-sen University, Yuhong Nan Sun Yat-sen University, Mingxi Ye Sun Yat-sen University, Qing Xue Sun Yat-sen University, Jiashui Wang Zhejiang University, Long Liu , Xinlei Ying , Zibin Zheng Sun Yat-sen University | ||
12:00 15mTalk | EchoFuzz: Empowering Smart Contract Fuzzing with Large Language Models Research Track Juanen Li Tsinghua University, Peng Qian Zhejiang University, Guanyan Li University of Oxford, Rui Wang Beijing Normal University, Peixin Wang East China Normal University, Zhiqing Tang Beijing Normal University, Fuchen Ma Tsinghua University, Yuanliang Chen Tsinghua University, Lun Zhang GoPlus Security | ||
12:15 15mTalk | StorFuzz: Using Data Diversity to Overcome Fuzzing Plateaus Research Track Leon Weiß Ruhr University Bochum, Tobias Holl Ruhr University Bochum, Kevin Borgolte Ruhr University Bochum Pre-print Media Attached | ||