Unsupervised fuzzing with kcov results (syzkaller style, libFuzzer or other?) #2

@yskzalloc

Description

To extend the fuzzing capabilities, it would be useful to support unsupervised fuzzing by leveraging kcov coverage results as feedback for test case generation, similar to how libFuzzer operates.

Proposal

  • Integrate kcov coverage data as the guiding signal for input mutation.
  • Enable a fuzzing mode that does not require external supervision, where the engine uses coverage information to evolve test cases automatically.
  • Possible workflow:
    1. Run a target program with the "Save syscall.log per target program execution" (#1) support.
    2. Collect executed basic block/edge coverage.
    3. Use the coverage feedback to mutate test inputs continuously.
    4. Minimize and store interesting test cases for repro.

Motivation

  • Provides a self-contained fuzzing workflow without relying fully on supervised infrastructures.
  • Enhances fuzzing efficiency by continuously improving inputs based on real coverage data.
  • Can serve as a bridge between kernel-oriented fuzzing and existing user-space engines like libFuzzer.

Use cases

  • Run unsupervised fuzzing campaigns in smaller or isolated environments.
  • Use for continuous coverage-based regression testing.
  • Potential integration with existing fuzzers for hybrid fuzzing setups.
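The four workflow steps above, carried through in C as an added example; this is not code from the issue author or from the project. It assumes the kcov interface as documented in the kernel's Documentation/dev-tools/kcov.rst (`/sys/kernel/debug/kcov`, `KCOV_INIT_TRACE`/`KCOV_ENABLE`/`KCOV_DISABLE`, `cover[0]` holding the PC count). Because the project's own "run the target and save syscall.log" harness is not described here, `fake_execute` is a constructed stand-in that turns an input into a deterministic PC trace; the edge hashing is AFL-style (current PC combined with the shifted previous PC), and `covmap`, `fuzzer`, `fuzz_step` and the other names are illustrative:

```c
/* Added example, not the project's code: kcov attach plus a coverage-guided loop; names are illustrative. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
/* kcov ioctls and buffer layout as documented in Documentation/dev-tools/kcov.rst. */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define KCOV_TRACE_PC   0
#define COVER_SIZE    (64 << 10) /* entries: cover[0] = PC count, cover[1..] = PCs */
#define EDGE_MAP_BITS 16         /* coverage bitmap of 2^16 edge slots */
#define TRACE_MAX     256        /* trace capacity of the constructed stand-in target */
#define MAX_INPUT     16
#define MAX_CORPUS    64

/* Step 1: attach kcov to the calling thread. NULL if debugfs, CONFIG_KCOV or privilege is missing. */
static unsigned long *kcov_attach(int *fd_out) {
    int fd = open("/sys/kernel/debug/kcov", O_RDWR);
    if (fd < 0) return NULL;
    unsigned long *cover = MAP_FAILED;
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE) == 0)
        cover = mmap(NULL, COVER_SIZE * sizeof *cover, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED || ioctl(fd, KCOV_ENABLE, KCOV_TRACE_PC)) {
        if (cover != MAP_FAILED) munmap(cover, COVER_SIZE * sizeof *cover);
        close(fd); return NULL;
    }
    *fd_out = fd; return cover;
}
/* Step 2: fold a PC trace into an edge bitmap; return how many edges were unseen before. */
typedef struct { uint8_t bits[1 << (EDGE_MAP_BITS - 3)]; } covmap;
static size_t covmap_add_trace(covmap *m, const unsigned long *pcs, size_t n) {
    size_t fresh = 0;
    unsigned long prev = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t h = ((uint64_t)pcs[i] ^ ((uint64_t)prev >> 1)) * 0x9E3779B97F4A7C15ull; /* AFL-style edge id */
        uint32_t id = (uint32_t)(h >> (64 - EDGE_MAP_BITS));
        uint8_t mask = (uint8_t)(1u << (id & 7));
        if (!(m->bits[id >> 3] & mask)) { m->bits[id >> 3] |= mask; fresh++; }
        prev = pcs[i];
    }
    return fresh;
}
/* Constructed stand-in for "run the target under kcov": a deterministic, input-dependent PC trace
 * so the loop has something to discover. Replace with kcov_attach() plus the real target program. */
static size_t fake_execute(const uint8_t *in, size_t len, unsigned long *pcs) {
    size_t n = 0;
    pcs[n++] = 0x1000;                                                            /* entry */
    for (size_t i = 0; i < len && n + 2 < TRACE_MAX; i++) {
        pcs[n++] = 0x2000 + (in[i] & 0x0f) * 0x10;                                /* 16-way dispatch on the low nibble */
        if (in[i] == 'F' && i + 1 < len && in[i + 1] == 'Z') pcs[n++] = 0x3000; /* rare branch */
    }
    pcs[n++] = 0x4000;                                                            /* exit */
    return n;
}

/* Steps 3 and 4: mutate a corpus member, run it, keep it only if coverage grew. */
typedef struct { uint8_t data[MAX_INPUT]; size_t len; } input_t;
typedef struct { input_t items[MAX_CORPUS]; size_t count, edges; covmap map; uint32_t rng; } fuzzer;
static uint32_t next_rand(fuzzer *f) { f->rng = f->rng * 1103515245u + 12345u; return f->rng >> 8; }
static void fuzz_step(fuzzer *f) {
    input_t cand = f->items[next_rand(f) % f->count];
    if (cand.len < MAX_INPUT && (cand.len == 0 || (next_rand(f) & 3) == 0))
        cand.data[cand.len++] = (uint8_t)next_rand(f);                             /* append a byte */
    else
        cand.data[next_rand(f) % cand.len] ^= (uint8_t)(1u << (next_rand(f) & 7)); /* flip a bit */
    unsigned long pcs[TRACE_MAX];
    size_t gained = covmap_add_trace(&f->map, pcs, fake_execute(cand.data, cand.len, pcs));
    f->edges += gained;
    if (gained && f->count < MAX_CORPUS) f->items[f->count++] = cand;            /* keep for repro */
}
/* Seed the corpus, run `rounds` mutations, return the corpus size. */
static size_t fuzz_run(fuzzer *f, const char *seed, unsigned rounds, uint32_t rng_seed) {
    memset(f, 0, sizeof *f);
    f->rng = rng_seed; f->count = 1;
    f->items[0].len = strlen(seed) > MAX_INPUT ? MAX_INPUT : strlen(seed);
    memcpy(f->items[0].data, seed, f->items[0].len);
    unsigned long pcs[TRACE_MAX];
    f->edges = covmap_add_trace(&f->map, pcs, fake_execute(f->items[0].data, f->items[0].len, pcs));
    for (unsigned i = 0; i < rounds; i++) fuzz_step(f);
    return f->count;
}

int main(void) {
    int fd;
    unsigned long *cover = kcov_attach(&fd);
    if (cover) { /* real kcov: trace one syscall and fold its kernel PCs into a fresh map */
        covmap m = {{0}};
        __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
        read(-1, NULL, 0);
        unsigned long n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
        printf("kcov: read(-1) hit %lu PCs, %zu edges\n", n, covmap_add_trace(&m, cover + 1, n));
        ioctl(fd, KCOV_DISABLE, 0); munmap(cover, COVER_SIZE * sizeof *cover); close(fd);
    }
    fuzzer f;
    size_t kept = fuzz_run(&f, "aaaa", 5000, 1);
    printf("stand-in target: corpus of %zu inputs, %zu distinct edges\n", kept, f.edges);
    return 0;
}
```

Two points worth noting when wiring this to a real target: kcov is per-thread, so the thread that calls `KCOV_ENABLE` must be the one that issues the syscalls under test (or the target must be run under `KCOV_REMOTE_ENABLE`, not shown here), and the bitmap on purpose stores hashed edge ids rather than raw PCs, so a kept input records which edges were new but the repro corpus, not the map, is what gets minimized and saved.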

Labels: enhancement (New feature or request)