🤖 AI Summary
To address critical challenges in Linux kernel driver fuzzing—including insufficient context awareness, blind parameter mutation, and inadequate modeling of device interdependencies—this paper proposes the first runtime-parameter-driven fuzzing framework. Our approach employs static analysis to extract LKDM data structures and cross-driver function-call relationships, constructing a topology graph of interconnected devices. We design a relationship-aware mutation mechanism that dynamically prioritizes mutation of critical runtime parameters during the execution of related drivers. This method overcomes the semantic and device-coordination blind spots inherent in conventional black-box and grammar-based fuzzing. Evaluated on the latest upstream Linux kernel, our framework discovers 30 previously unknown vulnerabilities (20 confirmed, 14 merged into mainline, including 9 CVEs), significantly outperforming state-of-the-art approaches in both driver code coverage and vulnerability detection rate.
📝 Abstract
This paper introduces SyzParam, a novel fuzzing framework that incorporates runtime parameters into the fuzzing process. Achieving this requires addressing several key challenges: extracting valid values, constructing inter-device relations, and integrating with the fuzzing engine. By inspecting the data structures and functions associated with the LKDM, our tool extracts runtime parameters across various drivers through static analysis. SyzParam also collects inter-device relations and identifies the associations between runtime parameters and drivers. Furthermore, SyzParam proposes a novel mutation strategy that leverages these relations and prioritizes parameter modification while related drivers execute. Our evaluation demonstrates that SyzParam outperforms existing fuzzing work in driver code coverage and bug-detection capability. To date, we have identified 30 unique bugs in the latest upstream kernels, with 20 confirmed and 14 patched into the mainline kernel, including 9 CVEs.
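As an added illustration of the relationship-aware prioritization the abstract describes (this is not SyzParam's code; the device topology, parameter names and valid-value sets are constructed), the toy model below weights each runtime parameter by how close its owning device sits to the driver currently under execution and then samples one parameter and one extracted valid value to mutate:

```python
"""Toy model of relationship-aware runtime-parameter mutation (added example, not SyzParam's code)."""
import random
from collections import defaultdict, deque

# Constructed inter-device topology: an edge A -> B means B is attached to / depends on A.
TOPOLOGY = {
    "pci0000:00": {"e1000e", "ahci"},
    "e1000e": {"eth0"},
    "ahci": {"sda"},
    "eth0": set(),
    "sda": set(),
}

# Constructed runtime parameters (sysfs-style attributes) per device, with the valid values
# a static extraction pass would have recovered. "ttyS0" is deliberately outside the topology.
PARAMS = {
    "e1000e": {"tx_ring_size": [64, 256, 4096], "flow_control": ["on", "off"]},
    "eth0": {"mtu": [68, 1500, 9000], "carrier": [0, 1]},
    "ahci": {"link_power_management_policy": ["max_performance", "min_power"]},
    "sda": {"queue_depth": [1, 32, 254]},
    "ttyS0": {"xmit_fifo_size": [16, 64]},
}

def related_devices(topology, start):
    """BFS over the undirected topology; returns {device: hop distance from start}."""
    undirected = defaultdict(set)
    for src, dsts in topology.items():
        for dst in dsts:
            undirected[src].add(dst)
            undirected[dst].add(src)
    dist, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in undirected[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def parameter_weights(topology, params, executing_driver, floor=0.05):
    """Weight each (device, param) by 1/(1+distance); unrelated devices keep a small floor."""
    dist = related_devices(topology, executing_driver)
    return {(dev, name): (1.0 / (1 + dist[dev]) if dev in dist else floor)
            for dev, attrs in params.items() for name in attrs}

def pick_mutation(topology, params, executing_driver, rng):
    """Sample one parameter biased toward related devices, plus a valid value for it."""
    weights = parameter_weights(topology, params, executing_driver)
    keys = list(weights)
    (dev, name), = rng.choices(keys, weights=[weights[k] for k in keys], k=1)
    return dev, name, rng.choice(params[dev][name])
```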