🤖 AI Summary
Kernel fuzzing poses significant pedagogical and practical challenges for secondary education—namely, conceptual opacity, complex environment setup, and poor controllability of kernel state transitions. Method: We systematically survey 99 studies published between 2017 and 2024, proposing (i) the first phased kernel fuzzing model that explicitly decomposes the process into input generation, execution monitoring, and feedback analysis—with associated technical constraints—and (ii) a novel nine-dimensional fine-grained functional taxonomy that decouples and maps functionalities across all fuzzing stages. Contribution/Results: Our analysis identifies three fundamental bottlenecks—driver coverage limitation, inadequate kernel state modeling, and poor environment controllability—and proposes actionable technical improvements. We further outline future research directions, including lightweight kernel abstraction and semantics-aware mutation strategies. This work establishes both a theoretical foundation and a practical framework to advance kernel security education and methodological evolution.
📝 Abstract
The Operating System (OS) kernel is foundational in modern computing, especially with the proliferation of diverse computing devices. However, its development also comes with vulnerabilities that can lead to severe security breaches. Kernel fuzzing, a technique used to uncover these vulnerabilities, poses distinct challenges when compared to userspace fuzzing. These include the complexity of configuring the testing environment and addressing the statefulness inherent to both the kernel and the fuzzing process. Despite the significant interest from the security community, a comprehensive understanding of kernel fuzzing remains lacking, hindering further progress in the field. In this paper, we present the first systematic study dedicated to OS kernel fuzzing. It begins by summarizing the progress of 99 academic studies from top-tier venues between 2017 and 2024. Following this, we introduce a stage-based fuzzing model and a novel fuzzing taxonomy that highlights nine core functionalities unique to kernel fuzzing. These functionalities are examined alongside their corresponding methodological approaches based on qualitative evaluation criteria. Our systematization identifies challenges in meeting functionality requirements and proposes potential technical solutions. Finally, we outline promising and practical future directions to guide forthcoming research in kernel security, supported in part by insights derived from our case study.
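The stage-based model named above (input generation, execution monitoring, feedback analysis) is easiest to see as a loop whose three stages are separate functions. The following is an added example written for this page, not code from the paper or from any kernel fuzzer it surveys. It replaces the kernel with a constructed `ToyDriver` state machine (the names `ToyDriver`, `generate`, `execute`, `analyze` and `fuzz` are this example's own) so that the statefulness the abstract mentions is visible: the same operation reaches different code depending on the operations that came before it, and the feedback stage only keeps inputs that reach new (state, operation) edges.

```python
import random

# Syscall-like operations the toy driver understands (constructed for this example).
OPS = ["open", "close", "config", "write", "reset"]


class ToyDriver:
    """Constructed stand-in for a kernel driver: a tiny state machine whose
    reachable code depends on the order of operations, like a real driver
    whose ioctl handlers only do work after open()/configuration."""

    def __init__(self):
        self.state = "closed"
        self.buf_len = 0
        self.edges = set()  # (state, op) pairs: our stand-in for edge coverage

    def step(self, op):
        self.edges.add((self.state, op))
        if op == "open" and self.state == "closed":
            self.state = "open"
        elif op == "config" and self.state == "open":
            self.state = "configured"
        elif op == "write" and self.state == "configured":
            self.buf_len += 1
            if self.buf_len > 3:  # toy bug: only reachable after open -> config -> 4 writes
                raise RuntimeError("toy panic: write past buffer")
        elif op == "reset":
            self.buf_len = 0
        elif op == "close":
            self.state = "closed"
            self.buf_len = 0


def generate(corpus, rng, max_len=8):
    """Stage 1 (input generation): mutate a program drawn from the corpus by
    inserting, deleting or replacing one operation."""
    parent = list(rng.choice(corpus))
    choice = rng.randrange(3)
    if choice == 0 and len(parent) < max_len:
        parent.insert(rng.randrange(len(parent) + 1), rng.choice(OPS))
    elif choice == 1 and len(parent) > 1:
        del parent[rng.randrange(len(parent))]
    else:
        parent[rng.randrange(len(parent))] = rng.choice(OPS)
    return parent


def execute(program):
    """Stage 2 (execution monitoring): run one program on a fresh driver
    instance and report the edges it hit and whether it crashed. Starting
    from a fresh instance is what makes each run reproducible."""
    drv = ToyDriver()
    crashed = False
    for op in program:
        try:
            drv.step(op)
        except RuntimeError:
            crashed = True  # the crashing edge was recorded before the raise
            break
    return frozenset(drv.edges), crashed


def analyze(program, edges, crashed, state):
    """Stage 3 (feedback analysis): keep the program only if it reached edges
    the corpus has not reached before; record crashes separately."""
    new_edges = edges - state["coverage"]
    if crashed:
        state["crashes"].append(program)
    if new_edges:
        state["coverage"] |= new_edges
        state["corpus"].append(program)
    return bool(new_edges)


def fuzz(seed, iterations, rng_seed=0):
    """Run the three stages in a loop from one seed program and return the
    corpus, the accumulated coverage and any crashing programs found."""
    rng = random.Random(rng_seed)
    edges, crashed = execute(seed)
    state = {"corpus": [list(seed)], "coverage": set(edges), "crashes": []}
    if crashed:
        state["crashes"].append(list(seed))
    for _ in range(iterations):
        prog = generate(state["corpus"], rng)
        edges, crashed = execute(prog)
        analyze(prog, edges, crashed, state)
    return state


if __name__ == "__main__":
    result = fuzz(["open"], iterations=2000)
    print("corpus size:", len(result["corpus"]))
    print("edges covered:", len(result["coverage"]))
    print("crashing programs:", result["crashes"][:3])
```

The loop mirrors the bottlenecks the summary names: without a fresh `ToyDriver` per run (environment controllability) the coverage of one input would depend on leftover state from the previous one, and without the state component in each edge (kernel state modeling) the feedback stage could not tell a `write` in the `configured` state apart from one in the `closed` state, so it would never learn that the ordering matters.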