Coverage-guided kernel fuzzers such as syzkaller rely on edge coverage (trace-pc) as their sole feedback signal. This context-blind approach cannot distinguish execution paths that differ only in argument values: for example, two invocations of copy_from_user() with different size parameters hit identical basic blocks yet have vastly different security implications. We present BOUNDARY FLOW, an LLVM-based instrumentation framework that extends Linux KCOV with per-task data-flow extraction of function arguments and return values. A compiler pass (-fsanitize-coverage=dataflow-args, dataflow-ret) emits lightweight callbacks capturing a structured tuple <PC, arg_idx, arg_size, ptr, offsets[]> at function entry and <PC, ret_size, ptr, offsets[]> at return. Composite types are automatically decomposed via DWARF DICompositeType metadata with zero source annotation. A separate kernel device (/sys/kernel/debug/kcov_dataflow) provides lock-free per-task ring buffers with no interference to existing KCOV or syzkaller infrastructure. We demonstrate dual utility: fuzzers gain state-aware feedback for guiding mutation into value-dependent state transitions, and security analysts obtain deterministic argument records for root-cause analysis without printk or kprobe overhead. A post-compilation pipeline (rustc, opt, llc) enables Rust kernel module instrumentation without modifying rustc, the only runtime method for capturing Rust function arguments given that drgn/vmcore fails under -O2 DWARF elision. Evaluated on five vulnerability classes (OOB, UAF, double-free, 10-deep chain propagation, Rust FFI, Rust for Linux modules) with <3% overhead on instrumented paths.
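The copy_from_user() motivation above can be made concrete with a small user-space model. The following is an added example, not BOUNDARY FLOW's instrumentation or kernel code: the record layout (a reduced form of the <PC, arg_idx, arg_size, ptr, offsets[]> tuple with the argument value copied inline), the single-producer ring buffer, the fake_copy_from_user() stand-in and the log2 value bucketing are all constructed assumptions. It shows why a feedback key built from PC alone cannot separate a 16-byte copy from a 4096-byte copy, while a key that folds in the recorded argument value can.

```c
/* Added example: user-space model of argument-record feedback.
 * Not BOUNDARY FLOW's code; record layout, ring buffer and bucketing are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Reduced form of the entry tuple <PC, arg_idx, arg_size, ptr, offsets[]>:
 * for a scalar argument the pointed-to data is just the value itself. */
struct df_arg_record {
    uintptr_t pc;
    uint32_t arg_idx;
    uint32_t arg_size;
    uint64_t value;     /* scalar argument, zero-extended */
};

#define RING_SLOTS 64
struct df_ring {
    struct df_arg_record slots[RING_SLOTS];
    unsigned head;      /* written by the instrumented (producer) side */
    unsigned tail;      /* advanced by the consumer (fuzzer/analyst) */
};

static struct df_ring g_ring;   /* stands in for one per-task buffer */

static void df_reset(void) { g_ring.head = g_ring.tail = 0; }

/* Producer: one slot per recorded argument. A full ring drops the record
 * rather than blocking, since the callback sits on the instrumented path. */
static int df_record_arg(uintptr_t pc, uint32_t idx, uint32_t size, uint64_t v) {
    unsigned next = (g_ring.head + 1) % RING_SLOTS;
    if (next == g_ring.tail) return 0;            /* full: drop */
    g_ring.slots[g_ring.head] = (struct df_arg_record){pc, idx, size, v};
    g_ring.head = next;
    return 1;
}

/* Consumer: pop the oldest record, or return 0 when the ring is empty. */
static int df_pop(struct df_arg_record *out) {
    if (g_ring.tail == g_ring.head) return 0;
    *out = g_ring.slots[g_ring.tail];
    g_ring.tail = (g_ring.tail + 1) % RING_SLOTS;
    return 1;
}

/* Stand-in for copy_from_user(): identical basic blocks whatever n is.
 * The "compiler-emitted" callback records argument 2 (the size) at entry. */
static int fake_copy_from_user(void *to, const void *from, unsigned long n) {
    df_record_arg((uintptr_t)fake_copy_from_user, 2, (uint32_t)sizeof n, n);
    memcpy(to, from, n);
    return 0;
}

/* Coarse value bucket (floor(log2 v)) so nearby sizes share feedback state
 * while order-of-magnitude changes are visible to the fuzzer. */
static unsigned df_bucket(uint64_t v) {
    unsigned b = 0;
    while (v > 1) { v >>= 1; b++; }
    return b;
}

/* Edge coverage would key on pc alone; the data-flow key adds (arg_idx, bucket). */
static uint64_t df_feedback_key(const struct df_arg_record *r) {
    uint64_t k = (uint64_t)r->pc;
    k = k * 1315423911ULL + r->arg_idx;
    k = k * 1315423911ULL + df_bucket(r->value);
    return k;
}

/* Run two copies of sizes a and b, drain the ring, and report whether their
 * data-flow feedback keys differ. Returns -1 on a bad size or a lost record. */
static int df_sizes_distinguishable(unsigned long a, unsigned long b) {
    unsigned char src[4096] = {0}, dst[4096];
    struct df_arg_record ra, rb;
    if (a > sizeof src || b > sizeof src) return -1;
    df_reset();
    fake_copy_from_user(dst, src, a);
    fake_copy_from_user(dst, src, b);
    if (!df_pop(&ra) || !df_pop(&rb)) return -1;
    return df_feedback_key(&ra) != df_feedback_key(&rb);
}

/* How many records fit before the lossy producer starts dropping. */
static int df_capacity(void) {
    int n = 0;
    df_reset();
    while (df_record_arg(0x1000, 0, 8, (uint64_t)n)) n++;
    return n;
}

int main(void) {
    printf("16 vs 4096 distinguishable: %d\n", df_sizes_distinguishable(16, 4096));
    printf("16 vs 17   distinguishable: %d\n", df_sizes_distinguishable(16, 17));
    printf("ring capacity: %d records\n", df_capacity());
    return 0;
}
```

The bucketing is the tunable part: too fine and every size becomes its own "state" (the feedback explodes), too coarse and the 16-versus-4096 distinction that motivates the approach disappears again. A real per-task buffer would also need a memory barrier between writing the slot and publishing head so a concurrent reader never sees a half-written record; the single-threaded model omits it.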