Kernel fuzzing in ChromeOS
ChromeOS kernel fuzzing uses syzkaller. Syzkaller fuzzes core kernel components in VMs, and device drivers on DUTs (devices under test) in the lab.
The core ChromeOS kernel is fuzzed continuously in VMs.
Device drivers are fuzzed in the lab for 30 minutes per board type, about twice a day. More information about how syzkaller is deployed in the lab can be found here.
You can run syzkaller against a DUT you have locally, or a leased device from the lab. Instructions for flashing the DUT with a debug kernel and fuzzing it can be found here.
A guide on writing fuzz targets for syzkaller can be found here.