http://dx.doi.org/10.13089/JKIISC.2020.30.3.443

Runtime-Guard Coverage Guided Fuzzer Avoiding Deoptimization for Optimized Javascript Functions  

Kim, Hong-Kyo (Korea University)
Moon, Jong-sub (Korea University)
Abstract
The JavaScript engine is the browser module that takes JavaScript code as input and executes it, one of the many components a web browser loads in order to display web pages. Because a vulnerability in a JavaScript engine can threaten the system security of any end user who runs JavaScript through a browser, many fuzz-testing studies have targeted these engines. Some of them have improved fuzzing efficiency by guiding input generation with test coverage of the engine, but none has attempted coverage-guided fuzzing of the optimized machine code that the engine's JIT compiler generates dynamically at run time. Optimized code is hard to exercise repeatedly through fuzzing: the runtime guards embedded in it discard the optimized code (deoptimization) whenever control flow violates the assumptions under which that code was compiled, so a fuzz input that trips a guard stops exercising the optimized code at all. To solve this problem, this paper proposes a method for fuzz testing optimized machine code while avoiding deoptimization. In addition, we propose a method that measures runtime-guard coverage through dynamic binary instrumentation and guides the fuzzer toward inputs that increase it. In our experiments, the proposed method outperformed the existing method on two measures: runtime-guard coverage and the number of iterations per unit time.
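The deoptimization problem the abstract describes can be made concrete with a small model of what a speculative JIT guards on and what a "guard-aware" mutator has to preserve. The following script is an added illustration written for this page; it is not code from the paper and does not reproduce the paper's method. It assumes (as a simplification, not something the paper states) that the guards worth modelling are the usual V8-style checks: small integer (Smi, here conservatively taken as 31-bit) versus heap number, primitive type, and object shape (property names in insertion order). `typeProfile`, `mutateKeepingProfile`, `mutateFreely`, `runCampaign` and the target `add` are all names chosen for this example; the campaign statistics it prints are computed by the model, not measured from an engine.

```javascript
// Added example (not from the paper): a guard-aware mutator that keeps fuzz
// inputs inside the type profile a JIT specialised an optimized function for,
// next to a baseline mutator that freely changes argument types.
// Assumption (not from the paper): guards modelled are Smi-vs-double, primitive
// type, and object shape. Smi range is taken conservatively as 31-bit.
'use strict';

const SMI_MIN = -(2 ** 30);
const SMI_MAX = 2 ** 30 - 1;

// Classify one argument the way a speculative guard would distinguish it.
function guardClass(v) {
  if (typeof v === 'number') {
    return Number.isInteger(v) && v >= SMI_MIN && v <= SMI_MAX ? 'smi' : 'double';
  }
  if (typeof v === 'string') return 'string';
  if (typeof v === 'boolean') return 'boolean';
  if (v === null) return 'null';
  if (v === undefined) return 'undefined';
  if (Array.isArray(v)) return 'array';
  if (typeof v === 'object') return 'object{' + Object.keys(v).join(',') + '}';
  return typeof v;
}

// Type profile of a whole argument list, e.g. ['smi', 'smi'] for add(1, 2).
function typeProfile(args) {
  return args.map(guardClass);
}

// Deterministic PRNG (xorshift32) so campaigns are reproducible.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return function next() {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000; // in [0, 1)
  };
}

function randInt(rng, lo, hi) { return lo + Math.floor(rng() * (hi - lo + 1)); }

// Mutate one value without changing its guard class.
function mutateValueKeepingClass(v, rng) {
  switch (guardClass(v)) {
    case 'smi': return randInt(rng, SMI_MIN, SMI_MAX);
    case 'double': { let d = (rng() - 0.5) * 1e12; if (Number.isInteger(d)) d += 0.5; return d; }
    case 'string': {
      let out = '';
      for (let i = randInt(rng, 0, 8); i > 0; i--) out += String.fromCharCode(randInt(rng, 32, 126));
      return out;
    }
    case 'boolean': return rng() < 0.5;
    case 'array': return v.map((e) => mutateValueKeepingClass(e, rng));
    default:
      if (v !== null && typeof v === 'object') {
        const out = {};
        for (const k of Object.keys(v)) out[k] = mutateValueKeepingClass(v[k], rng); // same keys, same order
        return out;
      }
      return v; // null/undefined: nothing to vary without changing class
  }
}

// Guard-aware mutator: every argument keeps its class, so code specialised for
// the seed's profile sees no guard violation.
function mutateKeepingProfile(args, rng) {
  return args.map((a) => mutateValueKeepingClass(a, rng));
}

// Baseline mutator: may swap an argument for a value of a different class.
const POOL = [0, 1, -1, 2 ** 31, 1.5, NaN, '', 'a', true, null, undefined, {}, { x: 1 }, []];
function mutateFreely(args, rng) {
  return args.map((a) => (rng() < 0.3 ? POOL[randInt(rng, 0, POOL.length - 1)] : mutateValueKeepingClass(a, rng)));
}

// Drive fn with mutated inputs; count inputs that left the seed's profile,
// i.e. would have tripped a guard and deoptimized the specialised code.
function runCampaign(fn, seedArgs, mutator, iterations, seed = 1) {
  const rng = makeRng(seed);
  const want = typeProfile(seedArgs).join('|');
  let guardViolations = 0;
  let crashes = 0;
  for (let i = 0; i < iterations; i++) {
    const args = mutator(seedArgs, rng);
    if (typeProfile(args).join('|') !== want) guardViolations++;
    try { fn(...args); } catch (e) { crashes++; }
  }
  return { iterations, guardViolations, crashes };
}

// Constructed target: after warm-up a real JIT specialises it for (smi, smi).
function add(a, b) { return a + b; }
for (let i = 0; i < 100000; i++) add(i, i + 1);

console.log('guard-aware:', runCampaign(add, [1, 2], mutateKeepingProfile, 10000));
console.log('baseline   :', runCampaign(add, [1, 2], mutateFreely, 10000));
```

The counter `guardViolations` is the model's stand-in for a deoptimization: the guard-aware campaign reports zero, the baseline campaign reports a violation roughly every other input. To check the real engine rather than the model, run the script under `node --trace-opt --trace-deopt` and look for deoptimization lines that name `add`; they should appear only once the baseline campaign starts passing non-Smi arguments.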
Keywords
software testing; JavaScript engine; fuzzing; JIT compiler; coverage guidance;
References
1 J. Wang, B. Chen, L. Wei, and Y. Liu, "Superion: Grammar-Aware Greybox Fuzzing," Proceedings of the 41st IEEE/ACM International Conference on Software Engineering (ICSE), pp. 724-735, May 2019.
2 The Clang Team, "SanitizerCoverage," Clang 11 documentation, https://clang.llvm.org/docs/SanitizerCoverage.html, accessed Mar. 22, 2020.
3 Google, "Chromium bug 944062," https://bugs.chromium.org/p/chromium/issues/detail?id=944062, accessed Apr. 29, 2020.
4 S. Groß, "FuzzIL: Coverage Guided Fuzzing for JavaScript Engines," Master's thesis, Karlsruhe Institute of Technology, Jan. 2018.
5 C. Holler, K. Herzig, and A. Zeller, "Fuzzing with code fragments," Proceedings of the 21st USENIX Security Symposium, pp. 445-458, Aug. 2012.
6 D. Jang, Z. Tatlock, and S. Lerner, "SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks," NDSS Symposium 2014, Feb. 2014.
7 G. A. Perez, C. M. Kao, Y. C. Chung, and W. C. Hsu, "A hybrid just-in-time compiler for Android: comparing JIT types and the result of cooperation," Proceedings of the 2012 International Conference on Compilers, Architectures and Synthesis for Embedded Systems (CASES), pp. 41-51, Oct. 2012.
8 M. Zalewski (lcamtuf), "american fuzzy lop," http://lcamtuf.coredump.cx/afl/, accessed Mar. 18, 2020.
9 Google Project Zero, "fuzzilli," https://github.com/googleprojectzero/fuzzilli, accessed Mar. 18, 2020.
10 H.-W. Park, S.-K. Kim, and S.-M. Moon, "Work-in-progress: advanced ahead-of-time compilation for JavaScript engine," Proceedings of the 2017 International Conference on Compilers, Architectures and Synthesis for Embedded Systems (CASES), pp. 1-2, Nov. 2017.
11 MITRE, "CVE-2019-5782," https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5782, accessed Mar. 18, 2020.
12 Mozilla Security, "funfuzz," https://github.com/MozillaSecurity/funfuzz, accessed Mar. 22, 2020.
13 Google Project Zero, "domato," https://github.com/googleprojectzero/domato, accessed Mar. 23, 2020.
14 P. Godefroid, A. Kiezun, and M. Y. Levin, "Grammar-based whitebox fuzzing," Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 206-215, June 2008.
15 V8 project, "v8," https://github.com/v8/v8, accessed Mar. 22, 2020.
16 M. Bebenita, F. Brandner, M. Fahndrich, F. Logozzo, W. Schulte, N. Tillmann, and H. Venter, "SPUR: a trace-based JIT compiler for CIL," Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA), pp. 708-725, Oct. 2010.
17 M.-S. Lee, J.-H. Lee, H.-B. Kim, and C.-H. Ryu, "Instrumentation Performance Measurement Technique for Evaluating Efficiency of Binary Analysis Tools," Journal of The Korea Institute of Information Security & Cryptology, 27(6), pp. 1331-1345, Dec. 2017.
18 G. Southern and J. Renau, "Overhead of deoptimization checks in the V8 JavaScript engine," IEEE International Symposium on Workload Characterization (IISWC), pp. 1-10, Sep. 2016.
19 M. N. Kedlaya, B. Robatmili, and B. Hardekopf, "Server-side type profiling for optimizing client-side JavaScript engines," ACM SIGPLAN Notices, vol. 51, no. 2, pp. 140-153, Oct. 2015.
20 M. Yusuf, A. El-Mahdy, and E. Rohou, "On-stack replacement to improve JIT-based obfuscation: a preliminary study," Proceedings of the 2nd International Japan-Egypt Conference on Electronics, Communications and Computers (JEC-ECC), pp. 94-99, Mar. 2014.