http://dx.doi.org/10.13089/JKIISC.2020.30.4.573

Semantics-Preserving Mutation-Based Fuzzing on JavaScript Interpreters  

Oh, DongHyeon (SoftSec Lab., Korea Advanced Institute of Science and Technology)
Choi, JaeSeung (SoftSec Lab., Korea Advanced Institute of Science and Technology)
Cha, SangKil (SoftSec Lab., Korea Advanced Institute of Science and Technology)
Abstract
Fuzzing is a method of testing software by randomly generating test cases. Since its introduction, a variety of fuzzing techniques have been studied. Among them, mutation-based fuzzing is an efficient method that finds real-world bugs even though it uses simple operations such as probabilistic bit-flipping and character substitution. However, fuzzing an interpreter makes it difficult to apply such general mutation techniques, because the interpreter requires inputs that are both grammatically and semantically correct. In this paper, we present a novel mutation-based fuzzing technique for JavaScript interpreters that uses dynamic data flow analysis. To this end, we implement JMFuzzer, which can generate various types of mutated test cases that run normally, without runtime errors, in a JavaScript interpreter by taking syntax and semantics into account. As a result, we found numerous unknown vulnerabilities in the latest JavaScript interpreters. We reported all of them to the vendors.
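To make the abstract's argument concrete, the following added example (not JMFuzzer's code; the one-shot type recording is a simplified stand-in for the paper's dynamic data flow analysis) takes a constructed seed program and shows a byte-level mutation that breaks its syntax, a syntactically valid substitution that still throws at runtime, and a substitution guarded by runtime types observed from a single execution, which stays runnable.

```javascript
// Constructed seed program (assumed input for this illustration).
const seed = 'var a = [1, 2, 3]; var n = a.length; var m = 7; var s = a.slice(n);';

// Syntax check only: does the interpreter accept the program grammatically?
function parses(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Semantic check: does the program also run to completion without throwing?
function runsClean(src) {
  try { new Function(src)(); return true; } catch (e) { return false; }
}

// Generic byte-level mutation, as a format-agnostic fuzzer would apply it.
function byteMutate(src, idx, ch) {
  return src.slice(0, idx) + ch + src.slice(idx + 1);
}

// Stand-in for dynamic data flow analysis: run the seed once and record the
// runtime type of every declared variable (arrays kept distinct from objects).
function observeTypes(src) {
  const names = [...src.matchAll(/\bvar\s+([A-Za-z_$][\w$]*)/g)].map(m => m[1]);
  const probe = names.map(v => `${v}: Array.isArray(${v}) ? 'array' : typeof ${v}`);
  return new Function(`${src}; return {${probe.join(',')}};`)();
}

// Replace identifier `from` with `to` inside statement `stmtIdx` only.
// This is the raw mutation with no safety check: it can parse yet still throw.
function substitute(src, stmtIdx, from, to) {
  const stmts = src.split(';').map(s => s.trim()).filter(Boolean);
  stmts[stmtIdx] = stmts[stmtIdx].replace(new RegExp(`\\b${from}\\b`, 'g'), to);
  return stmts.join('; ') + ';';
}

// Semantics-preserving variant: only accept a replacement variable that is
// defined before this statement and has the same observed runtime type.
function typeAwareMutate(src, types, stmtIdx, from, to) {
  const stmts = src.split(';').map(s => s.trim()).filter(Boolean);
  const definedBefore = stmts.slice(0, stmtIdx)
    .map(s => (s.match(/^var\s+([\w$]+)/) || [])[1]);
  if (!definedBefore.includes(to) || types[from] !== types[to]) return null;
  return substitute(src, stmtIdx, from, to);
}
```

Flipping one byte of the seed yields a syntax error, replacing `a` with `n` in the last statement parses but throws a TypeError, and only the type-guarded substitution (`n` to `m`) produces a program the interpreter runs to completion.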
Keywords
Data flow analysis; Fuzzing; JavaScript; Mutation; Security;