Deity: Finding Deep Rooted Bugs in JavaScript Engines

Abstract

Fuzzing [1] is a well-known technique which was employed to provide unexpected or random data as input to JavaScript engines in hopes of finding a security vulnerability. For effective fuzzing, the input must be both syntactically correct and uncommonly randomized for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. In this work, we introduced system Deity which managed to resolve the conflict with innovative AST(Abstract Syntax Tree) [2] based tree mutation and generating methods. It leverages a high-level structural representation of intermediate process JavaScript code. Our evaluation demonstrates the effectiveness of Deity. For large-scale JavaScript engines (njs, mjs, Javascript-Core, ChakraCore, Espruino, Jerryscript) fuzzing, our results significantly show that Deity can improve code coverage and finding more deep rooted bugs (i.e., 35 new bugs, among which we discovered 21 new vulnerabilities with 3 CVEs assigned) over Superion and CodeAlchemist.