{"title":"WindCore: Path-Sensitive Semantic Analysis Technique for JavaScript Testcase Generation","authors":"Yunheng Luo, Jianshan Peng","doi":"10.1109/ICCC56324.2022.10065909","DOIUrl":null,"url":null,"abstract":"As the core component of web browser, JavaScript engine has always been concerned about its security. Current state-of-the-art fuzzers for JavaScript engines mainly focus on generating correct and effective testcases by extracting semantic information from the initial corpus. However, we found that the existing fuzzers did not pay attention to the impact of branch conditions in the process of extracting semantic information, which led to incorrect testcases. To address this challenge, we propose a path-sensitive semantic analysis technique and implement it in a fuzz testing tool termed WindCore. Compared with the existing fuzzers, WindCore can more fully extract the semantic information in the initial corpus and generate testcases with correct syntax and semantics. Experimental results show that WindCore can greatly improve the correct rate of testcases with only a negligible performance overhead.","PeriodicalId":263098,"journal":{"name":"2022 IEEE 8th International Conference on Computer and Communications (ICCC)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE 8th International Conference on Computer and Communications (ICCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCC56324.2022.10065909","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
As the core component of a web browser, the JavaScript engine has always been a security concern. Current state-of-the-art fuzzers for JavaScript engines mainly focus on generating correct and effective testcases by extracting semantic information from an initial corpus. However, we found that existing fuzzers do not account for the impact of branch conditions when extracting semantic information, which leads to incorrect testcases. To address this challenge, we propose a path-sensitive semantic analysis technique and implement it in a fuzz testing tool named WindCore. Compared with existing fuzzers, WindCore extracts the semantic information in the initial corpus more fully and generates testcases with correct syntax and semantics. Experimental results show that WindCore greatly improves the correctness rate of testcases with only negligible performance overhead.