DFL: A DOM sample generation oriented fuzzing framework for browser rendering engines
Guoyun Duan, Hai Zhao, Minjie Cai, Jianhua Sun, Hao Chen
DOI: 10.1016/j.infsof.2024.107591
Journal: Information and Software Technology, volume 177, Article 107591 (Journal Article, published 2024-10-01)
Journal metrics: impact factor 3.8, JCR Q2 (Computer Science, Information Systems)
URL: https://www.sciencedirect.com/science/article/pii/S0950584924001964
Citations: 0
Abstract
The security of web browsers, being fundamental to Internet access infrastructure, has garnered significant attention. Current approaches to identifying browser vulnerabilities predominantly rely on code auditing and componentized unit testing. Fuzzing has emerged as an efficient technique for vulnerability discovery. However, adapting this method to browser security testing poses considerable challenges. Recent endeavors in browser vulnerability discovery primarily concentrate on the parsing engine, with limited solutions addressing the rendering engine. Moreover, coverage-guided mutation, a critical aspect, is not prevalent in existing fuzzing frameworks. In this paper, we present DFL, a coverage-guided fuzzing framework that builds on FreeDom and AFL to re-engineer various text generators based on DOM syntax and to optimize the efficiency of sample generation. Additionally, serialization and deserialization methods are developed to implement generator text mutations and the seamless conversion between binary samples and the source DOM tree. When compared with three established DOM fuzzing frameworks on the latest Chromium kernel, DFL has demonstrated an ability to uncover 1.5–3 times more vulnerabilities within a short timeframe. Our research identifies potential avenues for further exploration in browser rendering engine security, specifically focusing on sample generation and path direction.
Journal description:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.