Fuzzing JavaScript Engines with Aspect-preserving Mutation

Soyeon Park, Wen Xu, Insu Yun, Daehee Jang, Taesoo Kim
{"title":"Fuzzing JavaScript Engines with Aspect-preserving Mutation","authors":"Soyeon Park, Wen Xu, Insu Yun, Daehee Jang, Taesoo Kim","doi":"10.1109/SP40000.2020.00067","DOIUrl":null,"url":null,"abstract":"Fuzzing is a practical, widely-deployed technique to find bugs in complex, real-world programs like JavaScript engines. We observed, however, that existing fuzzing approaches, either generative or mutational, fall short in fully harvesting high-quality input corpora such as known proof of concept (PoC) exploits or unit tests. Existing fuzzers tend to destruct subtle semantics or conditions encoded in the input corpus in order to generate new test cases because this approach helps in discovering new code paths of the program. Nevertheless, for JavaScript-like complex programs, such a conventional design leads to test cases that tackle only shallow parts of the complex codebase and fails to reach deep bugs effectively due to the huge input space.In this paper, we advocate a new technique, called an aspect-preserving mutation, that stochastically preserves the desirable properties, called aspects, that we prefer to be maintained across mutation. We demonstrate the aspect preservation with two mutation strategies, namely, structure and type preservation, in our fully-fledged JavaScript fuzzer, called Die. Our evaluation shows that Die’s aspect-preserving mutation is more effective in discovering new bugs (5.7× more unique crashes) and producing valid test cases (2.4× fewer runtime errors) than the state-of-the-art JavaScript fuzzers. Die newly discovered 48 high-impact bugs in ChakraCore, JavaScriptCore, and V8 (38 fixed with 12 CVEs assigned as of today). The source code of Die is publicly available as an open-source project.1","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"5 1","pages":"1629-1642"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"62","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00067","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 62

Abstract

Fuzzing is a practical, widely-deployed technique to find bugs in complex, real-world programs like JavaScript engines. We observed, however, that existing fuzzing approaches, either generative or mutational, fall short in fully harvesting high-quality input corpora such as known proof of concept (PoC) exploits or unit tests. Existing fuzzers tend to destruct subtle semantics or conditions encoded in the input corpus in order to generate new test cases because this approach helps in discovering new code paths of the program. Nevertheless, for JavaScript-like complex programs, such a conventional design leads to test cases that tackle only shallow parts of the complex codebase and fails to reach deep bugs effectively due to the huge input space.In this paper, we advocate a new technique, called an aspect-preserving mutation, that stochastically preserves the desirable properties, called aspects, that we prefer to be maintained across mutation. We demonstrate the aspect preservation with two mutation strategies, namely, structure and type preservation, in our fully-fledged JavaScript fuzzer, called Die. Our evaluation shows that Die’s aspect-preserving mutation is more effective in discovering new bugs (5.7× more unique crashes) and producing valid test cases (2.4× fewer runtime errors) than the state-of-the-art JavaScript fuzzers. Die newly discovered 48 high-impact bugs in ChakraCore, JavaScriptCore, and V8 (38 fixed with 12 CVEs assigned as of today). The source code of Die is publicly available as an open-source project.1
用保方面变异模糊JavaScript引擎
模糊测试是一种实用的、广泛部署的技术,用于在复杂的、现实世界的程序(如JavaScript引擎)中发现bug。然而,我们观察到,现有的模糊测试方法,无论是生成的还是突变的,都无法完全收集高质量的输入语料库,例如已知的概念证明(PoC)漏洞或单元测试。为了生成新的测试用例,现有的fuzzers倾向于破坏输入语料库中编码的微妙语义或条件,因为这种方法有助于发现程序的新代码路径。然而,对于类似javascript的复杂程序,这种传统的设计导致测试用例只能处理复杂代码库的浅层部分,并且由于巨大的输入空间而无法有效地发现深层bug。在本文中,我们提倡一种新的技术,称为方面保留突变,随机保留我们希望在突变中保持的理想特性,称为方面。我们用两种突变策略来演示方面保存,即结构保存和类型保存,这是在我们成熟的JavaScript模糊器Die中实现的。我们的评估表明,与最先进的JavaScript模糊测试器相比,Die的aspect-preserving mutation在发现新bug(多5.7倍的独特崩溃)和生成有效的测试用例(少2.4倍的运行时错误)方面更有效。我们在ChakraCore、JavaScriptCore和V8中新发现了48个影响较大的bug(截至今天已修复了38个bug,分配了12个cve)。Die的源代码是一个公开的开源项目
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信