CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines

Proceedings 2019 Network and Distributed System Security Symposium Pub Date : 2019-01-01 DOI:10.14722/ndss.2019.23263

HyungSeok Han, DongHyeon Oh, S. Cha

{"title":"CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines","authors":"HyungSeok Han, DongHyeon Oh, S. Cha","doi":"10.14722/ndss.2019.23263","DOIUrl":null,"url":null,"abstract":"JavaScript engines are an attractive target for attackers due to their popularity and flexibility in building exploits. Current state-of-the-art fuzzers for finding JavaScript engine vulnerabilities focus mainly on generating syntactically correct test cases based on either a predefined context-free grammar or a trained probabilistic language model. Unfortunately, syntactically correct JavaScript sentences are often semantically invalid at runtime. Furthermore, statically analyzing the semantics of JavaScript code is challenging due to its dynamic nature: JavaScript code is generated at runtime, and JavaScript expressions are dynamically-typed. To address this challenge, we propose a novel test case generation algorithm that we call semantics-aware assembly, and implement it in a fuzz testing tool termed CodeAlchemist. Our tool can generate arbitrary JavaScript code snippets that are both semantically and syntactically correct, and it effectively yields test cases that can crash JavaScript engines. We found numerous vulnerabilities of the latest JavaScript engines with CodeAlchemist and reported them to the vendors.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"96","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings 2019 Network and Distributed System Security Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14722/ndss.2019.23263","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 96

Abstract

JavaScript engines are an attractive target for attackers due to their popularity and flexibility in building exploits. Current state-of-the-art fuzzers for finding JavaScript engine vulnerabilities focus mainly on generating syntactically correct test cases based on either a predefined context-free grammar or a trained probabilistic language model. Unfortunately, syntactically correct JavaScript sentences are often semantically invalid at runtime. Furthermore, statically analyzing the semantics of JavaScript code is challenging due to its dynamic nature: JavaScript code is generated at runtime, and JavaScript expressions are dynamically-typed. To address this challenge, we propose a novel test case generation algorithm that we call semantics-aware assembly, and implement it in a fuzz testing tool termed CodeAlchemist. Our tool can generate arbitrary JavaScript code snippets that are both semantically and syntactically correct, and it effectively yields test cases that can crash JavaScript engines. We found numerous vulnerabilities of the latest JavaScript engines with CodeAlchemist and reported them to the vendors.

查看原文本刊更多论文

CodeAlchemist:语义感知代码生成以查找JavaScript引擎中的漏洞

JavaScript引擎由于其受欢迎程度和构建漏洞的灵活性而成为攻击者的一个有吸引力的目标。目前用于查找JavaScript引擎漏洞的最先进的fuzzers主要集中在基于预定义的上下文无关语法或训练的概率语言模型生成语法正确的测试用例上。不幸的是，语法正确的JavaScript句子在运行时往往在语义上无效。此外，由于JavaScript代码的动态性，静态分析其语义具有挑战性:JavaScript代码是在运行时生成的，JavaScript表达式是动态类型的。为了应对这一挑战，我们提出了一种新的测试用例生成算法，我们称之为语义感知组装，并在一个名为CodeAlchemist的模糊测试工具中实现它。我们的工具可以生成任意的JavaScript代码片段，这些代码片段在语义和语法上都是正确的，并且它有效地生成了可以使JavaScript引擎崩溃的测试用例。我们使用CodeAlchemist发现了最新JavaScript引擎的许多漏洞，并向供应商报告了这些漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings 2019 Network and Distributed System Security Symposium

自引率

0.00%

发文量