ABSTRACT
The JavaScript engine is a core component of the web browser, and its security issues are among the critical aspects of overall web ecosystem security. Fuzzing, as an efficient software testing approach, has been widely applied to detecting vulnerabilities in different JavaScript engines and is currently a hotspot of security research. Based on a systematic dissection of existing fuzzing methods, this paper reviews the development and technical ideas of JavaScript engine fuzzing together with a taxonomy, proposes a general framework for JavaScript engine fuzzing, and analyzes the key techniques involved. Finally, we discuss the core issues that limit efficiency in current research and present an outlook on future trends in JavaScript engine fuzzing.
Research on Fuzzing Technology for JavaScript Engines