research-article

Research on Fuzzing Technology for JavaScript Engines

Authors:
Ye Tian

State Key Laboratory of Mathematical Engineering and Advanced Computing, China and State Key Laboratory of Mathematical Engineering and Advanced Computing, China

State Key Laboratory of Mathematical Engineering and Advanced Computing, China and State Key Laboratory of Mathematical Engineering and Advanced Computing, China
View Profile

,
Xiaojun Qin

State Key Laboratory of Mathematical Engineering and Advanced Computing, China

State Key Laboratory of Mathematical Engineering and Advanced Computing, China
View Profile

,
Shuitao Gan

State Key Laboratory of Mathematical Engineering and Advanced Computing, China

State Key Laboratory of Mathematical Engineering and Advanced Computing, China
View Profile

CSAE '21: Proceedings of the 5th International Conference on Computer Science and Application EngineeringOctober 2021Article No.: 32Pages 1–7https://doi.org/10.1145/3487075.3487107

Published:07 December 2021Publication History

CSAE '21: Proceedings of the 5th International Conference on Computer Science and Application Engineering

Pages 1–7

ABSTRACT

JavaScript engine is the core component of web browsers, whose security issues are one of the critical aspects of the overall Web Eco-Security. Fuzzing technology, as an efficient software testing approach, has been widely applied to detecting vulnerabilities in different JavaScript engines, which is a security research hotspot at present. Based on systematical dissection of existing fuzzing methods, this paper reviews the development and technical ideas of JavaScript Engine Fuzzing combined with taxonomy, proposes a general framework of JavaScript Engine Fuzzing and analyzes the key techniques involved. Finally, we discuss the core issues that restrict efficiency in current research and present an outlook on the future trends of JavaScript Engine Fuzzing.

References

W3Techs. Usage Statistics of Javascript for Websites. https://w3techs.com /technologies/details/cp-javascript.Google Scholar
Google. V8: Google's Open Source High-Performance JavaScript and WebAssembly Engine. https://v8.dev/.Google Scholar
Microsoft. ChakraCore: The Core Part of the Chakra JavaScript Engine that Powers Microsoft Edge. https://github.com/microsoft/ChakraCore.Google Scholar
Apple. JavaScriptCore: The Built-In JavaScript Engine for WebKit. https://trac. webkit.org/wiki/JavaScriptCore.Google Scholar
Mozilla. SpiderMonkey: The JavaScript Engine for Firefox. https://developer. mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey.Google Scholar
Samsung. Jerryscript: JavaScript Engine for the Internet of Things. https:// github.com/jerryscript-project/jerryscript.Google Scholar
B.P. Miller, L. Fredriksen, B. So (1990). An Empirical Study of the Reliability of UNIX Utilities. Communications of the ACM, 33(12), 32-44.Google ScholarDigital Library
Ecma-International. ECMAScript® 2021 Language Specification. https://www. ecma-international.org/ecma-262/.Google Scholar
H. Lin, J. Peng, S. Zhao, (2019). Survey On JavaScript Engine Vulnerability Detection. Computer Engineering and Applications, 55(11), 16-24.Google Scholar
N. Nagappan, T. Ball (2005). Static Analysis Tools as Early Indicators of Pre-Release Defect Density. Proc of the 27th International Conference on Software Engineering, ICSE'05, 580-586.Google Scholar
Synopsys. Coverity Scan Static Analysis. https://scan.coverity.com.Google Scholar
CyberRes. Fortify Static Code Analyzer. https://www.microfocus.com/en-us /cyberres/application-security/static-code-analyzer.Google Scholar
Perforce. Klocwork: Best Static Code Analyzer for Developer Productivity, SAST, and DevOps/DevSecOps. https://www.perforce.com/products/klocwork.Google Scholar
D.E. Denning (1976). A Lattice Model of Secure Information Flow. Communications of the ACM, 19(5), 236-243.Google ScholarDigital Library
S. Gan, C. Zhang, P. Chen, (2020). GREYONE: Data Flow Sensitive Fuzzing. Proc of the 29th USENIX Security Symposium, USENIX Security'20, 2577-2594.Google Scholar
J.C. King (1976). Symbolic Execution and Program Testing. Communications of the ACM, 19(7), 385-394.Google ScholarDigital Library
R. Baldoni, E. Coppa, D.C. D'Elia, (2018). A Survey of Symbolic Execution Techniques. ACM Computing Surveys, 51(3), 50.Google ScholarDigital Library
C. Omar, J. Aldrich (2016). Programmable Semantic Fragments: The Design and Implementation of Typy. Proc of the ACM SIGPLAN Conference on Generative Programming: Concepts and Experiences, GPCE'16, 81-92.Google ScholarDigital Library
F. Brown, S. Narayan, R.S. Wahby, (2017). Finding and Preventing Bugs in JavaScript Bindings. Proc of the IEEE Symposium on Security and Privacy (S&P'17), 559-578.Google ScholarCross Ref
G. Maisuradze, M. Backes, C. Rossow (2017). Dachshund: Digging for and Securing (Non-)Blinded Constants in JIT Code. Proc of the 24th Annual Network and Distributed System Security Symposium, NDSS'2017.Google ScholarCross Ref
P. Oehlert (2005). Violating Assumptions with Fuzzing. IEEE Secur. Priv., 3(2), 58-62.Google ScholarDigital Library
P. Godefroid, M.Y. Levin, D.A. Molnar (2012). SAGE: Whitebox Fuzzing for Security Testing. Communications of the ACM, 55(3), 40-44.Google ScholarDigital Library
R. Swiecki, F. Gröbert. Honggfuzz. https://github.com/google/honggfuzz.Google Scholar
M. Zalewski. American Fuzzy Lop. https://lcamtuf.coredump.cx/afl/.Google Scholar
K. Serebryany (2016). Continuous Fuzzing with libFuzzer and AddressSanitizer. Proc of the IEEE Cybersecurity Development, SecDev'16, 157.Google ScholarCross Ref
M. Eddington. Peach Fuzzing Platform. http://community.peachfuzzer.com /WhatIsPeach.html.Google Scholar
M. Sutton. Filefuzz. http://osdir.com/ml/security.securiteam/2005-09/msg0007.Google Scholar
V.J.M. Manes, H. Han, C. Han, (2019). The Art, Science, and Engineering of Fuzzing: A Survey. IEEE Transactions on Software Engineering, 1.Google Scholar
MozillaSecurity. JSfunfuzz. https://github.com/MozillaSecurity/funfuzz.Google Scholar
J. Patra, M. Pradel (2016). Learning to Fuzz: Application-Independent Fuzz Testing with Probabilistic, Generative Models of Input Data. Proc of the Tech. Rep. TUD-CS-2016-14664.Google Scholar
J. Wang, B. Chen, L. Wei, Y. Liu (2017). Skyfire: Data-Driven Seed Generation for Fuzzing. Proc of the IEEE Symposium on Security and Privacy, S&P'17, 579-594.Google ScholarCross Ref
H. Han, D. Oh, S.K. Cha (2019). CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines. Proc of the 26th Annual Network and Distributed System Security Symposium, NDSS'19.Google ScholarCross Ref
S. Lee, H. Han, S.K. Cha, (2020). Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer. Proc of the 29th USENIX Security Symposium, USENIX Security'20, 2613-2630.Google Scholar
Ecma-TechnicalCommittee. Test262: ECMAScript Test Suite. https://github. com/tc39/test262.Google Scholar
G. Ye, Z. Tang, S.H. Tan, (2021). Automated Conformance Testing for JavaScript Engines Via Deep Compiler Fuzzing. Proc of the 42th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI'21.Google ScholarDigital Library
M. Böhme, V. Pham, A. Roychoudhury (2016). Coverage-Based Greybox Fuzzing as Markov Chain. Proc of the ACM SIGSAC Conference on Computer and Communications Security, CCS'16, 1032-1043.Google ScholarDigital Library
M. Böhme, V. Pham, M. Nguyen, A. Roychoudhury (2017). Directed Greybox Fuzzing. Proc of the ACM SIGSAC Conference on Computer and Communications Security, CCS'17, 2329-2344.Google ScholarDigital Library
S. Gan, C. Zhang, X. Qin, (2018). CollAFL: Path Sensitive Fuzzing. Proc of the IEEE Symposium on Security and Privacy, S&P'18, 679-696.Google ScholarCross Ref
J. Wang, B. Chen, L. Wei, Y. Liu (2019). Superion: Grammar-Aware Greybox Fuzzing. Proc of the 41st International Conference on Software Engineering, ICSE'19, 724-735.Google ScholarDigital Library
T.J. Parr, R.W. Quong (1995). ANTLR: A Predicated-LL(k) Parser Generator. Softw. Pract. Exp., 25(7), 789-810.Google ScholarDigital Library
H. Lin, J. Zhu, J. Peng, D. Zhu (2019). Deity: Finding Deep Rooted Bugs in JavaScript Engines. Proc of the 19th IEEE International Conference on Communication Technology, ICCT'19, 1585-1594.Google ScholarCross Ref
Y. Wang, Q. Wang, W. Ding (2020). Research on Semantic-Aware Fuzzing for JavaScript Engine. Journal of Information Engineering University, 21(03), 316-324.Google Scholar
S. Groß (2018). Fuzzil: Coverage Guided Fuzzing for Javascript Engines, Department of Informatics, Karlsruhe Institute of Technology.Google Scholar
C. Holler, K. Herzig, A. Zeller (2012). Fuzzing with Code Fragments. Proc of the 21th USENIX Security Symposium, USENIX Security'12, 445-458.Google Scholar
T. Guo, P. Zhang, An, (2013). GramFuzz: Fuzzing Testing of Web Brows¬ers Based On Grammar Analysis and Structural Mutation. Proc of the International Conference on Informatics & Applications, ICIA'13, 212-215.Google ScholarCross Ref
S. Veggalam, S. Rawat, I. Haller, H. Bos (2016). IFuzzer: An Evolutionary Interpreter Fuzzer Using Genetic Programming. Proc of the 21st European Symposium on Research in Computer Security, ESORICS'16, 581-601.Google ScholarCross Ref
C. Aschermann, T. Frassetto, T. Holz, (2019). NAUTILUS: Fishing for Deep Bugs with Grammars. Proc of the 26th Annual Network and Distributed System Security Symposium, NDSS'19.Google ScholarCross Ref
S. Park, W. Xu, I. Yun, (2020). Fuzzing JavaScript Engines with Aspect-Preserving Mutation. Proc of the IEEE Symposium on Security and Privacy, S&P'20, 1629-1642.Google ScholarCross Ref
J. Park, S. An, D. Youn, (2021). JEST: N+1 -Version Differential Testing of Both JavaScript Engines and Specification. Proc of the 43rd International Conference on Software Engineering, ICSE'21, 13-24.Google Scholar
Google. ClusterFuzz: Scalable Fuzzing Infrastructure. https://google.git hub.io/clusterfuzz/.Google Scholar
Google. OSS-Fuzz: Continuous Fuzzing for Open Source Software. https:// google.github.io/oss-fuzz/.Google Scholar
O. Levi. Pin - a Binary Instrumentation Tool. https://software.intel.com/en-us /articles/pin-a-dynamic-binary-instrumentation-tool.Google Scholar
DynamoRIO. Dynamic Instrumentation Tool Platform. https://dynamorio.org/.Google Scholar
S. Schumilo, C. Aschermann, R. Gawlik, (2017). KAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels. Proc of the 26th USENIX Security Symposium, USENIX Security'17, 167-182.Google Scholar
D. She, K. Pei, D. Epstein, (2019). NEUZZ: Efficient Fuzzing with Neural Program Smoothing. Proc of the IEEE Symposium on Security and Privacy, S&P'19, 803-817.Google ScholarCross Ref
Y. Wang, L. Sun, Y. Wang, Z. Xue (2021). A Fuzzing Method for JIT Complier of JavaScript Engine. Communications Technology, 54(01), 175-180.Google Scholar

Index Terms

Research on Fuzzing Technology for JavaScript Engines

Index terms have been assigned to the content through auto-classification.

Recommendations

SoFi: Reflection-Augmented Fuzzing for JavaScript Engines
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines ...
Read More
Automated conformance testing for JavaScript engines via deep compiler fuzzing
PLDI 2021: Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation

JavaScript (JS) is a popular, platform-independent programming language. To ensure the interoperability of JS programs across different platforms, the implementation of a JS engine should conform to the ECMAScript standard. However, doing so is ...
Read More
Evaluating seed selection for fuzzing JavaScript engines
Abstract
JavaScript (JS), as a platform-independent programming language, remains to be the most popular language over the years. However, popular JavaScript engines that have been widely utilized by web browsers to interpret JS code, have become the most ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CSAE '21: Proceedings of the 5th International Conference on Computer Science and Application Engineering
October 2021
660 pages
ISBN:9781450389853
DOI:10.1145/3487075
Editors:
Ali Emrouznejad,
Jui-Sheng (Rayson) Chou
Copyright © 2021 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 December 2021
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Browser security
Fuzzing
JavaScript engine
Vulnerability detection
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
Overall Acceptance Rate368of770submissions,48%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 1
  Total Citations
  View Citations
- 221
  Total Downloads
- Downloads (Last 12 months)88
- Downloads (Last 6 weeks)5
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

Research on Fuzzing Technology for JavaScript Engines

CSAE '21: Proceedings of the 5th International Conference on Computer Science and Application Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

SoFi: Reflection-Augmented Fuzzing for JavaScript Engines

Automated conformance testing for JavaScript engines via deep compiler fuzzing

Evaluating seed selection for fuzzing JavaScript engines