A lightweight and high-precision approach for bulky JavaScript engines fuzzing

Detailed description

Bibliographic details
Published in: IEEE ... International Conference on Trust, Security and Privacy in Computing and Communications (Online), pp. 982 - 989
Main authors: Zhou, Lianpei; Xiao, Xi; Hu, Guangwu; Li, Hao; Wu, Xiangbo; Zhou, Tao
Format: Conference proceedings
Language: English
Published: IEEE 01.11.2023
Subject headings:
ISSN: 2324-9013
Online access: Full text
Description
Abstract: Traditional coverage-based fuzzing gives equal attention to every part of the code. Despite much progress, we observe that existing schemes still do not comprehensively use the coverage feedback mechanism when fuzzing bulky JavaScript engines, because of severe path collisions. To improve the precision of coverage feedback and to target the vulnerable JIT compiler of JavaScript engines, we present our fuzzer, LF (Light Fuzzer), a lightweight and high-precision fuzzer for fuzzing bulky JavaScript engines. First, LF confines instrumentation to the JIT-related "critical functions" to mitigate collisions. Additionally, LF uses static analysis to establish dominance relationships between critical functions. Lastly, LF incorporates seed scheduling driven by function-level control-flow feedback to dynamically target the JIT. These combined strategies make LF a lightweight and high-precision fuzzer for bulky JavaScript engines. In our evaluation, LF outperforms the state-of-the-art coverage-guided JavaScript fuzzer DIE across different coverage types, and LF is also more effective than DIE at triggering unique crashes.
DOI: 10.1109/TrustCom60117.2023.00138