A lightweight and high-precision approach for bulky JavaScript engines fuzzing

Bibliographic Details
Published in: IEEE ... International Conference on Trust, Security and Privacy in Computing and Communications (Online), pp. 982-989
Main Authors: Zhou, Lianpei, Xiao, Xi, Hu, Guangwu, Li, Hao, Wu, Xiangbo, Zhou, Tao
Format: Conference Proceeding
Language: English
Published: IEEE 01.11.2023
ISSN: 2324-9013
Description
Summary: Traditional coverage-based fuzzing gives equal attention to every part of the code. Despite much progress, we observe that existing schemes still do not make comprehensive use of the coverage feedback mechanism when fuzzing bulky JavaScript engines, because of severe path collisions. To improve the precision of coverage feedback and target the vulnerable JIT compiler of JavaScript engines, we present our fuzzer, called LF (Light Fuzzer), a lightweight and high-precision fuzzer for bulky JavaScript engines. First, LF confines instrumentation to the JIT-related "critical functions" to mitigate collisions. Additionally, LF uses static analysis to establish dominance relationships between critical functions. Lastly, LF incorporates seed scheduling driven by function-level control-flow feedback to dynamically target the JIT. These combined strategies make LF a lightweight and high-precision fuzzer for bulky JavaScript engines. In our evaluation, LF outperforms the state-of-the-art coverage-guided JavaScript fuzzer DIE across different coverage types, and LF is also more effective than DIE at triggering unique crashes.
DOI: 10.1109/TrustCom60117.2023.00138