Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
11-2021
Abstract
JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines is to generate syntactically and semantically valid inputs such that deep functionalities can be explored. However, due to the dynamic nature of JavaScript and the special features of different engines, it is quite challenging to generate semantically meaningful test inputs. We observed that state-of-the-art semantic-aware JavaScript fuzzers usually require manually written rules to analyze the semantics for a JavaScript engine, which is labor-intensive, incomplete and engine-specific. Moreover, the error rate of generated test cases is still high. Another challenge is that existing fuzzers cannot generate new method calls that are not included in the initial seed corpus or pre-defined rules, which limits the bug-finding capability. To this end, we propose a novel semantic-aware fuzzing technique named SoFi. To guarantee the validity of the generated test cases, SoFi adopts a fine-grained program analysis to identify available variables and infer types of these variables for the mutation. Moreover, an automatic repair strategy is proposed to repair syntax/semantic errors in invalid test cases. To improve the exploration capability of SoFi, we propose a reflection-based analysis to identify unseen attributes and methods of objects, which are further used in the mutation. With fine-grained analysis and reflection-based augmentation, SoFi can generate more valid and diverse test cases. Besides, SoFi is general in different JavaScript engines without any manual configuration (e.g., the grammar rules). The evaluation results have shown that SoFi outperforms state-of-the-art techniques in generating semantically valid inputs, improving code coverage and detecting more bugs. SoFi discovered 51 bugs in popular JavaScript engines, 28 of which have been confirmed or fixed by the developers and 10 CVE IDs have been assigned.
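As an added illustration of the reflection-based member discovery the abstract describes (example code written for this record, not SoFi's own implementation; the function names `discoverMembers` and `callTemplates` are assumed): the object's prototype chain is walked with `Reflect.ownKeys`, so inherited and non-enumerable members that no seed corpus mentions are found and typed, and the methods are turned into call templates a mutator could splice into a test case.

```javascript
// Reflection-based discovery of the attributes and methods an object exposes,
// in the spirit of the reflection-augmented analysis the abstract describes.
// Walks the prototype chain with Reflect.ownKeys so that inherited and
// non-enumerable members (absent from any seed corpus) are found too.
function discoverMembers(obj) {
  const seen = new Set();
  const methods = [];
  const attributes = [];
  let proto = obj;
  let depth = 0; // 0 = own properties, 1 = first prototype, ...
  // Object.prototype is shared by every object, so stop before it.
  while (proto !== null && proto !== Object.prototype) {
    for (const key of Reflect.ownKeys(proto)) {
      if (seen.has(key)) continue; // shadowed by a nearer prototype
      seen.add(key);
      const desc = Reflect.getOwnPropertyDescriptor(proto, key);
      const name = typeof key === 'symbol' ? key.toString() : key;
      if (typeof desc.value === 'function') {
        // declared parameter count tells a mutator how many arguments to synthesise
        methods.push({ name, arity: desc.value.length, depth });
      } else {
        // getters are classified without being invoked: reading them could
        // mutate engine state and skew the inferred type
        const kind = desc.get || desc.set ? 'accessor' : typeof desc.value;
        attributes.push({ name, kind, depth });
      }
    }
    proto = Object.getPrototypeOf(proto);
    depth++;
  }
  return { methods, attributes };
}

// Turn discovered methods into call templates a mutator could splice into a
// test case, with one placeholder per declared parameter. Symbol-keyed methods
// and the constructor are skipped because they are not plain `obj.name(...)` calls.
function callTemplates(receiver, obj) {
  return discoverMembers(obj).methods
    .filter((m) => m.name !== 'constructor' && !m.name.startsWith('Symbol('))
    .map((m) => {
      const args = Array.from({ length: m.arity }, (_, i) => `arg${i}`).join(', ');
      return `${receiver}.${m.name}(${args})`;
    });
}

// Constructed sample: a Map, whose methods live on Map.prototype, not on the instance
console.log(callTemplates('m', new Map()));
```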
Keywords
fuzzing, security, vulnerability
Discipline
OS and Networks | Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Conference, November 15-19
First Page
2229
Last Page
2242
ISBN
9781450384544
Identifier
10.1145/3460120.3484823
Publisher
Association for Computing Machinery
City or Country
Virtual Conference
Citation
HE, Xiaoyu; XIE, Xiaofei; LI, Yuekang; SUN, Jianwen; LI, Feng; ZOU, Wei; LIU, Yang; YU, Lei; ZHOU, Jianhua; SHI, Wenchang; and HUO, Wei.
SoFi: Reflection-augmented fuzzing for JavaScript engines. (2021). Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, Virtual Conference, November 15-19. 2229-2242.
Available at: https://ink.library.smu.edu.sg/sis_research/6939
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.