SoFi: Reflection-augmented fuzzing for JavaScript engines

JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines is to generate syntactically and semantically...

Bibliographic Details
Main Authors: HE, Xiaoyu, XIE, Xiaofei, LI, Yuekang, SUN, Jianwen, LI, Feng, ZOU, Wei, LIU, Yang, YU, Lei, ZHOU, Jianhua, SHI, Wenchang, HUO, Wei
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2021
Subjects: fuzzing; security; vulnerability; OS and Networks; Software Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/6939
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/7942/viewcontent/3460120.3484823.pdf
Description: JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines is to generate syntactically and semantically valid inputs such that deep functionalities can be explored. However, due to the dynamic nature of JavaScript and the special features of different engines, it is quite challenging to generate semantically meaningful test inputs. We observed that state-of-the-art semantic-aware JavaScript fuzzers usually require manually written rules to analyze the semantics for a JavaScript engine, which is labor-intensive, incomplete and engine-specific. Moreover, the error rate of generated test cases is still high. Another challenge is that existing fuzzers cannot generate new method calls that are not included in the initial seed corpus or pre-defined rules, which limits the bug-finding capability. To this end, we propose a novel semantic-aware fuzzing technique named SoFi. To guarantee the validity of the generated test cases, SoFi adopts a fine-grained program analysis to identify available variables and infer their types for the mutation. Moreover, an automatic repair strategy is proposed to repair syntax/semantic errors in invalid test cases. To improve the exploration capability of SoFi, we propose a reflection-based analysis to identify unseen attributes and methods of objects, which are further used in the mutation. With fine-grained analysis and reflection-based augmentation, SoFi can generate more valid and diverse test cases. Besides, SoFi generalizes across different JavaScript engines without any manual configuration (e.g., the grammar rules). The evaluation results have shown that SoFi outperforms state-of-the-art techniques in generating semantically valid inputs, improving code coverage and detecting more bugs. SoFi discovered 51 bugs in popular JavaScript engines, 28 of which have been confirmed or fixed by the developers, and 10 CVE IDs have been assigned.

Date: 2021-11-01
DOI: 10.1145/3460120.3484823
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems