SoFi: Reflection-augmented fuzzing for JavaScript engines
JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines is to generate syntactically and semantically...
Field | Value
---|---
Main Authors | HE, Xiaoyu; XIE, Xiaofei; LI, Yuekang; SUN, Jianwen; LI, Feng; ZOU, Wei; LIU, Yang; YU, Lei; ZHOU, Jianhua; SHI, Wenchang; HUO, Wei
Format | text
Language | English
Published | Institutional Knowledge at Singapore Management University, 2021
Subjects | fuzzing; security vulnerability; OS and Networks; Software Engineering
Online Access | https://ink.library.smu.edu.sg/sis_research/6939 ; https://ink.library.smu.edu.sg/context/sis_research/article/7942/viewcontent/3460120.3484823.pdf
Institution | Singapore Management University
id | sg-smu-ink.sis_research-7942
---|---
record_format | dspace
title | SoFi: Reflection-augmented fuzzing for JavaScript engines
author | HE, Xiaoyu; XIE, Xiaofei; LI, Yuekang; SUN, Jianwen; LI, Feng; ZOU, Wei; LIU, Yang; YU, Lei; ZHOU, Jianhua; SHI, Wenchang; HUO, Wei
author_sort | HE, Xiaoyu
description | JavaScript engines have been shown prone to security vulnerabilities, which can lead to serious consequences due to their popularity. Fuzzing is an effective testing technique to discover vulnerabilities. The main challenge of fuzzing JavaScript engines is to generate syntactically and semantically valid inputs such that deep functionalities can be explored. However, due to the dynamic nature of JavaScript and the special features of different engines, it is quite challenging to generate semantically meaningful test inputs. We observed that state-of-the-art semantic-aware JavaScript fuzzers usually require manually written rules to analyze the semantics for a JavaScript engine, which is labor-intensive, incomplete and engine-specific. Moreover, the error rate of generated test cases is still high. Another challenge is that existing fuzzers cannot generate new method calls that are not included in the initial seed corpus or pre-defined rules, which limits the bug-finding capability. To this end, we propose a novel semantic-aware fuzzing technique named SoFi. To guarantee the validity of the generated test cases, SoFi adopts a fine-grained program analysis to identify available variables and infer types of these variables for the mutation. Moreover, an automatic repair strategy is proposed to repair syntax/semantic errors in invalid test cases. To improve the exploration capability of SoFi, we propose a reflection-based analysis to identify unseen attributes and methods of objects, which are further used in the mutation. With fine-grained analysis and reflection-based augmentation, SoFi can generate more valid and diverse test cases. Besides, SoFi is general in different JavaScript engines without any manual configuration (e.g., the grammar rules). The evaluation results have shown that SoFi outperforms state-of-the-art techniques in generating semantically valid inputs, improving code coverage and detecting more bugs. SoFi discovered 51 bugs in popular JavaScript engines, 28 of which have been confirmed or fixed by the developers and 10 CVE IDs have been assigned.
format | text
publisher | Institutional Knowledge at Singapore Management University
publishDate | 2021
date | 2021-11-01T07:00:00Z
doi | 10.1145/3460120.3484823
url | https://ink.library.smu.edu.sg/sis_research/6939 ; https://ink.library.smu.edu.sg/context/sis_research/article/7942/viewcontent/3460120.3484823.pdf
license | http://creativecommons.org/licenses/by-nc-nd/4.0/
collection | InK@SMU; Research Collection School Of Computing and Information Systems
institution | Singapore Management University
building | SMU Libraries
content_provider | SMU Libraries
continent | Asia
country | Singapore
language | English
topic | fuzzing; security vulnerability; OS and Networks; Software Engineering