JIT-Picking: Differential Fuzzing of JavaScript Engines

Modern JavaScript engines that power websites and even full applications on the Web are driven by the need for an increasingly fast and snappy user experience. These engines use several complex and potentially error-prone mechanisms to optimize their performance. Unsurprisingly, the inevitable complexity results in a huge attack surface and varioustypes of software vulnerabilities. On the defender's side, fuzz testing has proven to be an invaluable tool for uncovering different kinds of memory safety violations. Although it is difficult to test interpreters and JIT compilers in an automated way, recent proposals for input generation based on grammars or target-specific intermediate representations helped uncovering many software faults. However, subtle logic bugs and miscomputations that arise from optimization passes in JIT engines continue to elude state-of-the-art testing methods. While such flaws might seem unremarkable at first glance, they are often still exploitable in practice. In this paper, we propose a novel technique for effectively uncovering this class of subtle bugs during fuzzing. The key idea is to take advantage of the tight coupling between a JavaScript engine's interpreter and its corresponding JIT compiler as a domain-specific and generic bug oracle, which in turn yields a highly sensitive fault detection mechanism. We have designed and implemented a prototype of the proposed approach in a tool called JIT-Picker. In an empirical evaluation, we show that our method enables us to detect subtle software faults that prior work missed. In total, we uncovered 32 bugs that were not publicly known and received a $10.000 bug bounty from Mozilla as a reward for our contributions to JIT engine security.

[1]  Giovanni Vigna,et al.  Token-Level Fuzzing , 2023, USENIX Security Symposium.

[2]  Xiaofei Xie,et al.  SoFi: Reflection-Augmented Fuzzing for JavaScript Engines , 2021, CCS.

[3]  Chaojing Tang,et al.  Igor: Crash Deduplication Through Root-Cause Clustering , 2021, CCS.

[4]  Jangwoo Kim,et al.  DifuzzRTL: Differential Fuzz Testing to Find CPU Bugs , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[5]  Wenke Lee,et al.  One Engine to Fuzz ’em All: Generic Language Processor Testing with Semantic Validation , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[6]  Koushik Sen,et al.  Growing a Test Corpus with Bonsai Fuzzing , 2021, 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE).

[7]  Sukyoung Ryu,et al.  JEST: N+1-Version Differential Testing of Both JavaScript Engines and Specification , 2021, 2021 IEEE/ACM 43rd International Conference on Software Engineering: Companion Proceedings (ICSE-Companion).

[8]  Marcelo d'Amorim,et al.  Exposing bugs in JavaScript engines through test transplantation and differential testing , 2020, Software Quality Journal.

[9]  Sukyoung Ryu,et al.  JISET: JavaScript IR-based Semantics Extraction Toolchain , 2020, 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[10]  Leonardo Querzoni,et al.  Fuzzing Binaries for Memory Safety Errors with QASan , 2020, 2020 IEEE Secure Development (SecDev).

[11]  Cristiano Giuffrida,et al.  ParmeSan: Sanitizer-guided Greybox Fuzzing , 2020, USENIX Security Symposium.

[12]  Taesoo Kim,et al.  Fuzzing JavaScript Engines with Aspect-preserving Mutation , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[13]  Sooel Son,et al.  Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer , 2020, USENIX Security Symposium.

[14]  Marc Feeley,et al.  Property caches revisited , 2019, CC.

[15]  Ahmad-Reza Sadeghi,et al.  NAUTILUS: Fishing for Deep Bugs with Grammars , 2019, NDSS.

[16]  Matthew Hicks,et al.  Full-Speed Fuzzing: Reducing Fuzzing Overhead through Coverage-Guided Tracing , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[17]  Yang Liu,et al.  Superion: Grammar-Aware Greybox Fuzzing , 2018, 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE).

[18]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[19]  Wen Xu,et al.  Designing New Operating Primitives to Improve Fuzzing Performance , 2017, CCS.

[20]  Alon Zakai,et al.  Bringing the web up to speed with WebAssembly , 2017, PLDI.

[21]  Salvatore J. Stolfo,et al.  NEZHA: Efficient Domain-Independent Differential Testing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[22]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.

[23]  Zhendong Su,et al.  Coverage-directed differential testing of JVM implementations , 2016, PLDI.

[24]  Michael Pradel,et al.  Performance Issues and Optimizations in JavaScript: An Empirical Study , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[25]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[26]  Sung-Jae Lee,et al.  Ultra lightweight JavaScript engine for internet of things , 2015, SPLASH.

[27]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[28]  Zhendong Su,et al.  Compiler validation via equivalence modulo inputs , 2014, PLDI.

[29]  Vitaly Shmatikov,et al.  Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations , 2014, 2014 IEEE Symposium on Security and Privacy.

[30]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[31]  Andreas Zeller,et al.  Fuzzing with Code Fragments , 2012, USENIX Security Symposium.

[32]  Alex Groce,et al.  Swarm testing , 2012, ISSTA 2012.

[33]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[34]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[35]  Peter Thiemann,et al.  Type Analysis for JavaScript , 2009, SAS.

[36]  David Wetherall,et al.  Privacy oracle: a system for finding application leaks with black box differential testing , 2008, CCS.

[37]  Thorsten Holz,et al.  Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types , 2021, USENIX Security Symposium.

[38]  Mathias Payer,et al.  FuZZan: Efficient Sanitizer Metadata Design for Fuzzing , 2020, USENIX Annual Technical Conference.

[39]  Yong Tang,et al.  EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit , 2020, USENIX Security Symposium.

[40]  Andrea Fioraldi,et al.  AFL++ : Combining Incremental Steps of Fuzzing Research , 2020, WOOT @ USENIX Security Symposium.

[41]  Thorsten Holz,et al.  AURORA: Statistical Crash Analysis for Automated Root Cause Explanation , 2020, USENIX Security Symposium.

[42]  Sang Kil Cha,et al.  CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines , 2019, NDSS.

[43]  Chao Zhang,et al.  MOPT: Optimized Mutation Scheduling for Fuzzers , 2019, USENIX Security Symposium.

[44]  Thorsten Holz,et al.  GRIMOIRE: Synthesizing Structure while Fuzzing , 2019, USENIX Security Symposium.

[45]  Thorsten Holz,et al.  REDQUEEN: Fuzzing with Input-to-State Correspondence , 2019, NDSS.

[46]  Thorsten Holz,et al.  SoK: Make JIT-Spray Great Again , 2018, WOOT @ USENIX Security Symposium.

[47]  Crispin Cowan,et al.  StackGuard: Simple Stack Smash Protection for GCC , 2004 .