Jit-Picking: Differential Fuzzing of JavaScript Engines

Bernhard, Lukas and Scharnowski, Tobias and Schloegel, Moritz and Blazytko, Tim and Holz, Thorsten
(2022) Jit-Picking: Differential Fuzzing of JavaScript Engines.
In: CCS 2022.
Conference: CCS ACM Conference on Computer and Communications Security

[img]
Preview
 Text
2022-CCS-JIT-Fuzzing.pdf
Download (720kB) | Preview

Abstract

Modern JavaScript engines that power websites and even full applications on the Web are driven by the need for an increasingly fast and snappy user experience. These engines use several complex and potentially error-prone mechanisms to optimize their performance. Unsurprisingly, the inevitable complexity results in a huge attack surface and various types of software vulnerabilities. On the defender’s side, fuzz testing has proven to be an invaluable tool for uncovering different kinds of memory safety violations. Although it is difficult to test interpreters and JIT compilers in an automated way, recent proposals for input generation based on grammars or target-specific intermediate representations helped uncovering many software faults. However, subtle logic bugs and miscomputations that arise from optimization passes in JIT engines continue to elude state-of-the-art testing methods. While such flaws might seem unremarkable at first glance, they are often still exploitable in practice. In this paper, we propose a novel technique for effectively uncovering this class of subtle bugs during fuzzing. The key idea is to take advantage of the tight coupling between a JavaScript engine’s interpreter and its corresponding JIT compiler as a domain-specific and generic bug oracle, which in turn yields a highly sensitive fault detection mechanism. We have designed and implemented a prototype of the proposed approach in a tool called Jit-Picker. In an empirical evaluation, we show that our method enables us to detect subtle software faults that prior work missed. In total, we uncovered 32 bugs that were not publicly known and received a $10.000 bug bounty from Mozilla as a reward for our contributions to JIT engine security.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Thorsten Holz (TH)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Thorsten Holz
Date Deposited: 09 Sep 2022 09:53
Last Modified: 09 Sep 2022 09:53
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/3773

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.