Fuzzing JavaScript Engines with Aspect-Preserving Mutation
Offered By: IEEE via YouTube
Course Description
Overview
Explore advanced techniques for fuzzing JavaScript engines in this conference talk on aspect-preserving mutation. Learn why finding JavaScript engine bugs is hard and which special conditions must hold to uncover new vulnerabilities from existing ones. Walk through the DIE (Dynamic analysis, Input generation, and Execution) overview, including preprocessing for a typed AST, type analysis through dynamic and static methods, and input generation. Examine aspect-preserving mutation, focusing on type-preserving and structure-preserving mutations. Gain insight into the implementation, the fuzzing of real-world JS engines, and an evaluation of how effective leveraging aspects is. Review a case study on CVE-2019-0990 and a comparison of the presented approach with state-of-the-art fuzzers. Enhance your understanding of advanced security testing methodologies for JavaScript engines in this IEEE presentation.
Syllabus
Everyone uses a web browser (+ JS engine)
Finding JS bugs is hard
Motivating example: special conditions are necessary to discover new bugs from old ones
Aspects
DIE overview
Preprocessing for typed-AST
Type Analysis: dynamic analysis
Type Analysis: static analysis
Input generation
Aspect-preserving mutation
Type-preserving mutation
Structure-preserving mutation
Execution with instrumented JS engine
Implementation
Fuzzing JS engines in the wild
Evaluation: effectiveness of leveraging aspect
Case study: CVE-2019-0990
Evaluation: aspect preserving
Evaluation: validity of generated input
Evaluation: comparison w/ state-of-the-art fuzzers
Conclusion
Taught by
IEEE Symposium on Security and Privacy
Related Courses
Automated Visual Software Analytics (openHPI)
JavaScript Testing (Udacity)
Desarrollo de Aplicaciones Web: Prueba y Despliegue (Web Application Development: Testing and Deployment) (University of New Mexico via Coursera)
软件工程 (Software Engineering) (Peking University via Coursera)
Building R Packages (Johns Hopkins University via Coursera)