
Study On Directed Fuzzing For Browser JavaScript Engine

Posted on: 2022-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: X H Zhang
Full Text: PDF
GTID: 2518306353967929
Subject: Master of Engineering

Abstract/Summary:
With the continuous development of modern society, networks and application software have become an indispensable part of people's lives, but the security vulnerabilities that accompany them threaten users' property and information security. The browser is the application people use most in daily life, and the number of vulnerabilities disclosed in its embedded JavaScript engine has increased year after year. However, because the engine has a large code base, complex logic and a strict input format, existing vulnerability mining methods and tools test it poorly and with low effectiveness. This thesis analyzes the causes of existing browser JavaScript engine vulnerabilities, summarizes and improves existing testing methods, and proposes a more targeted fuzzing method.

Existing JavaScript engine vulnerability mining tools have two main problems. First, the engine's input space is huge: generation-based fuzzing systems find it hard to produce effective test cases within a reasonable budget of time and resources. Second, most existing fuzzing systems do not summarize and make use of known vulnerabilities: mutation-based fuzzers still choose mutation directions blindly and with low effectiveness, and because the engine imposes strict grammar requirements on its input, random mutation yields seeds with a very low syntax pass rate, so the engine cannot be tested in depth.

To address these problems, the following work was carried out:
1. To summarize a vulnerability model and narrow the search space of fuzzing, this thesis surveys engine vulnerabilities disclosed in recent years and groups vulnerabilities that share a cause, the call stack at the time of the crash and the engine functions executed into families; the underlying engine functions related to a family's characteristics are extracted as the main test targets of fuzzing, that is, the directed targets.
2. To address the low syntax pass rate of seeds produced by random mutation, this thesis combines characteristics of the JavaScript language and the engine to propose four mutation strategies: single point mutation, cross mutation, intercept mutation and JIT mutation.
3. The edges of the function call graph produced by static analysis are weighted differently and calls to related library functions are filtered out, which reduces complexity while improving the accuracy of distance calculation.
4. A seed grading strategy combines two indicators, distance and cover function similarity, to judge seed priority; a simulated annealing algorithm schedules energy so that higher-priority seeds get more chances to mutate, and an adaptive algorithm applies mutation strategies of different granularity to different seeds to improve the efficiency of guidance.

To verify the effectiveness of these methods, this thesis designs and implements Hunter, a directed fuzzing system, and verifies the correctness and effectiveness of the implementation through experiments. The experimental results show that Hunter raises the syntax pass rate of generated seeds to 91.43% and has good directedness.
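The seed scheduling described in points 3 and 4, as an added example that is not code from the thesis or from Hunter: a weighted call-graph distance to the directed target, a cover function similarity score, and a simulated-annealing power schedule. The call graph, target, family set, seeds and edge weights are constructed here, and the cooling formula is an assumed AFLGo-style schedule, not Hunter's actual one.

```python
"""Added example: directed seed scheduling from call-graph distance, family
similarity and an annealing power schedule. All data below is constructed."""
import heapq
import math

# Constructed call graph: caller -> {callee: edge weight}; library calls are
# assumed to be filtered out already, as the abstract describes.
CALL_GRAPH = {
    "Interpret": {"CallFunction": 1.0, "ArraySort": 2.5, "ArrayPush": 1.0},
    "CallFunction": {"ArraySort": 1.0},
    "ArraySort": {"CompareFn": 1.0},
    "ArrayPush": {"Grow": 1.0},
}
TARGET = "CompareFn"                          # constructed directed target
FAMILY = {"ArraySort", "CompareFn", "Grow"}   # functions typical of the family

def distance_to_target(graph, target):
    """Weighted shortest distance from each function to target (Dijkstra on the
    reversed graph); functions that cannot reach the target are absent."""
    rev = {}
    for caller, callees in graph.items():
        for callee, w in callees.items():
            rev.setdefault(callee, {})[caller] = w
    dist, heap = {target: 0.0}, [(0.0, target)]
    while heap:
        d, f = heapq.heappop(heap)
        if d > dist[f]:
            continue
        for caller, w in rev.get(f, {}).items():
            if d + w < dist.get(caller, math.inf):
                dist[caller] = d + w
                heapq.heappush(heap, (d + w, caller))
    return dist

def seed_distance(covered, dist):
    """Mean distance of the seed's covered functions that can reach the target."""
    reach = [dist[f] for f in covered if f in dist]
    return sum(reach) / len(reach) if reach else math.inf

def seed_score(covered, dist, family):
    """Equal-weight mix of closeness to the target and Jaccard similarity to the family."""
    d, d_max = seed_distance(covered, dist), max(dist.values()) or 1.0
    closeness = 0.0 if math.isinf(d) else 1.0 - d / d_max
    return 0.5 * closeness + 0.5 * len(covered & family) / len(covered | family)

def energy(covered, dist, family, t, t_exploit, base=1.0):
    """Mutation budget: temperature 1 at t=0 gives every seed the base budget;
    as it cools, high-scoring seeds get up to 2**5 times more (assumed schedule)."""
    temp = 20 ** (-t / t_exploit)
    p = seed_score(covered, dist, family) * (1 - temp) + 0.5 * temp
    return base * 2 ** (10 * (p - 0.5))
```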
Keywords/Search Tags: Vulnerabilities mining, JavaScript engine, directed, fuzzing