
Research On Fuzzing Technology For JavaScript Engines

Posted on: 2022-10-10
Degree: Master
Type: Thesis
Country: China
Candidate: C C Wang
GTID: 2518306527483104
Subject: Computer Science and Technology
Abstract/Summary:
The JavaScript engine is an important part of the browser. It adds a variety of rich dynamic interfaces to web pages, gives users a smooth and attractive browsing experience, and is the basis for the dynamic display of the entire browser. At present, attacks against JavaScript engines are endless. Attackers use the JavaScript engine to hijack the browser and launch attacks such as drive-by malware downloads, XSS and cookie hijacking, and can even obtain full system privileges. Security testing and vulnerability mining for JavaScript engines is therefore currently a hot topic in industry and academia. However, the large code base and complex logical structure of JavaScript engines make their security testing seriously difficult, and existing vulnerability mining methods face problems such as slow testing speed, low efficiency in generating test cases and low coverage, so they cannot meet the vulnerability mining requirements of JavaScript engines.

To solve these problems, this thesis studies fuzzing technology for JavaScript parsing engines. The main research contents are as follows:

1) A seed mutation model, Tree Model, based on the granularity of the syntax tree is proposed. The model is coverage-guided and fuzzes the JavaScript engine through syntax tree mutation. It uses syntax analysis tools to parse the initial seeds into abstract syntax trees, and then extracts the subtrees of those trees to build a subtree pool. In the mutation stage, a seed is selected from the test case queue and parsed into an abstract syntax tree, subtrees are randomly selected from the subtree pool to perform subtree replacement mutation on that tree, and the result is a new test case for testing. Unlike AFL's bit-level mutation, this model mutates seeds at the syntax tree level, which generates test cases more effectively. Experiments show that, compared with other JavaScript engine vulnerability mining tools, Tree Model improves vulnerability discovery capability and path coverage to a certain extent, which proves the effectiveness of the model.

2) To reduce the error rate of generated JavaScript code, a subtree type-sensitive seed mutation enhancement strategy is further proposed on the basis of 1), and implemented as the model ILS. ILS analyzes JavaScript code on a path-feedback fuzzing framework, recognizes and classifies the subtrees of the syntax tree to build pools of subtrees of the same type, and then mutates only with subtrees of the same type, forming a subtree type-sensitive mutation strategy. This greatly improves the efficiency of test seeds, thereby driving higher code coverage and vulnerability discovery capability. The JavaScript engine vulnerability mining tools Superion and CodeAlchemist were chosen for comparison, with experiments on three typical JavaScript engines (JerryScript, ChakraCore and JavaScriptCore). The results show that ILS effectively reduces the error rate of JavaScript seed generation, greatly improves the code coverage of the JavaScript engine, and has higher vulnerability discovery ability.

3) To address the problem of mutation energy allocation in JavaScript engine fuzzing, a subtree type-sensitive seed energy allocation strategy is proposed on the basis of 2). The strategy gives more energy to test seeds that run faster, cover more paths, are newly generated and reach greater path depth, and during subtree mutation gives more energy to the subtree types that discover new paths, so that good seeds receive more energy and the code coverage of the target program improves. Finally, it is compared with other JavaScript vulnerability mining tools, and the experimental results show that the strategy achieves higher code coverage and vulnerability discovery capability.

In the end, we found 68 new bugs in the JavaScript engines that had not been discovered before, all of which were confirmed and fixed by the vendors.
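The subtree pool and type-sensitive subtree replacement described in 1) and 2), written out as an added example that is not the thesis's code: two hand-built ESTree-shaped seed trees stand in for parsed seeds, the pool is bucketed by node type, and a mutation swaps one node only for a pool subtree of the same type, so the regenerated source still parses.

```python
import copy, random

# Constructed ESTree-shaped seed ASTs (hand-written here, not the thesis's corpus): "let a = 1 + 2;" and "f([7]);".
SEEDS = [
    {"type": "Program", "body": [{"type": "VariableDeclaration", "kind": "let", "declarations": [
        {"type": "VariableDeclarator", "id": {"type": "Identifier", "name": "a"},
         "init": {"type": "BinaryExpression", "operator": "+",
                  "left": {"type": "Literal", "value": 1}, "right": {"type": "Literal", "value": 2}}}]}]},
    {"type": "Program", "body": [{"type": "ExpressionStatement", "expression": {
        "type": "CallExpression", "callee": {"type": "Identifier", "name": "f"},
        "arguments": [{"type": "ArrayExpression", "elements": [{"type": "Literal", "value": 7}]}]}}]},
]

def iter_subtrees(node):
    """Pre-order walk over every AST node (a dict carrying a 'type')."""
    if isinstance(node, dict) and "type" in node:
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from iter_subtrees(child)

def build_typed_pool(seeds):
    """ILS-style subtree pool: subtrees bucketed by node type (Program roots excluded)."""
    pool = {}
    for sub in (s for seed in seeds for s in iter_subtrees(seed) if s["type"] != "Program"):
        pool.setdefault(sub["type"], []).append(copy.deepcopy(sub))
    return pool

def mutate(seed, pool, rng_seed):
    """Type-sensitive subtree replacement: swap one node for a different pool subtree of the same type."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    tree = copy.deepcopy(seed)
    targets = [n for n in iter_subtrees(tree)
               if n["type"] != "Program" and any(d != n for d in pool.get(n["type"], []))]
    target = rng.choice(targets)
    donor = copy.deepcopy(rng.choice([d for d in pool[target["type"]] if d != target]))
    target.clear(); target.update(donor)  # swap in place, so the parent's slot keeps a node of the same type
    return tree

def to_js(n):
    """Minimal code generator for the node types used above, so a mutated tree can be fed to an engine."""
    t, g = n["type"], to_js
    if t == "Program": return "\n".join(map(g, n["body"]))
    if t == "VariableDeclaration": return f'{n["kind"]} ' + ", ".join(map(g, n["declarations"])) + ";"
    if t == "VariableDeclarator": return f'{g(n["id"])} = {g(n["init"])}'
    if t == "ExpressionStatement": return g(n["expression"]) + ";"
    if t == "BinaryExpression": return f'({g(n["left"])} {n["operator"]} {g(n["right"])})'
    if t == "CallExpression": return f'{g(n["callee"])}(' + ", ".join(map(g, n["arguments"])) + ")"
    if t == "ArrayExpression": return "[" + ", ".join(map(g, n["elements"])) + "]"
    return n["name"] if t == "Identifier" else repr(n["value"])  # Identifier or Literal
```

Because a donor is always drawn from the bucket of the target's own node type, every mutant of the first seed is again a well-formed `let` declaration (for example an identifier or literal swapped from the other seed), which is the error-rate reduction ILS aims at.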
Keywords/Search Tags: JavaScript engines, vulnerability, fuzzing, abstract syntax tree, subtree