Samuel Groß

FuzzIL: Guided Fuzzing for JavaScript Engines

Abstract

This talk will discuss a new approach for guided fuzzing of JavaScript (and browser) engines. In contrast to existing fuzzers, which commonly operate on syntactical elements such as the abstract syntax tree (AST), the presented approach performs mutations on a custom, bytecode-like intermediate language, named FuzzIL, which is afterwards translated to JavaScript. The fuzzer has found a number of vulnerabilities and will be open-sourced.

JavaScript engines, and especially just-in-time (JIT) compilers used by those, are becoming more and more interesting for attackers as vulnerabilities found therein are often powerful enough to bypass all existing mitigations fast and reliably. As such there is an interest in detecting these vulnerabilities in an automated fashion, for example through fuzzing.

(Coverage-)guided fuzzing, which has shown promising results in many domains, commonly requires a mutation-based fuzzing approach to make use of the collected feedback. To perform guided fuzzing on scripting engines it is thus first necessary to define semantically useful mutations on program code. In contrast to existing approaches which mutate syntactical elements such as the textual representation of code or a syntax tree, the presented approach defines mutations on a newly designed intermediate language (IL) on which, due to its restricted form, mutations of control and data flow can easily be performed. This reflects the fact that the syntactical properties of a program are generally irrelevant. Further, the proposed system is able to generate semantically valid samples with a high probability. This is important as it avoids the need to wrap generated code into try-catch constructs which can negatively affect the engine's behavior, especially that of JIT compilers.
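To make the argument concrete, here is an added toy example (my own illustration, not Fuzzilli's code, and a made-up three-field instruction format rather than the real FuzzIL instruction set): a minimal SSA-style IL in which each instruction defines one variable and may only read earlier ones, a data-flow mutation that rewires an operand, and a lifter to JavaScript. Because the IL's restricted form guarantees definition-before-use, every mutated program lifts to JavaScript that runs without a try-catch wrapper.

```python
import random
# Toy IL in the spirit of FuzzIL (not Fuzzilli's real instruction set): each
# instruction is (op, inputs, literal) and instruction i defines variable v{i};
# inputs are indices of earlier instructions, so programs are in SSA form.
def is_valid(program):
    """Definition-before-use: every input must name an earlier instruction."""
    return all(all(0 <= j < i for j in ins[1]) for i, ins in enumerate(program))

def lift(program):
    """Translate IL to JavaScript; valid IL always lifts to well-formed JS."""
    lines = []
    for i, (op, inputs, lit) in enumerate(program):
        v = [f"v{j}" for j in inputs]
        if op == "LoadInt":
            rhs = str(lit)
        elif op == "BinaryOp":
            rhs = f"{v[0]} {lit} {v[1]}"
        elif op == "CreateArray":
            rhs = "[" + ", ".join(v) + "]"
        elif op == "LoadProperty":
            rhs = f"{v[0]}.{lit}"
        else:
            raise ValueError(f"unknown op {op}")
        lines.append(f"const v{i} = {rhs};")
    return "\n".join(lines)

def mutate_operand(program, rng):
    """Data-flow mutation: rewire one input of a random instruction to any
    variable already defined at that point, so the program stays valid."""
    i = rng.choice([i for i, ins in enumerate(program) if ins[1]])
    op, inputs, lit = program[i]
    new_inputs = list(inputs)
    new_inputs[rng.randrange(len(inputs))] = rng.randrange(i)  # v0..v(i-1)
    out = list(program)
    out[i] = (op, tuple(new_inputs), lit)
    return out

SEED_PROGRAM = [  # constructed seed program, lifts to five lines of JS
    ("LoadInt", (), 1),
    ("LoadInt", (), 2),
    ("BinaryOp", (0, 1), "+"),
    ("CreateArray", (0, 2), None),
    ("LoadProperty", (3,), "length"),
]

def fuzz(rounds, seed=0):
    rng, prog = random.Random(seed), SEED_PROGRAM
    for _ in range(rounds):  # every intermediate program is valid IL
        prog = mutate_operand(prog, rng)
    return prog
```

A real fuzzer would add mutators that insert or splice instructions and track types so that, for example, `LoadProperty` is only applied to objects, but the validity argument is the same: the IL, not the JavaScript text, is what is mutated.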

An initial implementation of the proposed system was able to identify exploitable, previously unknown security vulnerabilities inside the JavaScript engines of the Safari and Firefox web browsers, including a bug in the register allocator in Firefox's JIT compiler which was used during the hack2win competition.

The talk will first discuss some JavaScript fuzzing background, then explain the design of a JavaScript fuzzer based on a custom intermediate language and how said language can be mutated and converted to JavaScript. Finally, some aspects of the implementation will be explained to serve as documentation for potential users of the released fuzzer.

BIO

Samuel Groß is an independent security researcher and, in his spare time, a Master's student at Karlsruhe Institute of Technology. He has been researching browser security for some years now and has published multiple articles on the subject, including a Phrack paper about JavaScript engine exploitation techniques that uses JavaScriptCore, the JavaScript engine inside WebKit/Safari, as its example. He successfully participated in the yearly Pwn2Own contest in 2017 and 2018, both times demonstrating a remote exploit against Safari which also gained root or kernel-mode code execution on the underlying macOS system. Recently he has started offering training courses on browser exploitation with a focus on JavaScript engines and JIT compilers.