Samuel Groß and Carl Smith

Advancements in JavaScript Engine Fuzzing


What’s new in JavaScript engine fuzzing, and what might still be to come? This talk will dive into the unique challenges and opportunities of JavaScript engine fuzzing. For example, while the bugs typically found in modern JavaScript engines often require complex interactions to trigger, the nature of JavaScript also makes it possible to use features like runtime introspection to generate smarter testcases. Various new fuzzing techniques specifically for dynamic language interpreters will be discussed and have been implemented in the open-source fuzzer Fuzzilli. Along the way, some noteworthy bugs will also be presented.

Fuzzing dynamic language interpreters such as JavaScript engines remains an interesting research topic. This talk will discuss recent advancements in Fuzzilli, an open-source JavaScript engine fuzzer that has found hundreds of bugs in widely-used Javascript engines such as V8, the engine powering Google Chrome.

After a brief introduction of Fuzzilli and its basic functionality, this talk will discuss some novel mutators that have recently been added to Fuzzilli and which all make use of the dynamic nature of JavaScript, in particular its ability for runtime introspection, to generate smarter testcases. Further, the talk will show how using custom runtime feedback can also improve generative, not just mutation-based, fuzzing.

Along the way, some noteworthy bugs found by Fuzzilli in the recent past will be presented, and contrasted to some bug types, such as concurrency related issues, that remain hard to find through fuzzing. The talk closes by looking at possible future advancements in Fuzzilli specifically and dynamic language fuzzing in general.


Samuel Groß

After working at Google Project Zero since 2019 and researching browser-based and 0-click attacks, Samuel now leads the V8 Security Team inside Google where he develops innovative security features for the V8 JavaScript Engine together with his team. Before joining Google, Samuel worked as an independent security researcher, during which he participated in pwn2own and published two Phrack articles on JavaScript engine exploitation.

Carl Smith

Carl Smith is a Security Engineer on Google's V8 Security Team. He previously interned at Exodus Intelligence and Google Project Zero. He is interested in fuzzing, compilers and security research. He can be reached on twitter or mastodon: cffsmith@ /