FuzzJIT: Oracle-enhanced fuzzing for JavaScript engine JIT compiler

Junjie Wang; Zhiyi Zhang; Shuang Liu; Xiaoning Du; Junjie Chen

FuzzJIT: Oracle-enhanced fuzzing for JavaScript engine JIT compiler

Junjie Wang
, Zhiyi Zhang
, Shuang Liu
, Xiaoning Du
, Junjie Chen

Department of Software Systems & Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

39 Citations (Scopus)

Abstract

We present a novel fuzzing technique, FuzzJIT, for exposing JIT compiler bugs in JavaScript engines, based on our insight that JIT compilers shall only speed up the execution but never change the execution result of JavaScript code. FuzzJIT can activate the JIT compiler for every test case and acutely capture any execution discrepancy caused by JIT compilers. The key to success is the design of an input wrapping template, which proactively activates the JIT compiler and makes the generated samples oracle-aware themselves and the oracle is tested during execution spontaneously. We also design a set of mutation strategies to emphasize program elements promising in revealing JIT compiler bugs. FuzzJIT drills to JIT compilers and at the same time retains the high efficiency of fuzzing. We have implemented the design and applied the prototype to find new JIT compiler bugs in four mainstream JavaScript engines. In one month, ten, five, two, and 16 new bugs are exposed in JavaScriptCore, V8, SpiderMonkey, and ChakraCore, respectively, with three demonstrated exploitable.

Original language	English
Title of host publication	Proceedings of the 32nd USENIX Security Symposium
Editors	Joe Calandrino, Carmela Troncoso
Place of Publication	CA USA
Publisher	The USENIX Association
Pages	1865-1882
Number of pages	18
Volume	3
ISBN (Electronic)	9781713879497, 9781939133373
Publication status	Published - 2023
Event	USENIX Security Symposium 2023 - Anaheim, United States of America Duration: 9 Aug 2023 → 11 Aug 2023 Conference number: 32nd https://dl.acm.org/doi/proceedings/10.5555/3620237 (Proceedings) https://www.usenix.org/conference/usenixsecurity23/glance (Website)

Conference

Conference	USENIX Security Symposium 2023
Abbreviated title	USENIX 2023
Country/Territory	United States of America
City	Anaheim
Period	9/08/23 → 11/08/23
Internet address	https://dl.acm.org/doi/proceedings/10.5555/3620237 (Proceedings) https://www.usenix.org/conference/usenixsecurity23/glance (Website)

Access to Document

560181351-oaFinal published version, 951 KB

https://www.usenix.org/conference/usenixsecurity23/presentation/wang-junjie

Cite this

@inproceedings{7ad96d51b5244e7786e245cf268dfacb,

title = "FuzzJIT: Oracle-enhanced fuzzing for JavaScript engine JIT compiler",

abstract = "We present a novel fuzzing technique, FuzzJIT, for exposing JIT compiler bugs in JavaScript engines, based on our insight that JIT compilers shall only speed up the execution but never change the execution result of JavaScript code. FuzzJIT can activate the JIT compiler for every test case and acutely capture any execution discrepancy caused by JIT compilers. The key to success is the design of an input wrapping template, which proactively activates the JIT compiler and makes the generated samples oracle-aware themselves and the oracle is tested during execution spontaneously. We also design a set of mutation strategies to emphasize program elements promising in revealing JIT compiler bugs. FuzzJIT drills to JIT compilers and at the same time retains the high efficiency of fuzzing. We have implemented the design and applied the prototype to find new JIT compiler bugs in four mainstream JavaScript engines. In one month, ten, five, two, and 16 new bugs are exposed in JavaScriptCore, V8, SpiderMonkey, and ChakraCore, respectively, with three demonstrated exploitable.",

author = "Junjie Wang and Zhiyi Zhang and Shuang Liu and Xiaoning Du and Junjie Chen",

note = "Funding Information: This work is partially sponsored by National Key R\&D Program of China (No.2019YFB2101700), National Natural Science Foundation of China (62102283, U1836214). Publisher Copyright: {\textcopyright} USENIX Security 2023. All rights reserved.; USENIX Security Symposium 2023, USENIX 2023 ; Conference date: 09-08-2023 Through 11-08-2023",

year = "2023",

language = "English",

volume = "3",

pages = "1865--1882",

editor = "Joe Calandrino and Carmela Troncoso",

booktitle = "Proceedings of the 32nd USENIX Security Symposium",

publisher = "The USENIX Association",

url = "https://dl.acm.org/doi/proceedings/10.5555/3620237, https://www.usenix.org/conference/usenixsecurity23/glance",

}

Wang, J, Zhang, Z, Liu, S, Du, X & Chen, J 2023, FuzzJIT: Oracle-enhanced fuzzing for JavaScript engine JIT compiler. in J Calandrino & C Troncoso (eds), Proceedings of the 32nd USENIX Security Symposium. vol. 3, The USENIX Association, CA USA, pp. 1865-1882, USENIX Security Symposium 2023, Anaheim, California, United States of America, 9/08/23. <https://www.usenix.org/conference/usenixsecurity23/presentation/wang-junjie>

FuzzJIT: Oracle-enhanced fuzzing for JavaScript engine JIT compiler. / Wang, Junjie; Zhang, Zhiyi; Liu, Shuang et al.
Proceedings of the 32nd USENIX Security Symposium. ed. / Joe Calandrino; Carmela Troncoso. Vol. 3 CA USA: The USENIX Association, 2023. p. 1865-1882.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - FuzzJIT

T2 - USENIX Security Symposium 2023

AU - Wang, Junjie

AU - Zhang, Zhiyi

AU - Liu, Shuang

AU - Du, Xiaoning

AU - Chen, Junjie

N1 - Conference code: 32nd

PY - 2023

Y1 - 2023

N2 - We present a novel fuzzing technique, FuzzJIT, for exposing JIT compiler bugs in JavaScript engines, based on our insight that JIT compilers shall only speed up the execution but never change the execution result of JavaScript code. FuzzJIT can activate the JIT compiler for every test case and acutely capture any execution discrepancy caused by JIT compilers. The key to success is the design of an input wrapping template, which proactively activates the JIT compiler and makes the generated samples oracle-aware themselves and the oracle is tested during execution spontaneously. We also design a set of mutation strategies to emphasize program elements promising in revealing JIT compiler bugs. FuzzJIT drills to JIT compilers and at the same time retains the high efficiency of fuzzing. We have implemented the design and applied the prototype to find new JIT compiler bugs in four mainstream JavaScript engines. In one month, ten, five, two, and 16 new bugs are exposed in JavaScriptCore, V8, SpiderMonkey, and ChakraCore, respectively, with three demonstrated exploitable.

AB - We present a novel fuzzing technique, FuzzJIT, for exposing JIT compiler bugs in JavaScript engines, based on our insight that JIT compilers shall only speed up the execution but never change the execution result of JavaScript code. FuzzJIT can activate the JIT compiler for every test case and acutely capture any execution discrepancy caused by JIT compilers. The key to success is the design of an input wrapping template, which proactively activates the JIT compiler and makes the generated samples oracle-aware themselves and the oracle is tested during execution spontaneously. We also design a set of mutation strategies to emphasize program elements promising in revealing JIT compiler bugs. FuzzJIT drills to JIT compilers and at the same time retains the high efficiency of fuzzing. We have implemented the design and applied the prototype to find new JIT compiler bugs in four mainstream JavaScript engines. In one month, ten, five, two, and 16 new bugs are exposed in JavaScriptCore, V8, SpiderMonkey, and ChakraCore, respectively, with three demonstrated exploitable.

UR - https://www.scopus.com/pages/publications/85171867174

M3 - Conference Paper

AN - SCOPUS:85171867174

VL - 3

SP - 1865

EP - 1882

BT - Proceedings of the 32nd USENIX Security Symposium

A2 - Calandrino, Joe

A2 - Troncoso, Carmela

PB - The USENIX Association

CY - CA USA

Y2 - 9 August 2023 through 11 August 2023

ER -

FuzzJIT: Oracle-enhanced fuzzing for JavaScript engine JIT compiler

Abstract

Conference

Access to Document

Other files and links

Cite this