[Seminar] Fuzzing JavaScript Engines with Aspect-preserving Mutation

박소연 (Soyeon Park)
Georgia Institute of Technology
Wednesday, January 13th 2021, 11:00am
Building 302, Room 308 (students may attend via Zoom only)

Host: Prof. 전병곤 (Byung-Gon Chun), x1928


Fuzzing is a practical, widely deployed technique for finding bugs in complex, real-world programs such as JavaScript engines. However, I observed that existing fuzzing approaches, whether generative or mutational, fall short of fully harvesting high-quality input corpora such as known proof-of-concept (PoC) exploits or unit tests. Existing fuzzers tend to destroy subtle semantics or conditions encoded in the input corpus in order to generate new test cases, because doing so helps discover new code paths in the program. Nevertheless, for complex programs like JavaScript engines, such a conventional design yields test cases that exercise only shallow parts of the codebase and fails to reach deep bugs effectively because of the huge input space.

In this talk, I advocate a new technique called aspect-preserving mutation, which stochastically preserves desirable properties, called aspects, that we prefer to maintain across mutation. I demonstrate aspect preservation with two mutation strategies, namely structure and type preservation, in our fully fledged JavaScript fuzzer, DIE. Our evaluation shows that DIE’s aspect-preserving mutation is more effective at discovering new bugs (5.7× more unique crashes) and at producing valid test cases (2.4× fewer runtime errors) than state-of-the-art JavaScript fuzzers. DIE newly discovered 48 high-impact bugs in ChakraCore, JavaScriptCore, and V8 (38 fixed, with 12 CVEs assigned as of today).
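The two aspects named above, structure and type, can be made concrete with a toy mutator. The following is an added example written for this page; it is not DIE's code, and it simplifies heavily: the seed is a constructed nine-statement snippet built as a hand-written AST (no parser), the types of the seed's variables are written by hand in ID_TYPES (an assumption standing in for the dynamic type information a fuzzer like DIE would collect), and the "aspects" it tracks are just the statement count plus the kind and type of every literal and identifier, in order. It contrasts an aspect-preserving mutator, which swaps each leaf only for a same-kind, same-typed leaf and never adds or removes statements, with a naive one that swaps leaves across types and drops statements, then runs 200 mutants of each and counts how many throw and how many lost the seed's aspects:

```javascript
// Node constructors for a tiny JavaScript subset (hand-built ASTs, no parser).
const lit = (value) => ({ kind: "Literal", value });
const id = (name) => ({ kind: "Ident", name });
const arr = (...elements) => ({ kind: "Array", elements });
const member = (obj, prop) => ({ kind: "Member", obj, prop });
const call = (callee, ...args) => ({ kind: "Call", callee, args });
const bin = (op, left, right) => ({ kind: "Binary", op, left, right });
const decl = (name, init) => ({ kind: "VarDecl", name, init });
const stmt = (expr) => ({ kind: "ExprStmt", expr });

// Constructed seed standing in for a PoC / unit test taken from the corpus.
const SEED = [
  decl("a", arr(lit(1), lit(2), lit(3))),
  decl("b", arr(lit(4), lit(5))),
  decl("s", lit("ab")),
  decl("t", lit("xyz")),
  stmt(call(member(id("a"), "push"), lit(7))),
  stmt(call(member(id("b"), "fill"), lit(0))),
  decl("n", bin("+", call(member(id("a"), "indexOf"), lit(2)), call(member(id("s"), "indexOf"), lit("b")))),
  decl("u", call(member(call(member(id("s"), "concat"), id("t")), "charAt"), lit(1))),
  stmt(call(member(id("a"), "push"), bin("*", id("n"), member(id("b"), "length")))),
];
// Hand-written types of the seed's inputs (assumption: a real fuzzer such as DIE infers these dynamically).
const ID_TYPES = { a: "array", b: "array", s: "string", t: "string" };
// Same-typed replacement literals; each is legal at every position where SEED uses that type.
const LITERAL_POOL = {
  number: [0, 1, -1, 0.5, 2 ** 31 - 1, 2 ** 32, NaN, Infinity],
  string: ["", "b", "\u0000", "abcabc"],
};
const ANY_LEAF = [lit(0), lit("x"), lit(true), lit(null), id("a"), id("s"), id("n")];
function makeRng(seed) { // seeded xorshift32 so runs are reproducible
  let x = (seed >>> 0) || 1;
  return () => { x ^= x << 13; x >>>= 0; x ^= x >>> 17; x ^= x << 5; x >>>= 0; return x / 4294967296; };
}
const pick = (rng, list) => list[Math.floor(rng() * list.length)];

// Copy a node, letting onLeaf replace Literal/Ident leaves; inner nodes are kept.
function rewrite(node, onLeaf) {
  const r = (n) => rewrite(n, onLeaf);
  switch (node.kind) {
    case "Literal": case "Ident": return onLeaf(node);
    case "Array": return { ...node, elements: node.elements.map(r) };
    case "Member": return { ...node, obj: r(node.obj) };
    case "Call": return { ...node, callee: r(node.callee), args: node.args.map(r) };
    case "Binary": return { ...node, left: r(node.left), right: r(node.right) };
    case "VarDecl": return { ...node, init: r(node.init) };
    default: return { ...node, expr: r(node.expr) }; // ExprStmt
  }
}
// Print an AST back to JavaScript source (literal receivers are parenthesised).
function print(n) {
  switch (n.kind) {
    case "Literal": return typeof n.value === "string" ? JSON.stringify(n.value) : String(n.value);
    case "Ident": return n.name;
    case "Array": return `[${n.elements.map(print).join(", ")}]`;
    case "Member": return `${n.obj.kind === "Literal" ? `(${print(n.obj)})` : print(n.obj)}.${n.prop}`;
    case "Call": return `${print(n.callee)}(${n.args.map(print).join(", ")})`;
    case "Binary": return `(${print(n.left)} ${n.op} ${print(n.right)})`;
    case "VarDecl": return `var ${n.name} = ${print(n.init)};`;
    default: return `${print(n.expr)};`;
  }
}

// Aspect-preserving mutation: a leaf is swapped only for a leaf of the same kind and
// type, and no statement is added or removed, so structure and types survive.
function mutatePreserving(program, rng, rate = 0.3) {
  return program.map((st) => rewrite(st, (leaf) => {
    if (rng() >= rate) return leaf;
    if (leaf.kind === "Literal") {
      const pool = LITERAL_POOL[typeof leaf.value];
      return pool ? lit(pick(rng, pool)) : leaf;
    }
    const same = Object.keys(ID_TYPES).filter((v) => ID_TYPES[v] === ID_TYPES[leaf.name]);
    return same.length ? id(pick(rng, same)) : leaf;
  }));
}
// Naive mutation: a leaf may become any leaf of any type and statements may be dropped,
// so declarations and type assumptions the seed relied on can vanish.
function mutateNaive(program, rng, rate = 0.3) {
  return program.filter(() => rng() >= rate / 3)
    .map((st) => rewrite(st, (leaf) => (rng() < rate ? pick(rng, ANY_LEAF) : leaf)));
}

// The aspects tracked here: statement count plus the kind/type of every leaf, in order.
function aspects(program) {
  const sig = [];
  const tag = (leaf) => (sig.push(leaf.kind === "Literal" ? typeof leaf.value : ID_TYPES[leaf.name] || "?"), leaf);
  program.forEach((st) => rewrite(st, tag));
  return `${program.length}|${sig.join(",")}`;
}
// Generate `trials` mutants; count how many throw when run and how many lost the seed's aspects.
function evaluate(mutator, trials = 200, seed = 1) {
  const rng = makeRng(seed), want = aspects(SEED);
  let throws = 0, aspectsChanged = 0;
  for (let i = 0; i < trials; i++) {
    const mutant = mutator(SEED, rng);
    if (aspects(mutant) !== want) aspectsChanged++;
    try { new Function(mutant.map(print).join("\n"))(); } catch (e) { throws++; }
  }
  return { throws, aspectsChanged };
}
console.log("preserving:", evaluate(mutatePreserving), "naive:", evaluate(mutateNaive));
```

Run it with node. Every mutant from the preserving mutator executes without throwing and keeps the seed's aspect signature, whereas the naive mutator produces mutants such as a dropped `var a` followed by `a.push(...)` (ReferenceError) or `(0).push(7)` (TypeError) that the engine rejects long before any deep code is reached. Two caveats for anyone turning this into something real: the toy executes generated code in-process with `new Function`, which is acceptable here only because the seed is constructed, while a fuzzer must run the target engine in a separate process; and same-type replacement alone does not guarantee validity (for example `a.length = 2.5` throws a RangeError although 2.5 is a number), which is why the abstract reports fewer runtime errors rather than none.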

Speaker Bio

Soyeon Park is a Ph.D. candidate in the School of Computer Science at the Georgia Institute of Technology, advised by Prof. Taesoo Kim. She previously completed her bachelor’s degree at POSTECH. Her research interests are in systems security, with a focus on automatic vulnerability detection in real-world applications, hardware-assisted memory hardening, and binary analysis.