fuzzing javascript engines with aspect preserving mutation
play

Fuzzing JavaScript Engines with Aspect-preserving Mutation Soyeon - PowerPoint PPT Presentation

Jan 24, 2023 •31 likes •461 views

Fuzzing JavaScript Engines with Aspect-preserving Mutation Soyeon Park, Wen Xu, Insu Yun, Daehee Jang, Taesoo Kim Everyone uses web browser (+ JS engine) 4,000,000,000 2 New Tab https://gts3.org/ Bank Private Password account data

  1. Fuzzing JavaScript Engines with Aspect-preserving Mutation Soyeon Park, Wen Xu, Insu Yun, Daehee Jang, Taesoo Kim

  2. Everyone uses web browser (+ JS engine) 4,000,000,000 2

  3. New Tab https://gts3.org/ Bank Private Password account data S&P’20! 3

  4. JS bugs are security-critical ( ) 9/11 (82%) 2017 2018 2019 2020 5

  5. Finding JS bugs is hard 443K 1M • Large codebase 995K 797K 6

  6. Finding JS bugs is hard • Deep semantic bugs JS engine Parser / Interpreter JIT compiler Executor 8

  7. Finding JS bugs is hard • Deep semantic bugs 1 25 JIT-OOB JIT-Type confusion JIT-Memory corruption Parser/Interpreter 20 # of Bugs 15 Complex & deep bugs 10 Simple & shallow bugs 5 0 2016 2017 2018 2019 Year 1 Google Project Zero issue trackers and commits of ChakraCore for security updates by Aug 2019 9

  8. Motivating example • Special conditions are necessary to discover new bug from old ones • What human hacker is good at 10

  9. Motivating example • Special conditions are necessary to discover new bug from old ones • JIT-able condition by for-loop & empty object 11

  10. Motivating example • Special conditions are necessary to discover new bug from old ones • “Function” which has side-effect 12

  11. Motivating example • Special conditions are necessary to discover new bug from old ones • Instruction order 13

  12. Motivating example • Special conditions are necessary to discover new bug from old ones • Newly introduced code 14

  13. Aspects • Key features that guide to discover new bugs, which are embedded in the Proof-of-Concept of existing bugs Assign float values to an array and order of the instructions Type confusion 15

  14. Aspects • Key features that guide to discover new bugs, which are embedded in the Proof-of-Concept of existing bugs Assign float values to an array and order of the instructions For loop to invoke JIT compiler 16

  15. Aspects • Key features that guide to discover new bugs, which are embedded in the Proof-of-Concept of existing bugs Assign float values to an array and order of the instructions For loop to invoke JIT compiler Arrow function to assign object value to the same array 17

  16. Ou Our so solu lutio tion: DIE: Fuzzing JS engine with generation and Aspect-preserving mutation 21

  17. DIE overview w/ instrumented Dynamic & JS engine Static analysis Input Typed-AST JS file Crash! Preprocessing Execution generation Original Seeds Code coverage Feedback 22

  18. Preprocessing for typed-AST Pre-Processing Dynamic Analysis w/ instrumented Dynamic & JS engine Static analysis Typed-AST Instrument IMMUTABL E while … Type analysis Input Typed-AST JS file Input Crash! == Preprocessing Execution NUM generation [] 1 generation NUM a 0 NUM NUM Original Seeds Static Analysis ARRAY Code coverage AST + Type Information Feedback 23

  19. Type Analysis: dynamic analysis • Execute instrumented corpus Corpus recordType() var n = 3 recordType() var array = new Array(n) recordType() 24

  20. Type Analysis: dynamic analysis • Execute instrumented corpus Corpus recordType() var n = 3 recordType() var array = new Array(n) recordType() 25

  21. Type Analysis: dynamic analysis • Execute instrumented corpus Corpus recordType() var n = 3 recordType() n : number var array = new Array(n) recordType() 26

  22. Type Analysis: dynamic analysis • Execute instrumented corpus Corpus recordType() var n = 3 recordType() var array = new Array(n) n : number recordType() array: numberArray 27

  23. Type Analysis: dynamic analysis • Execute instrumented corpus Type Information Corpus recordType() var n = 3 recordType() n : number var array = new Array(n) n : number recordType() array: numberArray 28

  24. Type Analysis: static analysis • Propagate type information from bottom to top with custom rules AST while + == [] 1 Type Information 0 a 29

  25. Type Analysis: static analysis • Propagate type information from bottom to top with custom rules Typed-AST AST IMMUTABLE while while + == == NUM [] [] 1 1 Type Information NUM 0 0 a a NUM ARRAY NUM 30

  26. Input generation Input Generation w/ instrumented Dynamic & Typed-AST Mutated Typed-AST JS engine Static analysis IMMUTABL Generation E IMMUTABL while Engine … E while Input == Typed-AST JS file NUM NUM Crash! Preprocessing Execution == [] NUM [] generation [] 1 a . a 0 NUM a 0 NUM NUM NUM NUM Mutated ARRAY a ARRAY Mutation Original Seeds NUM NUM Seeds ARRAY Engine NUM ARRAY “length” Code coverage Mutate (Aspect-preserving) Feedback 31

  27. Aspect-preserving mutation • Type & structure preserving mutation Assign float values to an array and order of the instructions For loop to invoke JIT compiler Arrow function to assign object value to the same array 32

  28. Type-preserving mutation • Mutate typed-AST node with same typed node Generation + Typed-AST Engine Type IMMUTABLE Information while == NUM [] 1 NUM 0 a NUM ARRAY NUM 33

  29. Type-preserving mutation • Mutate typed-AST node with same typed node Generation + Typed-AST Engine Type IMMUTABLE Information while NUM typed node . [] == NUM a length a 0 [] 1 NUM 0 a NUM ARRAY NUM Mutation Engine 34

  30. Type-preserving mutation • Mutate typed-AST node with same typed node Generation + Typed-AST Engine Mutated Typed-AST Type IMMUTABLE Information IMMUTABLE while while NUM typed node . [] == NUM == NUM NUM a length a 0 [] 1 [] [] NUM 0 a NUM a 0 a . NUM NUM ARRAY NUM NUM ARRAY Mutation NUM ARRAY a length Engine 35

  31. Structure-preserving mutation • Selectively mutate nodes to avoid breaking control-flow structure Typed-AST IMMUTABLE while Mutation == Engine NUM [] 1 NUM a 0 NUM ARRAY NUM 36

  32. Structure-preserving mutation • Selectively mutate nodes to avoid breaking control-flow structure Typed-AST IMMUTABLE while Mutation == Engine NUM [] 1 NUM a 0 NUM ARRAY NUM 37

  33. Execution with instrumented JS engine Execution/Feedback Instrumented w/ instrumented Dynamic & JS Engines JS engine Static analysis Execute … Input Input Typed-AST JS file generation Crash! Preprocessing Execution generation Mutated Seeds Original Seeds Distributed Fuzzing Platform Code coverage Feedback Coverage Feedback 38

  34. Implementation • Core fuzzing engine 3,677 lines of TypeScript • Type analyzer 222 lines of Python • Dynamic instrumentation tool • Generation engine 10,545 lines of TypeScript • Mutation engine 2,333 lines of TypeScript • AFL modification 453 lines of C • Distributed fuzzing harness 205 lines of TypeScript • Coordinator 1,419 lines of Python and Shell Script • Local agent 492 lines of Python • Crash reporter 19,346 lines of code • Total 39

  35. Evaluation Fuzzing JS engines with DIE in the wild ... and extra information to understand the techniques applied on DIE 40

  36. Fuzzing JS engines in the wild • We ran DIE up to 3 weeks against 3 major JS engines • 48 unique bugs in total • 39 fixed bug • 11 acknowledged CVEs • 27K USD bug bounty reward as of now 41

  37. Evaluation: effectiveness of leveraging aspect • DIE found 84 distinct crashes and 28 unique bugs in ChakaCore Preserved aspect Bug Crash Structure & Type 14/28 (50.00%) 40/84 (47.62%) Structure-only 12/28 (42.86%) 32/84 (42.86%) Total 22/28 (92.86%) 72/84 (90.48%) 42

  38. Case study: CVE-2019-0990 • corpus: CVE-2018-0777 Generation w/ type information Mutation (structure preserving) Mutation (type preserving) 43

  39. Evaluation: aspect preserving • Ratio difference of JIT-optimization phase invocation between the generated inputs and seed files 200 Forward • vs DIE t : 1.53x FGPeeps FGBuild 175 Backward Optimization Invocation Rate (%) • vs CodeAlchemist : 4.29x CaptureByteCodeRegUse BackEnd 150 DeadStore • vs Superion: negligible GlobOpt Etc 125 • Mutation-based fuzzer 100 75 50 DIE t : DIE without structure-preserving 25 (type preserving only) 0 Die t Superion CodeAlchemist Die 44

  40. Evaluation: validity of generated input • Error rate of generated inputs • vs Superion: 2.31x SyntaxError • vs CodeAlchemist: 2.31x ReferenceError 40 TypeError • vs jsfunfuzz: 2.42x RangeError • DIE c produces less error rate than Error Rate (%) 30 vanilla 20 10 DIE c : DIE without coverage feedback 0 Vanilla Die c Die Superion CodeAlchemist jsfunfuzz Original corpus 45

  41. Evaluation: comparison w/ state-of-the-art fuzzers • Number of unique crashes found by DIE vs state-of-the-art fuzzers for 24 hours JS engine DIE DIE t Superion CodeAlchemist ChakraCore 1.11.10 17 7 0 3 JavaScriptCore 2 0 0 0 2.24.2 V8 7.7.100 2 1 1 0 DIE t : DIE without structure-preserving (type preserving only) 47

  42. Conclusion • DIE is a JS engine fuzzer that preserves the aspects from PoC of existing bugs achieved by type and structure preserving • Discovered 48 unique bugs with 11 CVEs assigned • Open sourced: https://github.com/sslab-gatech/DIE 48

  43. Thank you! Q & A 49

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
Know Your Engines How to Make Your JavaScript Fast Dave Mandelin 8 November 2011 OReilly

Know Your Engines How to Make Your JavaScript Fast Dave Mandelin 8 November 2011 OReilly

Know Your Engines How to Make Your JavaScript Fast Dave Mandelin 8 November 2011 OReilly Velocity Europe Tuesday, November 8, 2011 JavaScript is getting really fast and programs are getting crazy Bullet physics engine (ammo.js) H.264

2.15k views • 184 slides
1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

Population Genetics 5: Mutation pressure Mutation pressure Table 1 : Estimates of per generation mutation rates for a range of organisms Organism Per nucleotide rate Genomic rate RNA GENOMES 1.97 10 -5 Poliovirus 0.15 1.10 10 -4

306 views • 7 slides
1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

1 Mutation pressure Let = the mutation rate from A a Let = the mutation rate from a

Population Genetics 5: Mutation pressure Mutation pressure Table 1 : Estimates of per generation mutation rates for a range of organisms Organism Per nucleotide rate Genomic rate RNA GENOMES 1.97 10 -5 Poliovirus 0.15 1.10 10 -4

350 views • 6 slides
Hacking WebKit & Its JavaScript Engines Jarred Nicholls Work @ Sencha WebKit Committer

Hacking WebKit & Its JavaScript Engines Jarred Nicholls Work @ Sencha WebKit Committer

Hacking WebKit & Its JavaScript Engines Jarred Nicholls Work @ Sencha WebKit Committer Doing webkitty things... Our Mission if we choose to accept it Define: What is WebKit? Some Simple Ways to Leverage WebKit Little investment, Large

1k views • 82 slides
A Short Introduction to Servo Web Engines Hackfest 2014 Martin Robinsonn @abandonedwig The

A Short Introduction to Servo Web Engines Hackfest 2014 Martin Robinsonn @abandonedwig The

A Short Introduction to Servo Web Engines Hackfest 2014 Martin Robinsonn @abandonedwig The Modern Browser Fast JavaScript engines Optimized layout routines Rapidly evolving rendering pipelines Ever increasing concurrency Not Good Enough

647 views • 23 slides
NoJITsu: Locking Down JavaScript Engines Taemin Park , Karel Dhondt, David Gens , Yeoul

NoJITsu: Locking Down JavaScript Engines Taemin Park , Karel Dhondt, David Gens , Yeoul

NoJITsu: Locking Down JavaScript Engines Taemin Park , Karel Dhondt, David Gens , Yeoul Na , Stijn Volckaert, Michael Franz Department of Computer Science, University of California, Irvine Department of Computer

506 views • 24 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
1 Mutation - selection equilibrium 1. Mutation pressure: ( ) ( ) = Let = the

1 Mutation - selection equilibrium 1. Mutation pressure: ( ) ( ) = Let = the

Population Genetics 7: transient verses equilibrium polymorphism Mutation - selection equilibrium Mutation pressure and selection can operate in opposite directions as a force for change in allele frequencies in populations. Note that

359 views • 9 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens

Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens

Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens Gustafsson and Mikhail Chalabine Outline: Aspect-Oriented Programming New concepts introduced Crosscutting concern Aspect Dynamic aspect

1.12k views • 50 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
strt r

strt r

r t Prs r strt r rtr Prtr

543 views • 41 slides
Dilute magnetic oxides J. M. D. Coey School of Physics and CRANN, Trinity College Dublin

Dilute magnetic oxides J. M. D. Coey School of Physics and CRANN, Trinity College Dublin

Dilute magnetic oxides J. M. D. Coey School of Physics and CRANN, Trinity College Dublin Ireland. 1. How should they behave? 2. How do they behave ? 3. What is the explanation ? 5 models Comments and corrections please: jcoey@tcd.ie

561 views • 33 slides
ukasiewicz logic is nullary Topology, Algebra, and Categories in Logic

ukasiewicz logic is nullary Topology, Algebra, and Categories in Logic

The unication type ukasiewicz logic is nullary Topology, Algebra, and Categories in Logic http://logica.dmi.unisa.it/lucaspada University of Salerno Department of Mathematics Luca Spada Based on a joint work with V. Marra The

1.24k views • 110 slides
strt t

strt t

tt t r trs s rts rts s

540 views • 53 slides
capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research November 14, 2019 Introduction Honeypot: A

224 views • 19 slides
John Engstrom, MD February 14, 2020 A 61 yo man with low back pain (LBP) presented to the

John Engstrom, MD February 14, 2020 A 61 yo man with low back pain (LBP) presented to the

John Engstrom, MD February 14, 2020 A 61 yo man with low back pain (LBP) presented to the neurology outpatient practice in December 2017 with bilateral (R > L) leg pain, weakness, numbness since April 2017. His LBP was worse with sitting and

291 views • 12 slides
1 The spinal cord is protected by Vertebra viewed from above the vertebral column Vertebral

1 The spinal cord is protected by Vertebra viewed from above the vertebral column Vertebral

Outline of the Lecture Segmental nature of the vertebrate body The spinal cord is segmented Spinal Cord The spinal cord is protected by the vertebral column Spinal cord segments are named for their associated vertebrae P.A.

322 views • 6 slides
Management of children with spina bifida in the age of fetal intervention FRANCOIS I. LUKS PETRA

Management of children with spina bifida in the age of fetal intervention FRANCOIS I. LUKS PETRA

Management of children with spina bifida in the age of fetal intervention FRANCOIS I. LUKS PETRA KLINGE www.revolutionhealth.com Spina Bifida and Neural Tube Defects Epidemiology One of the most common birth defects: 1-2 cases/1,000

585 views • 56 slides

More recommend