• Stars
    star
    235
  • Rank 171,079 (Top 4 %)
  • Language
    F#
  • License
    MIT License
  • Created about 6 years ago
  • Updated about 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines (NDSS '19)

CodeAlchemist

CodeAlchemist is a JavaScript engine fuzzer that improves classic grammar-based JS engine fuzzers by a novel test case generation algorithm, called semantics-aware assembly. The details of the algorithm is in our paper, "CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines", which appeared in NDSS 2019. This is a stable version of CodeAlchemist and it currently supports ChakraCore, V8, SpiderMonkey, and JavaScriptCore.

Installation

CodeAlchemist currently works on only Linux and we tested on Ubuntu 18.04.

  1. Install dependencies (build-essential, nodejs, npm, esprima, dotnet)
$ sudo apt update
$ sudo apt install build-essential
$ sudo apt install nodejs npm
$ npm i [email protected]

Installation for dotnet depends on OS version, so please refer this link.

  1. Clone and build CodeAlchemist
$ git clone https://github.com/SoftSec-KAIST/CodeAlchemist
$ cd CodeAlchemist
$ make

Usage

  1. Prepare to start

Prepare JS seed files, a configuration file, and the requirements in the configuration. Please refer conf/README.md for writing the configuration file.

  1. Preprocess JS seed files
$ dotnet bin/Main.dll rewrite <conf ABSPATH>
$ dotnet bin/Main.dll instrument <conf ABSPATH>
  1. Run fuzzing process
$ dotnet bin/Main.dll fuzz <conf ABSPATH>

There are four optional parameters for our JS code generation algorithm.

  • iMax (default: 8): The maximum number of iterations of the generation algorithm.
  • pBlk (default: 16): The probability of reinventing block statements.
  • iBlk (default: 3): The maximum number of iteration for generating a block statement.
  • dMax (default: 3): The maximum nesting level for a reassembling block statement.

You can specify parameters with following commands.

$ dotnet bin/Main.dll fuzz <conf ABSPATH> --iMax 8 --pBlk 16 --iBlk 3 --dMax 3

CVEs (Credits)

If you find bugs and get CVEs by running CodeAlchemist, please let us know by sending a PR for ./docs/CVE.md.

  • JavaScriptCore: CVE-2018-4464, CVE-2018-4437, CVE-2018-4378, CVE-2018-4372

Authors

This research project has been conducted by SoftSec Lab at KAIST.

Citation

If you plan to use CodeAlchemist in your own research. Please consider citing our paper:

@INPROCEEDINGS{han:ndss:2019,
  author = {HyungSeok Han and DongHyeon Oh and Sang Kil Cha},
  title = {{CodeAlchemist}: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines},
  booktitle = ndss,
  year = 2019
}

More Repositories

1

Fuzzing-Survey

The Art, Science, and Engineering of Fuzzing: A Survey
JavaScript
207
star
2

Eclipser

Grey-box Concolic Testing on Binary Code (ICSE '19)
F#
148
star
3

Smartian

Smartian: Enhancing Smart Contract Fuzzing with Static and Dynamic Data-Flow Analyses (ASE '21)
F#
139
star
4

BinKit

Binary Code Similarity Analysis (BCSA) Benchmark
Shell
132
star
5

TikNib

Binary Code Similarity Analysis (BCSA) Tool
Python
114
star
6

IMF

Inferred Model-based Fuzzer
Python
107
star
7

NTFuzz

NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis (IEEE S&P '21)
F#
94
star
8

MeanDiff

Testing Intermediate Representations for Binary Analysis (ASE '17)
F#
79
star
9

GitCTF

Git-based CTF
Python
60
star
10

Ankou

Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference (ICSE '20)
Go
54
star
11

Fuzzle

Fuzzle: Making a Puzzle for Fuzzers (ASE'22)
Python
40
star
12

Reassessor

Reassembly is Hard: A Reflection on Challenges and Strategies (USENIX Security '23)
Python
30
star
13

BotScreen

BotScreen: Trust Everybody, but Cut the Aimbots Yourself (USENIX Security '23)
Python
13
star
14

Smartian-Artifact

Artifacts for Smartian, a grey-box fuzzer for Ethereum smart contracts.
Solidity
12
star
15

Eclipser-Artifact

Docker image for Eclipser
Shell
4
star
16

Fuzzle-artifact

Artifact evaluation repository for Fuzzle
C
3
star
17

MeanDiff-LifterPyVEX

Lift instruction to VEX, using PyVEX, and translate to MeanDiff's UIR
Python
2
star
18

Ankou-Benchmark

2
star
19

MeanDiff-LifterBINSEC

Lift instruction to DBA, using BINSEC, and translate to MeanDiff's UIR
OCaml
1
star
20

LLM1dFuzz

Systematic Bug Reproduction with Large Language Model (SECAI'24)
Shell
1
star
21

MeanDiff-ExternalXED

C
1
star
22

MeanDiff-LifterBAP

Lift instruction to BIL, using BAP, and translate to MeanDiff's UIR
OCaml
1
star
23

MeanDiff-DockerBaseImage

Shell
1
star