DIE
Repository for "Fuzzing JavaScript Engines with Aspect-preserving Mutation" (in S&P'20). You can check the paper for technical details.
Environment
Tested on Ubuntu 18.04 with following environment.
- Python v3.6.10
- npm v6.14.6
- n v6.7.0
General Setup
For nodejs and npm,
$ sudo apt-get -y install npm
$ sudo npm install -g n
$ sudo n stable
For redis-server,
$ sudo apt install redis-server
we choose clang-6.0 to compile afl and browsers smoothly.
$ sudo apt-get -y install clang-6.0
DIE Setup
To setup environment for AFL,
$ cd fuzz/scripts
$ sudo ./prepare.sh
To compile whole project,
$ ./compile.sh
Server Setup
- Make Corpus Directory (We used Die-corpus as corpus)
$ git clone https://github.com/sslab-gatech/DIE-corpus.git
$ python3 ./fuzz/scripts/make_initial_corpus.py ./DIE-corpus ./corpus
- Make ssh-tunnel for connection with redis-server
$ ./fuzz/scripts/redis.py
- Dry run with corpus
$ ./fuzz/scripts/populate.sh [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
# Example
$ ./fuzz/scripts/populate.sh ~/ch ./DIE-corpus ch
It's done! Your corpus is well executed and the data should be located on redis-server.
Tips
To check the redis-data,
$ redis-cli -p 9000
127.0.0.1:9000> keys *
If the result contains "crashBitmap", "crashQueue", "pathBitmap", "newPathsQueue" keys, the fuzzer was well registered and executed.
Client Setup
- Make ssh-tunnel for connection with redis-server
$ ./fuzz/scripts/redis.py
- Usage
$ ./fuzz/scripts/run.sh [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
# Example
$ ./fuzz/scripts/run.sh ~/ch ./DIE-corpus ch
- Check if it's running
$ tmux ls
You can find a session named fuzzer if it's running.
Typer
We used d8 to profile type information. So, please change d8_path in fuzz/TS/typer/typer.py before execution.
cd fuzz/TS/typer
python3 typer.py [corpus directory]
*.jsi file will be created if instrumentation works well. *.t file will be created if profiling works well.
CVEs
If you find bugs and get CVEs by running DIE, please let us know.
- ChakraCore: CVE-2019-0609, CVE-2019-1023, CVE-2019-1300, CVE-2019-0990, CVE-2019-1092
- JavaScriptCore: CVE-2019-8676, CVE-2019-8673, CVE-2019-8811, CVE-2019-8816
- V8: CVE-2019-13730, CVE-2019-13764, CVE-2020-6382
Contacts
- Soyeon Park [email protected]
- Wen Xu [email protected]
- Insu Yun [email protected]
- Daehee Jang [email protected]
- Taesoo Kim [email protected]
Citation
@inproceedings{park:die,
title = {{Fuzzing JavaScript Engines with Aspect-preserving Mutation}},
author = {Soyeon Park and Wen Xu and Insu Yun and Daehee Jang and Taesoo Kim},
booktitle = {Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland)},
month = may,
year = 2020,
address = {San Francisco, CA},
}