• Stars
    star
    221
  • Rank 179,773 (Top 4 %)
  • Language
    TypeScript
  • License
    MIT License
  • Created over 4 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Fuzzing JavaScript Engines with Aspect-preserving Mutation

DIE

Repository for "Fuzzing JavaScript Engines with Aspect-preserving Mutation" (in S&P'20). You can check the paper for technical details.

Environment

Tested on Ubuntu 18.04 with following environment.

  • Python v3.6.10
  • npm v6.14.6
  • n v6.7.0

General Setup

For nodejs and npm,

$ sudo apt-get -y install npm
$ sudo npm install -g n
$ sudo n stable

For redis-server,

$ sudo apt install redis-server

we choose clang-6.0 to compile afl and browsers smoothly.

$ sudo apt-get -y install clang-6.0

DIE Setup

To setup environment for AFL,

$ cd fuzz/scripts
$ sudo ./prepare.sh

To compile whole project,

$ ./compile.sh

Server Setup

  • Make Corpus Directory (We used Die-corpus as corpus)
$ git clone https://github.com/sslab-gatech/DIE-corpus.git
$ python3 ./fuzz/scripts/make_initial_corpus.py ./DIE-corpus ./corpus
  • Make ssh-tunnel for connection with redis-server
$ ./fuzz/scripts/redis.py
  • Dry run with corpus
$ ./fuzz/scripts/populate.sh [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
# Example
$ ./fuzz/scripts/populate.sh ~/ch ./DIE-corpus ch

It's done! Your corpus is well executed and the data should be located on redis-server.

Tips

To check the redis-data,

$ redis-cli -p 9000
127.0.0.1:9000> keys *

If the result contains "crashBitmap", "crashQueue", "pathBitmap", "newPathsQueue" keys, the fuzzer was well registered and executed.

Client Setup

  • Make ssh-tunnel for connection with redis-server
$ ./fuzz/scripts/redis.py
  • Usage
$ ./fuzz/scripts/run.sh [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
# Example
$ ./fuzz/scripts/run.sh ~/ch ./DIE-corpus ch
  • Check if it's running
$ tmux ls

You can find a session named fuzzer if it's running.

Typer

We used d8 to profile type information. So, please change d8_path in fuzz/TS/typer/typer.py before execution.

cd fuzz/TS/typer
python3 typer.py [corpus directory]

*.jsi file will be created if instrumentation works well. *.t file will be created if profiling works well.

CVEs

If you find bugs and get CVEs by running DIE, please let us know.

  • ChakraCore: CVE-2019-0609, CVE-2019-1023, CVE-2019-1300, CVE-2019-0990, CVE-2019-1092
  • JavaScriptCore: CVE-2019-8676, CVE-2019-8673, CVE-2019-8811, CVE-2019-8816
  • V8: CVE-2019-13730, CVE-2019-13764, CVE-2020-6382

Contacts

Citation

@inproceedings{park:die,
  title        = {{Fuzzing JavaScript Engines with Aspect-preserving Mutation}},
  author       = {Soyeon Park and Wen Xu and Insu Yun and Daehee Jang and Taesoo Kim},
  booktitle    = {Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland)},
  month        = may,
  year         = 2020,
  address      = {San Francisco, CA},
}

More Repositories

1

Rudra

Rust Memory Safety & Undefined Behavior Detection
Rust
1,314
star
2

qsym

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
C++
627
star
3

winnie

Winnie is an end-to-end system that makes fuzzing Windows applications easy
C
528
star
4

pwn2own2020

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
C++
401
star
5

DrK

The DrK Attack - Proof of concept
Python
343
star
6

opensgx

OpenSGX
C
288
star
7

avpass

Tool for leaking and bypassing Android malware detection system
Smali
283
star
8

janus

Janus: a state-of-the-art file system fuzzer on Linux
C
206
star
9

hydra

Hydra: an Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems
C
156
star
10

ArcHeap

ArcHeap: Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
C
141
star
11

freedom

A DOM fuzzer
Python
139
star
12

cs3210-rustos-public

Lab assignments for Georgia Tech CS 3210 "Design of Operating Systems"
Rust
111
star
13

perf-fuzz

C
94
star
14

sgx-tutorial-ccs17

SGX Tutorial at CCS17: SGX Security and Privacy
83
star
15

mosaic

C++
78
star
16

autofz

autofz: Automated Fuzzer Composition at Runtime
C
72
star
17

apollo

A toolchain for automatically detecting, reporting, and diagnosing performance bugs in DBMSs.
HCL
68
star
18

kernel-analyzer

C++
65
star
19

fuzzification

We hinder fuzzing
C
64
star
20

apisan

APISan: Sanitizing API Usages through Semantic Cross-Checking
C++
60
star
21

fxmark

FxMark: Filesystem Multicore Scalability Benchmark
Filebench WML
58
star
22

libmpk

C
48
star
23

deadline

C++
45
star
24

unisan

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
C++
43
star
25

shfllock

C
40
star
26

Rudra-PoC

Trophy case for Rudra bugs.
Rust
36
star
27

DIE-corpus

Corpus set used by DIE
Raku
36
star
28

aslr-guard

Preventing code-reuse attacks by stopping code pointer leakages
35
star
29

sgx101-gitbook

Synced with SGX101 gitbook.
30
star
30

kenali-kernel

Modified Nexus 9 kernel for Kenali Project
C
29
star
31

krace

Source code release for the KRace project
Python
27
star
32

hdfi

Hardware-assisted Data-flow Isolation
C
26
star
33

t-sgx

Compiler-based tool that protects Intel SGX applications against controlled-channel attacks
C++
26
star
34

caver

C++
25
star
35

juxta

C++
23
star
36

sgx-bomb

Makefile
15
star
37

RoboFuzz

Fuzzing framework for Robot Operating System (ROS) and ROS-based robotic systems
Python
15
star
38

cst-locks

C
13
star
39

SNAP

C
12
star
40

platpal

C++
12
star
41

blockchain-lab-pwneth

Solidity
11
star
42

ucognito

C
11
star
43

branch-shadowing

The branch shadowing attack: Proof of concept
C++
10
star
44

latr

Latr: Lazy Translation Coherence - ASPLOS'18
C
10
star
45

desensitization

Python
10
star
46

Rudra-Artifacts

Rudra's artifact evaluation submission
Rust
8
star
47

fakeroot-p

Makefile
8
star
48

vbench

VBench: Multicore Scalability Application Benchmark
Python
8
star
49

lkl-hydra

C
7
star
50

Pridwen

Universally Hardening SGX Programs via Load-Time Synthesis
C++
7
star
51

Sense

Code for Sense (NDSS'24)
C++
6
star
52

AndroidCoverageAgent

Coverage gathering JVMTI agent for Android
C++
6
star
53

kup

Prototype for seamlessly updating Linux kernel with application checkpoint-and-restart
5
star
54

eCS

Enlightened Critical Sections
C
4
star
55

bunshin

Python
4
star
56

playcrawl

Crawler for Googleplay
HTML
4
star
57

ordo

C
3
star
58

ACon2

Solidity
3
star
59

lkl

C
2
star
60

sgx101

A place to start designing application with Intel SGX in mind.
HTML
2
star
61

AndroidIntentFuzzer

Greybox fuzzing for Android Intent receivers
Kotlin
1
star