Table of Contents
Fetching ...

PatchFuzz: Patch Fuzzing for JavaScript Engines

Junjie Wang, Yuhan Ma, Xiaofei Xie, Xiaoning Du, Xiangwei Zhang

TL;DR

This work tackles vulnerabilities introduced or revealed by security patches in JavaScript engines. It introduces PatchFuzz, an end-to-end patch fuzzing framework that automatically detects security patches, extracts executable PoCs from the patches, and uses code revisions to guide targeted fuzzing with selective instrumentation and a two-tier mutation strategy. The approach demonstrates improved patch-recognition accuracy, higher PoC usability, and greater code coverage, achieving 54 discovered bugs (25 CVEs) across six engines and $62,500 in bounties. The results show the practicality of leveraging historical patches and PoCs to uncover vulnerabilities overlooked by prior fuzzing approaches, with ablation studies confirming the importance of seed collection, selective instrumentation, and mutation design for effectiveness.

Abstract

Patch fuzzing is a technique aimed at identifying vulnerabilities that arise from newly patched code. While researchers have made efforts to apply patch fuzzing to testing JavaScript engines with considerable success, these efforts have been limited to using ordinary test cases or publicly available vulnerability PoCs (Proof of Concepts) as seeds, and the sustainability of these approaches is hindered by the challenges associated with automating the PoC collection. To address these limitations, we propose an end-to-end sustainable approach for JavaScript engine patch fuzzing, named PatchFuzz. It automates the collection of PoCs of a broader range of historical vulnerabilities and leverages both the PoCs and their corresponding patches to uncover new vulnerabilities more effectively. PatchFuzz starts by recognizing git commits which intend to fix security bugs. Subsequently, it extracts and processes PoCs from these commits to form the seeds for fuzzing, while utilizing code revisions to focus limited fuzzing resources on the more vulnerable code areas through selective instrumentation. The mutation strategy of PatchFuzz is also optimized to maximize the potential of the PoCs. Experimental results demonstrate the effectiveness of PatchFuzz. Notably, 54 bugs across six popular JavaScript engines have been exposed and a total of $62,500 bounties has been received.

PatchFuzz: Patch Fuzzing for JavaScript Engines

TL;DR

This work tackles vulnerabilities introduced or revealed by security patches in JavaScript engines. It introduces PatchFuzz, an end-to-end patch fuzzing framework that automatically detects security patches, extracts executable PoCs from the patches, and uses code revisions to guide targeted fuzzing with selective instrumentation and a two-tier mutation strategy. The approach demonstrates improved patch-recognition accuracy, higher PoC usability, and greater code coverage, achieving 54 discovered bugs (25 CVEs) across six engines and $62,500 in bounties. The results show the practicality of leveraging historical patches and PoCs to uncover vulnerabilities overlooked by prior fuzzing approaches, with ablation studies confirming the importance of seed collection, selective instrumentation, and mutation design for effectiveness.

Abstract

Patch fuzzing is a technique aimed at identifying vulnerabilities that arise from newly patched code. While researchers have made efforts to apply patch fuzzing to testing JavaScript engines with considerable success, these efforts have been limited to using ordinary test cases or publicly available vulnerability PoCs (Proof of Concepts) as seeds, and the sustainability of these approaches is hindered by the challenges associated with automating the PoC collection. To address these limitations, we propose an end-to-end sustainable approach for JavaScript engine patch fuzzing, named PatchFuzz. It automates the collection of PoCs of a broader range of historical vulnerabilities and leverages both the PoCs and their corresponding patches to uncover new vulnerabilities more effectively. PatchFuzz starts by recognizing git commits which intend to fix security bugs. Subsequently, it extracts and processes PoCs from these commits to form the seeds for fuzzing, while utilizing code revisions to focus limited fuzzing resources on the more vulnerable code areas through selective instrumentation. The mutation strategy of PatchFuzz is also optimized to maximize the potential of the PoCs. Experimental results demonstrate the effectiveness of PatchFuzz. Notably, 54 bugs across six popular JavaScript engines have been exposed and a total of $62,500 bounties has been received.
Paper Structure (17 sections, 5 figures, 9 tables)

This paper contains 17 sections, 5 figures, 9 tables.

Figures (5)

  • Figure 1: The PoC of CVE-2018-0777 (without line 4 and 5), the PoC of CVE-2018-8137 (with line 4 added to the PoC of CVE-2018-0777), and a bypass to CVE-2018-8137 (with line 5 added to the PoC of CVE-2018-0777).
  • Figure 2: The general workflow of PatchFuzz.
  • Figure 3: PoC of CVE-2018-4416 before processing
  • Figure 4: PoC of CVE-2018-4416 after processing
  • Figure 5: The PoC of CVE-2020-9802 (without line 4) and the PoC of CVE-2020-9983 (without line 3).