One Article Review

Home - The article:
Source ProjectZero
Identifier 8221941
Publication date 2022-08-23 12:32:29 (viewed: 2022-11-25 18:05:33)
Title Fuzzing Closed-Source JavaScript Engines with Coverage Feedback
Text Posted by Ivan Fratric, Project Zero

tl;dr I combined Fuzzilli (an open-source JavaScript engine fuzzer) with TinyInst (an open-source dynamic instrumentation library for fuzzing). I also added grammar-based mutation support to Jackalope (my black-box binary fuzzer). So far, these two approaches resulted in finding three security issues in jscript9.dll (the default JavaScript engine used by Internet Explorer).

Introduction or “when you can’t beat them, join them”

In the past, I’ve invested a lot of time in generation-based fuzzing, which was a successful way to find vulnerabilities in various targets, especially those that take some form of language as input. For example, Domato, my grammar-based generational fuzzer, found over 40 vulnerabilities in WebKit and numerous bugs in Jscript.

While generation-based fuzzing is still a good way to fuzz many complex targets, it was demonstrated that, for finding vulnerabilities in modern JavaScript engines, especially engines with JIT compilers, better results can be achieved with mutational, coverage-guided approaches. My colleague Samuel Groß gives a compelling case on why that is in his OffensiveCon talk. Samuel is also the author of Fuzzilli, an open-source JavaScript engine fuzzer based on mutating a custom intermediate language. Fuzzilli has found a large number of bugs in various JavaScript engines.

While there has been a lot of development on coverage-guided fuzzers over the last few years, most of the public tooling focuses on open-source targets or software running on the Linux operating system. Meanwhile, I focused on developing tooling for fuzzing closed-source binaries on operating systems where such software is more prevalent (currently Windows and macOS). Some years back, I published WinAFL, the first performant AFL-based fuzzer for Windows. About a year and a half ago, however, I started working on a brand new toolset for black-box coverage-guided fuzzing. TinyInst and Jackalope are the two outcomes of this effort.

It comes somewhat naturally to combine the tooling I’ve been working on with techniques that have been so successful in finding JavaScript bugs, and to try to use the resulting tooling to fuzz JavaScript engines for which the source code is not available. Of such engines, I know two: jscript and jscript9 (implemented in jscript.dll and jscript9.dll) on Windows, whic
Sent Yes
The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of an earlier one.