Fuzzing JavaScript Engines with Aspect-Preserving Mutation

IEEE via YouTube

Overview

This course aims to teach learners how to fuzz JavaScript engines with aspect-preserving mutation. By the end of the course, students will be able to understand the challenges of finding JavaScript bugs, utilize aspect-preserving mutation techniques, implement fuzzing on JavaScript engines, and evaluate the effectiveness of leveraging aspects in bug discovery. The course covers skills such as preprocessing for typed-AST, type analysis (both dynamic and static), input generation, and various mutation techniques. The teaching method includes theoretical explanations, case studies, implementation demonstrations, and evaluations. This course is intended for individuals interested in cybersecurity, software testing, JavaScript development, or bug discovery in JavaScript engines.

Syllabus

Everyone uses a web browser (+ JS engine)
Finding JS bugs is hard
Motivating example
Special conditions are necessary to discover new bugs from old ones
Aspects
DIE overview
Preprocessing for typed-AST
Type Analysis: dynamic analysis
Type Analysis: static analysis
Input generation
Aspect-preserving mutation
Type-preserving mutation
Structure-preserving mutation
Execution with instrumented JS engine
Implementation
Fuzzing JS engines in the wild
Evaluation: effectiveness of leveraging aspect
Case study: CVE-2019-0990
Evaluation: aspect preserving
Evaluation: validity of generated input
Evaluation: comparison w/ state-of-the-art fuzzers
Conclusion

Taught by

IEEE Symposium on Security and Privacy
