For current research on this topic, see for example:
- Bernhard, L., Scharnowski, T., Schloegel, M., Blazytko, T., & Holz, T. (2022). JIT-Picking: Differential Fuzzing of JavaScript Engines. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. https://doi.org/10.1145/3548606.3560624
- Groß, S., Koch, S., Bernhard, L., Holz, T., & Johns, M. (2023). Fuzzilli: Fuzzing for JavaScript JIT Compiler Vulnerabilities. Proceedings 2023 Network and Distributed System Security Symposium. https://doi.org/10.14722/ndss.2023.24290
A fuzzing setup for JS JIT compilers using a combination of Fuzzilli and AFLplusplus, implemented for the JavaScriptCore (WebKit) engine.
You can use the pre-built Docker image hosted on Docker Hub:

```bash
docker pull timoludwig/jit-fuzzer
docker run --name jit-fuzzer timoludwig/jit-fuzzer
```
Clone the repository including its submodules:
Protocol | Command |
---|---|
HTTPS | `git clone --recurse-submodules --jobs 3 https://github.com/timoludwig/jit-fuzzer.git` |
SSH | `git clone --recurse-submodules --jobs 3 git@github.com:timoludwig/jit-fuzzer.git` |
Pull new commits including submodules:

```bash
git pull
git submodule update --jobs 3
```
If you want to modify and/or build the project yourself, you have the choice between Docker and a native Linux installation:

Step | Docker | Native Linux |
---|---|---|
Compile patched versions of Fuzzilli, AFLplusplus and WebKit (this may take a while, even on modern hardware): | `docker build -t jit-fuzzer .` | `make` |
Generate interesting JS samples with Fuzzilli and fuzz their JIT-compiled code in AFL: | First run (create container from image): `docker run --name jit-fuzzer jit-fuzzer`<br>Subsequent runs (start of existing container): `docker start jit-fuzzer` followed by `docker logs -f jit-fuzzer` | `./fuzz.sh` |