Skip to content

A fuzzing setup for JS JIT compilers, implemented for the JavaScriptCore (webkit) engine.

License

Notifications You must be signed in to change notification settings

timobrembeck/jit-fuzzer

Repository files navigation

Docker License

⚠️ This project is no longer maintained

For current research on this topic, see for example:

  • Bernhard, L., Scharnowski, T., Schloegel, M., Blazytko, T., & Holz, T. (2022). JIT-Picking: Differential Fuzzing of JavaScript Engines. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. https://doi.org/10.1145/3548606.3560624
  • Groß, S., Koch, S., Bernhard, L., Holz, T., & Johns, M. (2023). Fuzzilli: Fuzzing for JavaScript Jit Compiler vulnerabilities. Proceedings 2023 Network and Distributed System Security Symposium. https://doi.org/10.14722/ndss.2023.24290

jit-fuzzer

A fuzzing setup for JS JIT compilers using a combination of Fuzzilli and AFLplusplus, implemented for the JavaScriptCore (WebKit) engine.

Quickstart

You can use the pre-built docker image hosted on Docker Hub:

docker pull timoludwig/jit-fuzzer
docker run --name jit-fuzzer timoludwig/jit-fuzzer

Detailed instructions

Clone the repository including its submodules:

Protocol Command
HTTPS git clone --recurse-submodules --jobs 3 https://github.com/timoludwig/jit-fuzzer.git
SSH git clone --recurse-submodules --jobs 3 [email protected]:timoludwig/jit-fuzzer.git

Pull new commits including submodules:

git pull
git submodule update --jobs 3

If you want to modify and/or build the project yourself, you have the choice between Docker and a native Linux installation:

Docker Native Linux
Compile patched versions of Fuzzilli, AFLplusplus and WebKit (this may take a while, even on modern hardware):
docker build -t jit-fuzzer .
make
Generate interesting js samples with Fuzzilli and fuzz their JIT-compiled code in AFL: First run (create container from image):
docker run --name jit-fuzzer jit-fuzzer
Subsequent runs (start of existing container):
docker start jit-fuzzer
docker logs -f jit-fuzzer
./fuzz.sh

How does it work?

Control-flow graph