KOP-Fuzzer: A Key-Operation-based Fuzzer for Type Confusion Bugs in JavaScript Engines

2022 IEEE 46TH ANNUAL COMPUTERS, SOFTWARE, AND APPLICATIONS CONFERENCE (COMPSAC 2022)(2022)

Citations: 0 | Views: 33

Abstract
JavaScript (JS) engines are a core component of much software, such as web browsers, PDF readers and Flash players. There has been much research on finding JS engine vulnerabilities. However, because a JS engine's input space is infinite and the vulnerability-triggering conditions are extremely strict, it is difficult to generate test cases that trigger deep logic errors in fuzzing. This paper explores an approach that incorporates human experience into fuzzing. We propose a Key-Operation-based Fuzzer (KOP-Fuzzer) to explore type confusion vulnerabilities in JS engines. Based on human knowledge, we summarize a trigger model and extract key operations for type confusion vulnerabilities in JS engines. We use clustering to extract the key-operation methods from the engine's source code and develop a fuzzing system for key-operation mutation. Our experimental results demonstrate that KOP-Fuzzer generates valid test cases with 1.5x fewer runtime errors, while also improving edge coverage (2.082%) and key-operation coverage (6.452%), when compared with state-of-the-art JS engine fuzzers. KOP-Fuzzer discovered a total of 21 new bugs in ChakraCore and JavaScriptCore, of which 16 are caused by the engine's incorrect handling of key operations and 5 are caused by type confusions.
Keywords
fuzzing, software testing, type confusion, javascript engine