javascript fuzzing


Han Choongwoo

Feb 12, 2015, 3:12:34 AM
to afl-...@googlegroups.com
Hi.

I want to share my experiences.

I tried to make an afl-fuzz specialized for JavaScript during a winter internship at Naver Corp.

Here is my repo:
https://github.com/tunz/afl-fuzz-js
(It's from version 1.06b, plus some of 1.18b)

I implemented three things:
1. Extract an auto dictionary using comments.
2. Sometimes use a threshold to ignore small flow changes.
3. Find the start position (skip initialization) for better performance.

To find the start position, I used ptrace.
First, find the position which opens or reads my input.
After finding it, restart and set up the fork server right before the found position.
Through this, performance increases 2x ~ 3x in JavaScriptCore of WebKit.

But this method is not general.
For example, it does not work on V8, because of isolates? I don't know..
Also, there are many other cases we cannot expect.
So, I added a function so that the user can define the start position himself.
I think it is good enough if it cannot be done automatically.

Whatever, it works well in JavaScriptCore.

I found some crashes like
----
var{A}
----
function f(arguments) {
var arguments;
f.apply(null, ['']);
}
f('')
----
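Item 2 in the list above is a change to how AFL decides that a run is "interesting". AFL already collapses raw edge hit counts into power-of-two buckets (its count_class_lookup table), so a loop running 9 instead of 10 times is not a new path; Han's threshold goes one step further and discards runs whose only novelty is a few changed buckets. The following Python model is an added illustration, not code from afl-fuzz-js or from AFL: the bucket boundaries and the 2/1/0 return codes mirror AFL's has_new_bits(), while the exact threshold rule (reject a run that has no never-seen edge and fewer than `min_new` changed buckets) is an assumption about what "ignore small flow changes" could mean, since the post does not spell it out.

```python
"""AFL-style hit-count bucketing plus an assumed change threshold.

Added illustration, not code from afl-fuzz-js or AFL. Bucket boundaries follow
AFL's count_class_lookup; the threshold rule is an assumption, not Han's exact
implementation.
"""
from typing import Dict, List

MAP_SIZE = 64  # constructed: real AFL maps have 65536 entries


def classify_count(n: int) -> int:
    """AFL hit-count classes: 0,1,2,3,4-7,8-15,16-31,32-127,128+ -> one bit each."""
    if n == 0:
        return 0
    if n == 1:
        return 1
    if n == 2:
        return 2
    if n == 3:
        return 4
    if n <= 7:
        return 8
    if n <= 15:
        return 16
    if n <= 31:
        return 32
    if n <= 127:
        return 64
    return 128


def classify_counts(trace: List[int]) -> List[int]:
    return [classify_count(c) for c in trace]


def new_virgin() -> List[int]:
    """Virgin map: every bucket bit of every edge still unseen (0xFF)."""
    return [0xFF] * MAP_SIZE


def make_trace(hits: Dict[int, int]) -> List[int]:
    """Constructed coverage map from {edge_index: raw_hit_count}."""
    trace = [0] * MAP_SIZE
    for idx, n in hits.items():
        trace[idx] = n
    return trace


def has_new_bits(virgin: List[int], trace: List[int]) -> int:
    """Mirror of AFL's has_new_bits(): 2 = never-seen edge, 1 = only a new
    hit-count bucket on a known edge, 0 = nothing new. Updates virgin in place."""
    ret = 0
    for i, cls in enumerate(classify_counts(trace)):
        if cls and (virgin[i] & cls):
            if virgin[i] == 0xFF:
                ret = 2           # whole edge unseen before; 2 sticks once set
            elif ret < 1:
                ret = 1           # known edge, new bucket
            virgin[i] &= ~cls & 0xFF
    return ret


def has_new_bits_threshold(virgin: List[int], trace: List[int], min_new: int = 1) -> int:
    """Assumed threshold rule: a run with no brand-new edge and fewer than
    min_new changed buckets is treated as noise and leaves virgin untouched."""
    new_edges = new_counts = 0
    for i, cls in enumerate(classify_counts(trace)):
        if cls and (virgin[i] & cls):
            if virgin[i] == 0xFF:
                new_edges += 1
            else:
                new_counts += 1
    if new_edges == 0 and new_counts < min_new:
        return 0
    return has_new_bits(virgin, trace)


if __name__ == "__main__":
    v = new_virgin()
    print(has_new_bits(v, make_trace({3: 1, 5: 1})))                     # 2: new edges
    print(has_new_bits_threshold(v, make_trace({3: 20, 5: 1}), 2))        # 0: one bucket changed, ignored
    print(has_new_bits_threshold(v, make_trace({3: 5, 5: 9}), 2))         # 1: two buckets changed
```

Because the rejected run never touches the virgin map, a later run that changes the same bucket together with others is still counted; the threshold only delays acceptance of low-signal paths, it does not hide them permanently.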

Michal Zalewski

Feb 12, 2015, 3:28:56 AM
to afl-users
> https://github.com/tunz/afl-fuzz-js

Thanks for sharing!

> through this, performance increases 2x ~ 3x in JavaScriptCore of Webkit.
> But, This method is not for general.
> For example, it does not work on v8, because of isolate? I don't know..

JSC can be convinced to run as a single thread; V8... well, I haven't
found a way. It's possible that this is the part causing problems for
you: AFL fork server can't replicate threads (an unfortunate
limitation of un*x), so if your stop point is after any important
threads have been spawned, the whole thing will malfunction :-(
Nice :-)

/mz
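The limitation Michal describes (fork() copies only the calling thread, so a fork server started after the target has spawned helper threads hands every child a process in which those helpers no longer exist) can be reproduced without any fuzzer at all. The script below is an added illustration in Python, not AFL code: a constructed helper thread stands in for an engine's JIT or GC thread, the parent proves the helper answers requests, then forks and asks the child to make the same request, which times out because nobody is left to service the queue.

```python
"""Why a fork server placed after thread creation malfunctions.

Added illustration, not AFL code. The helper thread is a constructed stand-in
for a JS engine's background thread. POSIX only (uses os.fork).
"""
import json
import os
import queue
import threading
import time
from typing import Dict, Tuple


def start_helper() -> Tuple[queue.Queue, queue.Queue]:
    """Constructed background worker: doubles whatever it is handed."""
    requests: queue.Queue = queue.Queue()
    replies: queue.Queue = queue.Queue()

    def worker() -> None:
        while True:
            item = requests.get()
            if item is None:
                return
            replies.put(item * 2)

    threading.Thread(target=worker, daemon=True).start()
    return requests, replies


def ask(requests: queue.Queue, replies: queue.Queue, value: int, timeout: float = 0.5):
    """Send a request; None means no thread serviced it within the timeout."""
    requests.put(value)
    try:
        return replies.get(timeout=timeout)
    except queue.Empty:
        return None


def fork_after_threads() -> Dict[str, object]:
    requests, replies = start_helper()
    parent_threads = threading.active_count()
    parent_reply = ask(requests, replies, 21)
    time.sleep(0.05)  # let the worker settle back into requests.get() before forking

    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: only the thread that called fork() was duplicated. The helper
        # thread is gone, so the same request is never answered.
        os.close(r)
        result = {
            "child_threads": threading.active_count(),
            "child_reply": ask(requests, replies, 21),
        }
        os.write(w, json.dumps(result).encode())
        os._exit(0)

    os.close(w)
    raw = b""
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        raw += chunk
    os.close(r)
    os.waitpid(pid, 0)
    child = json.loads(raw.decode())
    return {"parent_threads": parent_threads, "parent_reply": parent_reply, **child}


if __name__ == "__main__":
    print(fork_after_threads())
```

In a real target the symptom is rarely this clean: a child that blocks on a lock a vanished thread held, or one that crashes when it touches per-thread state, looks like a bug in the instrumentation rather than in the placement of the fork point. Checking the thread count at the intended start position before enabling the fork server is the quick diagnostic.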

Thomas Jarosch

Feb 12, 2015, 5:10:11 PM
to afl-...@googlegroups.com
Hi,

On 02/12/2015 09:12 AM, Han Choongwoo wrote:
> here is my repo:
> https://github.com/tunz/afl-fuzz-js
> (It's from version 1.06b and some 1.18b)

one question regarding this commit:
https://github.com/tunz/afl-fuzz-js/commit/a9fa1f3c53681d1600babaf556f6ccf1173cc821

It adds support to disable ASLR. Was that needed
for the user defined start point support? Any other benefit?

Cheers,
Thomas

Han Choongwoo

Feb 12, 2015, 8:01:53 PM
to afl-...@googlegroups.com

> It adds support to disable ASLR. Was that needed
> for the user defined start point support? Any other benefit?

In my implementation, it finds the start address for the fork server.
But the address can change if ASLR is enabled
(e.g., if the found point is in a library, or if PIE is enabled, ...),
so I disabled ASLR for these cases.
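The instability Han describes can be observed directly: launch the same program twice and compare where libc landed. The script below is an added illustration, not code from afl-fuzz-js. It starts a small child Python program that prints the address of libc's `malloc`, once per run; with ASLR on the two addresses normally differ, and when `personality(ADDR_NO_RANDOMIZE)` is called in the child right before exec (the same mechanism `setarch -R` uses) they match, which is what makes a found start address usable as a fixed fork-server breakpoint. It is Linux-only, and because some sandboxes refuse that personality() call, the result reports the refusal rather than failing.

```python
"""Load-address stability with and without ASLR, via personality().

Added illustration, not code from afl-fuzz-js. Linux only.
"""
import ctypes
import subprocess
import sys
from typing import Dict

ADDR_NO_RANDOMIZE = 0x0040000  # from <sys/personality.h>

# Constructed child program: prints the resolved address of libc's malloc.
CHILD_PROGRAM = (
    "import ctypes; "
    "print(ctypes.cast(ctypes.CDLL(None).malloc, ctypes.c_void_p).value)"
)


def aslr_setting() -> str:
    """Kernel-wide knob: 0 = off, 1 = stack/mmap randomised, 2 = brk too."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return f.read().strip()
    except OSError:
        return "unknown"


def _disable_aslr_in_child() -> None:
    """Runs between fork and exec; the persona flag survives execve."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.personality(ADDR_NO_RANDOMIZE) == -1:
        raise OSError(ctypes.get_errno(), "personality() refused")


def libc_address(disable_aslr: bool) -> int:
    run = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM],
        preexec_fn=_disable_aslr_in_child if disable_aslr else None,
        capture_output=True, text=True, check=True,
    )
    return int(run.stdout.strip())


def compare(disable_aslr: bool, runs: int = 2) -> Dict[str, object]:
    """Run the child several times and report whether libc's address moved."""
    try:
        addrs = [libc_address(disable_aslr) for _ in range(runs)]
    except (subprocess.SubprocessError, OSError) as e:
        return {"ok": False, "error": str(e), "addresses": []}
    return {"ok": True, "addresses": addrs, "stable": len(set(addrs)) == 1}


if __name__ == "__main__":
    print("randomize_va_space =", aslr_setting())
    print("ASLR on :", compare(disable_aslr=False))
    print("ASLR off:", compare(disable_aslr=True))
```

Disabling randomisation only for the fuzzing child (per-process persona) is preferable to writing 0 into randomize_va_space, which would weaken every other process on the machine for the duration of the campaign.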

adi t

May 31, 2020, 12:10:39 PM
to afl-users
Hi Michal,

I know this is an old post, but do you remember how JSC can be convinced to run single-threaded?

I've been messing with this for a while now, and I think this is the reason it messes up my instrumentation. Thank you!

Destiny Granger-Kelley

Jun 6, 2020, 4:40:19 AM
to afl-users
Screenshot_20200606-012911.png
Screenshot_20200606-010620.png
Screenshot_20200605-222945.png
Screenshot_20200605-220608.png