{"id":20015167,"url":"https://github.com/timobrembeck/jit-fuzzer","last_synced_at":"2025-05-04T22:31:28.971Z","repository":{"id":198573269,"uuid":"248749568","full_name":"timobrembeck/jit-fuzzer","owner":"timobrembeck","description":"A fuzzing setup for JS JIT compilers, implemented for the JavaScriptCore (webkit) engine.","archived":false,"fork":false,"pushed_at":"2023-03-14T18:10:58.000Z","size":145,"stargazers_count":9,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"develop","last_synced_at":"2025-04-08T12:51:47.832Z","etag":null,"topics":["afl","afl-fuzz","afl-fuzzer","aflpluspplus","fuzz-testing","fuzzilli","fuzzing","javascriptcore","jit-compiler","qemu","webkit"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/timobrembeck.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-03-20T12:26:24.000Z","updated_at":"2024-08-05T17:17:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"c2f257f2-9ad4-4aef-8e49-71db16d9a141","html_url":"https://github.com/timobrembeck/jit-fuzzer","commit_stats":null,"previous_names":["timobrembeck/jit-fuzzer"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timobrembeck%2Fjit-fuzzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timobrembeck%2Fjit-fuzzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timobrembeck%2Fjit-fuzzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timobrembeck%2Fjit-fuzzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/timobrembeck","download_url":"https://codeload.github.com/timobrembeck/jit-fuzzer/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252408253,"owners_count":21743081,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afl","afl-fuzz","afl-fuzzer","aflpluspplus","fuzz-testing","fuzzilli","fuzzing","javascriptcore","jit-compiler","qemu","webkit"],"created_at":"2024-11-13T07:45:05.548Z","updated_at":"2025-05-04T22:31:28.642Z","avatar_url":"https://github.com/timobrembeck.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Docker](https://img.shields.io/badge/DockerHub-timoludwig%2Fjit--fuzzer-blue?logo=docker)](https://hub.docker.com/r/timoludwig/jit-fuzzer)\n[![License](https://img.shields.io/badge/License-GPL%203.0-green.svg)](https://opensource.org/licenses/GPL-3.0)\n\n## :warning: This project is no longer maintained\n\nFor current research on this topic, see for example:\n- Bernhard, L., Scharnowski, T., Schloegel, M., Blazytko, T., \u0026amp; Holz, T. (2022). __JIT-Picking: Differential Fuzzing of JavaScript Engines.__ _Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security._ https://doi.org/10.1145/3548606.3560624 \n- Groß, S., Koch, S., Bernhard, L., Holz, T., \u0026amp; Johns, M. (2023). __Fuzzilli: Fuzzing for JavaScript Jit Compiler vulnerabilities.__ _Proceedings 2023 Network and Distributed System Security Symposium._ https://doi.org/10.14722/ndss.2023.24290\n\n# jit-fuzzer\n\nA fuzzing setup for JS JIT compilers using a combination of Fuzzilli and AFLplusplus, implemented for the JavaScriptCore (WebKit) engine.\n\n## Quickstart\n\nYou can use the pre-built docker image hosted on [Docker Hub](https://hub.docker.com/repository/docker/timoludwig/jit-fuzzer):\n\n```\ndocker pull timoludwig/jit-fuzzer\ndocker run --name jit-fuzzer timoludwig/jit-fuzzer\n```\n\n## Detailed instructions\n\nClone the repository including its submodules:\n\n| Protocol | Command                                                                                 |\n| -------- | --------------------------------------------------------------------------------------- |\n| HTTPS    | `git clone --recurse-submodules --jobs 3 https://github.com/timoludwig/jit-fuzzer.git`  |\n| SSH      | `git clone --recurse-submodules --jobs 3 git@github.com:timoludwig/jit-fuzzer.git`      |\n\nPull new commits including submodules:\n\n```\ngit pull\ngit submodule update --jobs 3\n```\n\nIf you want to modify and/or build the project yourself, you have the choice between Docker and a native Linux installation:\n\n\u003ctable\u003e\n    \u003cthead\u003e\n        \u003ctr\u003e\n            \u003cth\u003e\u003c/th\u003e\n            \u003cth\u003eDocker\u003c/th\u003e\n            \u003cth\u003eNative Linux\u003c/th\u003e\n        \u003c/tr\u003e\n    \u003c/thead\u003e\n    \u003ctbody\u003e\n        \u003ctr\u003e\n            \u003ctd\u003eCompile patched versions of Fuzzilli, AFLplusplus and WebKit (this may take a while, even on modern hardware):\u003c/td\u003e\n            \u003ctd\u003e\n\u003cpre style=\"margin: 0; line-height: 125%\"\u003e\ndocker build -t jit-fuzzer .\n\u003c/pre\u003e\n            \u003c/td\u003e\n            \u003ctd\u003e\n\u003cpre style=\"margin: 0; line-height: 125%\"\u003e\nmake\n\u003c/pre\u003e\n            \u003c/td\u003e\n        \u003c/tr\u003e\n        \u003ctr\u003e\n            \u003ctd\u003eGenerate interesting js samples with Fuzzilli and fuzz their JIT-compiled code in AFL:\u003c/td\u003e\n            \u003ctd\u003e\n                First run (create container from image):\n\u003cpre style=\"margin: 0; line-height: 125%\"\u003e\ndocker run --name jit-fuzzer jit-fuzzer\n\u003c/pre\u003e\n                Subsequent runs (start of existing container):\n\u003cpre style=\"margin: 0; line-height: 125%\"\u003e\ndocker start jit-fuzzer\ndocker logs -f jit-fuzzer\n\u003c/pre\u003e\n            \u003c/td\u003e\n            \u003ctd\u003e\n                \u003cdiv style=\"background: #ffffff; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;\"\u003e\n\u003cpre style=\"margin: 0; line-height: 125%\"\u003e\n./fuzz.sh\n\u003c/pre\u003e\n                \u003c/div\u003e\n            \u003c/td\u003e\n        \u003c/tr\u003e\n    \u003c/tbody\u003e\n\u003c/table\u003e\n\n## How does it work?\n[![Control-flow graph](https://github.com/timoludwig/jit-fuzzer/raw/assets/jit-fuzzer.svg)](https://github.com/timoludwig/jit-fuzzer/blob/assets/jit-fuzzer.svg)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimobrembeck%2Fjit-fuzzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftimobrembeck%2Fjit-fuzzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimobrembeck%2Fjit-fuzzer/lists"}