Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/timobrembeck/jit-fuzzer

A fuzzing setup for JS JIT compilers, implemented for the JavaScriptCore (webkit) engine.

afl afl-fuzz afl-fuzzer aflpluspplus fuzz-testing fuzzilli fuzzing javascriptcore jit-compiler qemu webkit


README


[![Docker](https://img.shields.io/badge/DockerHub-timoludwig%2Fjit--fuzzer-blue?logo=docker)](https://hub.docker.com/r/timoludwig/jit-fuzzer)
[![License](https://img.shields.io/badge/License-GPL%203.0-green.svg)](https://opensource.org/licenses/GPL-3.0)

## :warning: This project is no longer maintained

For current research on this topic, see for example:
- Bernhard, L., Scharnowski, T., Schloegel, M., Blazytko, T., & Holz, T. (2022). __JIT-Picking: Differential Fuzzing of JavaScript Engines.__ _Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security._ https://doi.org/10.1145/3548606.3560624
- Groß, S., Koch, S., Bernhard, L., Holz, T., & Johns, M. (2023). __Fuzzilli: Fuzzing for JavaScript Jit Compiler vulnerabilities.__ _Proceedings 2023 Network and Distributed System Security Symposium._ https://doi.org/10.14722/ndss.2023.24290

# jit-fuzzer

A fuzzing setup for JS JIT compilers using a combination of Fuzzilli and AFLplusplus, implemented for the JavaScriptCore (WebKit) engine.

## Quickstart

You can use the pre-built docker image hosted on [Docker Hub](https://hub.docker.com/repository/docker/timoludwig/jit-fuzzer):

```
docker pull timoludwig/jit-fuzzer
docker run --name jit-fuzzer timoludwig/jit-fuzzer
```

## Detailed instructions

Clone the repository including its submodules:

| Protocol | Command |
| -------- | --------------------------------------------------------------------------------------- |
| HTTPS | `git clone --recurse-submodules --jobs 3 https://github.com/timoludwig/jit-fuzzer.git` |
| SSH | `git clone --recurse-submodules --jobs 3 git@github.com:timoludwig/jit-fuzzer.git` |

Pull new commits including submodules:

```
git pull
git submodule update --jobs 3
```

If you want to modify and/or build the project yourself, you have the choice between Docker and a native Linux installation:

| Step | Docker | Native Linux |
| ---- | ------ | ------------ |
| Compile patched versions of Fuzzilli, AFLplusplus and WebKit (this may take a while, even on modern hardware) | `docker build -t jit-fuzzer .` | `make` |
| Generate interesting JS samples with Fuzzilli and fuzz their JIT-compiled code in AFL | First run (create a container from the image): `docker run --name jit-fuzzer jit-fuzzer`<br>Subsequent runs (start the existing container and follow its output): `docker start jit-fuzzer` followed by `docker logs -f jit-fuzzer` | `./fuzz.sh` |

## How does it work?
[![Control-flow graph](https://github.com/timoludwig/jit-fuzzer/raw/assets/jit-fuzzer.svg)](https://github.com/timoludwig/jit-fuzzer/blob/assets/jit-fuzzer.svg)