Research on a Fuzzing Method for JavaScript Engines Based on Dynamic Semantic Feedback#br#

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (11): 1031-.

Previous Articles Next Articles

Research on a Fuzzing Method for JavaScript Engines Based on Dynamic Semantic Feedback#br#

Liu Boqiang and Chen Zemao

(School of Cyber Science and Engineering, Wuhan University, Wuhan 430072)
(Key Laboratory of Aerospace Information Security and Trusted Computing(Wuhan University), Ministry of Education, Wuhan 430072)

Online:2025-11-27 Published:2025-11-27

基于动态语义反馈的JavaScript引擎模糊测试方法研究

刘博强陈泽茂

(武汉大学国家网络安全学院武汉430072)
(空天信息安全与可信计算教育部重点实验室(武汉大学)武汉430072)

通讯作者: 陈泽茂博士，教授，博士生导师.主要研究方向为信息物理系统安全、可信计算和信息安全. chenzemao@whu.edu.cn
作者简介:刘博强硕士.主要研究方向为软件安全、漏洞挖掘. 3303972348@qq.com 陈泽茂博士，教授，博士生导师.主要研究方向为信息物理系统安全、可信计算和信息安全. chenzemao@whu.edu.cn

Abstract

Abstract: JavaScript is extensively utilized in development scenarios such as servers and embedded devices. As the compiler and executor of JavaScript, the JavaScript engine is particularly vulnerable to security flaws, which can easily result in significant security incidents. Consequently, JavaScript engines fuzzing has been a research hotspot. However, existing fuzzing techniques for JavaScript engines often suffer from issues such as low test case validity and insufficient diversity. To address these challenges, this paper introduces a novel fuzzing approach grounded in dynamic semantic feedback. By dynamically collecting, analyzing, and feeding back runtime semantic information, the proposed method improves the validity of test cases. On this basis, the mutation strategies of expression replacement and function creation are employed to enhance the syntactic exploration capability of the test cases. This paper implemented a prototype system, DSFfuzz. In a comparative fuzzing experiments using the JerryScript engine, DSFfuzz demonstrated an average improvement of 11.81% in test case validity compared to three stateoftheart approaches and identified the highest number of crashes, including 15 unique ones. These results validate the effectiveness of the proposed method.

Key words: JavaScript engine, fuzzing, abstract syntax tree, code brick assembly, dynamic semantic feedback

摘要： JavaScript在服务器、嵌入式设备等开发场景中广泛应用，JavaScript引擎作为其编译和执行器，其中的安全漏洞极易引发大范围安全事件，因此针对JavaScript引擎的模糊测试成为研究热点.现有JavaScript引擎模糊测试技术生成的测试用例存在有效率低、多样性不足等问题.针对这些问题，提出一种基于动态语义反馈的模糊测试方法，通过运行时语义信息的动态收集、分析和反馈机制辅助测试用例生成，提高测试用例的有效率.在此基础上，采用表达式替换和函数创建等用例变异策略，提高测试用例的语法探索能力.实现了JavaScript引擎模糊测试原型系统DSFfuzz，在JerryScript引擎的模糊测试对比实验中，DSFfuzz相较于3个先进工作测试用例有效率平均提升了11.81%，且触发的独特崩溃最多，发现了15个独特崩溃，证明了该方法的有效性.

关键词: JavaScript引擎, 模糊测试, 抽象语法树, 代码块组装, 动态语义反馈

CLC Number:

TP393

刘博强, 陈泽茂, . 基于动态语义反馈的JavaScript引擎模糊测试方法研究[J]. 信息安全研究, 2025, 11(11): 1031-.

References

［1］Wang Junjie, Chen Bihuan, Wei Lei, et al. Superion: Grammaraware greybox fuzzing［C］ Proc of the 41st IEEEACM Int Conf on Software Engineering (ICSE). Piscataway, NJ: IEEE, 2019: 724735［2］Gro S, Koch S, Bernhard L, et al. Fuzzilli: Fuzzing for javascript JIT compiler vulnerabilities［C］ Proc of Network and Distributed Systems Security (NDSS) Symposium. San Diego, CA: Internet Society, 2023［3］Ye Guixin, Hu Tianmin, Tang Zhanyong, et al. A generative and mutational approach for synthesizing bugexposing test cases to guide compiler fuzzing［C］ Proc of the 31st ACM Joint European Software Engineering Conf and Symp on the Foundations of Software Engineering. New York: ACM, 2023: 11271139［4］Dinh S T, Cho H, Martin K, et al. Favocado: Fuzzing the binding code of javascript engines using semantically correct test cases［C］ Proc of the Network and Distributed System Security (NDSS) Symposium. San Diego, CA: Internet Society, 2021［5］汪美琴, 夏旸, 贾琼, 等. 模糊测试技术的研究进展与挑战［J］. 信息安全研究, 2024, 10(7): 668674［6］王洪义, 沙乐天. 基于静态分析和模糊测试的路由器漏洞检测方法［J］. 信息安全研究, 2024, 10(1): 4047［7］Park S, Xu W, Yun I, et al. Fuzzing javascript engines with aspectpreserving mutation［C］ Proc of the 2020 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2020: 16291642［8］Ye Guixin, Tang Zhanyong, Tan Shin Hwei, et al. Automated conformance testing for javascript engines via deep compiler fuzzing［C］ Proc of the 42nd ACM SIGPLAN Int Conf on Programming Language Design and Implementation. New York: ACM, 2021: 435450［9］He Xiaoyu, Xie Xiaofei, Li Yuekang, et al. SoFi: Reflectionaugmented fuzzing for javascript engines［C］ Proc of the 2021 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2021: 22292242［10］Ma Haoyang. A survey of modern compiler fuzzing［J］. arXiv preprint, arXiv:2306.06884, 2023［11］Xu H, Jiang Z, Wang Y, et al. Fuzzing JavaScript engines with a graphbased IR［C］ Proc of the 2024 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2024: 37343748［12］Wang Junjie, Zhang Zhiyi, Liu Shuang, et al. FuzzJIT: Oracleenhanced fuzzing for JavaScript engine JIT compiler［C］ Proc of the 32nd USENIX Security Symposium (USENIX Security 23). Berkeley, CA: USENIX Association, 2023: 18651882［13］Han H S, Oh D H, Cha S K. CodeAlchemist: Semanticsaware code generation to find vulnerabilities in javaScript engines［C］ Proc of the Network and Distributed System Security (NDSS) Symposium. San Diego, CA: Internet Society, 2019［14］Sebastien R. dotnetesprima［CPOL］. ［20240409］. https:github.comsebastienrosesprimadotnet［15］Michal Z. Americanfuzzy lop［CPOL］. ［20210705］. https:github.comgoogleAFL

[1]	. A Spectre Vulnerability Detection Method Integrating Fuzzing and #br# Taint Analysis#br# [J]. Journal of Information Security Reserach, 2025, 11(9): 822-.
[2]	. A Buildin Fuzzing Framework for Opensource BMC Firmware [J]. Journal of Information Security Reserach, 2025, 11(7): 611-.
[3]	. Router Vulnerability Detection Method Based on Static Analysis and Fuzzing [J]. Journal of Information Security Reserach, 2024, 10(1): 40-.
[4]	. Survey of Coverage-guided Grey-box Fuzzing [J]. Journal of Information Security Reserach, 2022, 8(7): 643-.
[5]	. Research on Source Code Vulnerability Detection Based on Abstract Syntax Tree Compression Coding [J]. Journal of Information Security Reserach, 2022, 8(1): 35-.
[6]	. A High Code Coverage Static and Dyamic Combined Fuzzing Method [J]. Journal of Information Security Research, 2016, 2(8): 699-705.
[7]	Sun Wei Chen Lin. A C# Source Code SQL Injection Attack Detection Algorithm Based on Abstract Syntax Tree [J]. Journal of Information Security Research, 2015, 1(2): 112-125.

Research on a Fuzzing Method for JavaScript Engines Based on Dynamic Semantic Feedback#br#

基于动态语义反馈的JavaScript引擎模糊测试方法研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 7

Recommended Articles

Metrics