子树类型敏感的JavaScript引擎灰盒测试技术

王聪冲; 甘水滔; 王晓锋

引用本文：

王聪冲,甘水滔,王晓锋.子树类型敏感的JavaScript引擎灰盒测试技术[J].信息安全学报,2021,6(4):119-131 [点击复制]
WANG Congchong,GAN Shuitao,WANG Xiaofeng.Subtree Type Sensitive Greybox Testing Technique of JavaScript Engines[J].Journal of Cyber Security,2021,6(4):119-131 [点击复制]

本文已被：浏览 3995次下载 3485次	码上扫一扫！
子树类型敏感的JavaScript引擎灰盒测试技术
王聪冲¹, 甘水滔², 王晓锋¹
0 字体:加大+\|默认\|缩小-
(1.江南大学人工智能与计算机学院无锡中国 214122;2.数字工程与先进计算国家重点实验室无锡中国 214083)

摘要:

JavaScript引擎是浏览器的重要组成部分，很多攻击都针对JavaScript引擎发起，业界对面向JavaScript引擎的漏洞挖掘技术一直展现出强烈的需求。本文提出一种面向JavaScript引擎的子树类型敏感灰盒测试技术，并且实现了系统ILS，在路径反馈的模糊测试框架上，通过对JavaScript代码的语法分析，构建子树类型敏感的变异策略，能够大幅提升测试种子的有效率，从而驱动更高的代码覆盖能力和漏洞发现能力。通过将ILS和多个主流JavaScript引擎漏洞挖掘工具Superion、CodeAlchemist进行性能对比，在Jerryscript、ChakraCore和JavaScriptCore等典型JavaScript引擎对象上的测试实验表明：ILS在24 h内，其种子测试有效率上提升36%，代码行覆盖率上能提升72%，代码函数覆盖率上能提升80%，漏洞发现效率上提升100%。最后，ILS在这3个JavaScript引擎总共发现26个未知Bug，并得到厂商的确认和修复。

关键词: 路径反馈模糊测试 JavaScript引擎抽象语法树子树类型敏感

DOI：10.19363/J.cnki.cn10-1380/tn.2021.07.08

投稿时间：2020-09-18修订日期：2020-12-11

基金项目:本课题得到国家自然科学基金项目（No.61672264，No.61972182），国家重点研发计划项目（No.2016YFB0800305）资助。

Subtree Type Sensitive Greybox Testing Technique of JavaScript Engines

WANG Congchong¹, GAN Shuitao², WANG Xiaofeng¹

(1.School of Artificial Intelligence and Computer Science, Jiangnan University, Wuxi 214122, China;2.State Key of Laboratory of Mathematical Engineering and Advanced Computing, Wuxi 214083, China)

Abstract:

JavaScript engine is critical part of any browser. Many attacks of browser are launched from JavaScript engine that bringing strong demand to industry for vulnerability analysis of JavaScript engine. In this paper, we propose a new subtree type-sensitive gray box testing technology for JavaScript engine, and implement a prototype System that called ILS. Through designing a subtree type sensitive mutation strategy based on the path feedback fuzzing framework with syntax analysis on JavaScript code, ILS could greatly improve the effectiveness of test cases generation, that driving higher code coverage and vulnerability discovery capabilities. By comparing ILS with other typical tools Superion and CodeAlchemist on three familiar JavaScript engines (i.e., Jerryscript,ChaKraCore and JavaScriptCore), ILS could reach 36% more seed generation efficiency, 72% more line coverage, 80% more function coverage, and find 100% more bugs in 24 hours. Moreover, ILS found 26 new bugs in this three JavaScript engines.

Key words: path feedback fuzzing JavaScript engine abstract syntax tree subtree type-sensitive