Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
Suyoung Lee, HyungSeok Han, Sang Kil Cha, Sooel Son

TL;DR
Montage is a novel neural network language model-guided fuzzer that effectively detects JavaScript engine vulnerabilities by transforming ASTs into sequences for training, outperforming previous methods and discovering multiple real-world bugs.
Contribution
This paper introduces Montage, the first NNLM-guided JavaScript fuzzer that transforms ASTs into sequences for effective vulnerability detection.
Findings
Montage found 37 real-world bugs, including three CVEs.
It outperforms previous fuzzing techniques in vulnerability discovery.
Montage can generate valid JavaScript tests from AST sequences.
Abstract
JavaScript (JS) engine vulnerabilities pose significant security threats affecting billions of web browsers. While fuzzing is a prevalent technique for finding such vulnerabilities, there have been few studies that leverage the recent advances in neural network language models (NNLMs). In this paper, we present Montage, the first NNLM-guided fuzzer for finding JS engine vulnerabilities. The key aspect of our technique is to transform a JS abstract syntax tree (AST) into a sequence of AST subtrees that can directly train prevailing NNLMs. We demonstrate that Montage is capable of generating valid JS tests, and show that it outperforms previous studies in terms of finding vulnerabilities. Montage found 37 real-world bugs, including three CVEs, in the latest JS engines, demonstrating its efficacy in finding JS engine bugs.
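As an added illustration of the AST-to-sequence step the abstract describes (this is example code written for this page, not Montage's own implementation), the following Python cuts a small ESTree-style JS AST into depth-1 subtrees, each child replaced by a placeholder carrying only its node type, and emits them in pre-order. The inverse function rebuilds the tree from that sequence, which is what makes the sequence usable both as NNLM training data and as something a generated sequence can be turned back into a JS test. The sample AST for `var x = 1 + 2; foo(x);`, the exact fragment shape, and the `to_js` serializer are all assumptions made for this example.

```python
from __future__ import annotations
import json
from typing import Any

# Constructed ESTree-style AST for `var x = 1 + 2; foo(x);` (hand-written
# for this example, not produced by the paper's tooling).
SAMPLE_AST: dict[str, Any] = {
    "type": "Program",
    "body": [
        {"type": "VariableDeclaration", "kind": "var",
         "declarations": [
             {"type": "VariableDeclarator",
              "id": {"type": "Identifier", "name": "x"},
              "init": {"type": "BinaryExpression", "operator": "+",
                       "left": {"type": "Literal", "value": 1},
                       "right": {"type": "Literal", "value": 2}}}]},
        {"type": "ExpressionStatement",
         "expression": {"type": "CallExpression",
                        "callee": {"type": "Identifier", "name": "foo"},
                        "arguments": [{"type": "Identifier", "name": "x"}]}},
    ],
}

def _is_node(v: Any) -> bool:
    return isinstance(v, dict) and "type" in v

def _children(node: dict) -> list[dict]:
    """Child nodes in field order (dict fields first-come, list items in order)."""
    out = []
    for val in node.values():
        if _is_node(val):
            out.append(val)
        elif isinstance(val, list):
            out.extend(it for it in val if _is_node(it))
    return out

def fragmentize(node: dict) -> list[dict]:
    """Flatten an AST into a pre-order list of depth-1 fragments.
    A fragment keeps the node's own attributes and replaces every child
    with a placeholder that records only the child's type (assumed shape)."""
    frag: dict[str, Any] = {}
    for key, val in node.items():
        if _is_node(val):
            frag[key] = {"type": val["type"]}
        elif isinstance(val, list):
            frag[key] = [{"type": it["type"]} if _is_node(it) else it for it in val]
        else:
            frag[key] = val
    seq = [frag]
    for child in _children(node):
        seq.extend(fragmentize(child))
    return seq

def fragment_key(frag: dict) -> str:
    """Canonical string for a fragment; this is the token an NNLM would learn."""
    return json.dumps(frag, sort_keys=True)

def assemble(seq: list[dict]) -> dict:
    """Inverse of fragmentize: rebuild the tree by consuming fragments in pre-order."""
    it = iter(seq)

    def build() -> dict:
        frag = next(it)
        node: dict[str, Any] = {}
        for key, val in frag.items():
            if _is_node(val):            # placeholder -> next fragment in sequence
                node[key] = build()
            elif isinstance(val, list):
                node[key] = [build() if _is_node(x) else x for x in val]
            else:
                node[key] = val
        return node

    tree = build()
    if next(it, None) is not None:       # leftovers mean the sequence was malformed
        raise ValueError("trailing fragments after the tree was complete")
    return tree

def to_js(node: dict) -> str:
    """Serialize the small node subset used above back into JS source."""
    t = node["type"]
    if t == "Program":
        return " ".join(to_js(s) for s in node["body"])
    if t == "VariableDeclaration":
        return f"{node['kind']} " + ", ".join(to_js(d) for d in node["declarations"]) + ";"
    if t == "VariableDeclarator":
        return f"{to_js(node['id'])} = {to_js(node['init'])}"
    if t == "BinaryExpression":
        return f"{to_js(node['left'])} {node['operator']} {to_js(node['right'])}"
    if t == "ExpressionStatement":
        return to_js(node["expression"]) + ";"
    if t == "CallExpression":
        return f"{to_js(node['callee'])}({', '.join(to_js(a) for a in node['arguments'])})"
    if t == "Identifier":
        return node["name"]
    if t == "Literal":
        return json.dumps(node["value"])
    raise ValueError(f"unsupported node type: {t}")

if __name__ == "__main__":
    seq = fragmentize(SAMPLE_AST)
    for frag in seq:
        print(fragment_key(frag))
    print(to_js(assemble(seq)))
```

Each fragment key is one vocabulary item, so a model trained on many such sequences learns which fragment tends to follow which; the round trip through `assemble` and `to_js` is the check that a predicted sequence still describes a well-formed program.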
Taxonomy
Topics: Software Testing and Debugging Techniques · Software Engineering Research · Web Application Security Vulnerabilities
