PatchFuzz: Patch Fuzzing for JavaScript Engines
Junjie Wang, Yuhan Ma, Xiaofei Xie, Xiaoning Du, Xiangwei Zhang

TL;DR
PatchFuzz is an automated JavaScript engine patch fuzzing tool that efficiently uncovers vulnerabilities by leveraging historical PoCs and patches, leading to the discovery of 54 bugs and significant bug bounty rewards.
Contribution
It introduces an end-to-end automated approach for JavaScript engine patch fuzzing that improves vulnerability detection by utilizing historical PoCs and targeted fuzzing strategies.
Findings
Discovered 54 bugs across six JavaScript engines.
Received over $62,500 in bug bounties.
Effectively automates PoC collection and targeted fuzzing.
Abstract
Patch fuzzing is a technique aimed at identifying vulnerabilities that arise from newly patched code. While researchers have made efforts to apply patch fuzzing to the testing of JavaScript engines with considerable success, these efforts have been limited to using ordinary test cases or publicly available vulnerability PoCs (Proofs of Concept) as seeds, and the sustainability of these approaches is hindered by the challenges of automating PoC collection. To address these limitations, we propose an end-to-end, sustainable approach for JavaScript engine patch fuzzing, named PatchFuzz. It automates the collection of PoCs for a broader range of historical vulnerabilities and leverages both the PoCs and their corresponding patches to uncover new vulnerabilities more effectively. PatchFuzz starts by recognizing git commits that intend to fix security bugs. Subsequently, it extracts…
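The first step the abstract names, recognizing git commits that intend to fix security bugs, can be illustrated with a small keyword-weighted classifier over git log records. The following is an added example written for this page; it is not PatchFuzz's own classifier (the abstract does not spell out the paper's criteria), and the indicator phrases, weights, threshold, revert-skipping rule and the sample commits are all assumptions constructed for illustration. The input format assumed is what `git log --format="%H%x1f%s%x1f%b%x1e"` produces.

```python
"""Heuristic recognition of security-fix commits in a git log.

Added example for this page, not the classifier from the PatchFuzz paper.
The patterns, weights, threshold and sample log below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed input format, one record per commit, produced by
#   git log --format="%H%x1f%s%x1f%b%x1e"
# %x1f (unit separator) splits sha / subject / body; %x1e ends a record.
FIELD_SEP = "\x1f"
RECORD_SEP = "\x1e"

# Assumed indicator phrases with weights; a match in the subject counts double.
INDICATORS = {
    r"\bCVE-\d{4}-\d{4,}\b": 3,
    r"\bsecurity\b": 2,
    r"\buse[- ]after[- ]free\b|\bUAF\b": 3,
    r"\b(heap|stack|buffer|integer) overflow\b": 3,
    r"\bout[- ]of[- ]bounds\b|\bOOB\b": 3,
    r"\btype confusion\b": 3,
    r"\bmemory corruption\b": 3,
    r"\bsandbox escape\b": 3,
    r"\b(missing|add(ed)?) (bounds|length|type) check\b": 2,
}
COMPILED = [(re.compile(p, re.IGNORECASE), w, p) for p, w in INDICATORS.items()]
THRESHOLD = 3  # assumed cut-off: a lone body mention of "security" is not enough


@dataclass
class Commit:
    sha: str
    subject: str
    body: str


@dataclass
class Verdict:
    sha: str
    score: int
    matched: list = field(default_factory=list)  # patterns that fired

    @property
    def is_security_fix(self) -> bool:
        return self.score >= THRESHOLD


def parse_git_log(text: str) -> list:
    """Split the separator-delimited log into Commit records."""
    commits = []
    for record in text.split(RECORD_SEP):
        record = record.strip("\n")
        if not record:
            continue
        # Pad so a record with a missing subject/body still yields three fields.
        sha, subject, body = (record.split(FIELD_SEP, 2) + ["", ""])[:3]
        commits.append(Commit(sha.strip(), subject.strip(), body.strip()))
    return commits


def classify(commit: Commit) -> Verdict:
    """Score one commit; subject hits weigh twice as much as body hits."""
    verdict = Verdict(commit.sha, 0)
    # A revert undoes a change rather than fixing a bug, so skip it (assumption).
    if commit.subject.lower().startswith("revert"):
        return verdict
    for regex, weight, pattern in COMPILED:
        if regex.search(commit.subject):
            verdict.score += 2 * weight
            verdict.matched.append(pattern)
        elif regex.search(commit.body):
            verdict.score += weight
            verdict.matched.append(pattern)
    return verdict


def security_fix_shas(log_text: str) -> list:
    """Return the shas of commits whose score reaches the threshold, in log order."""
    return [v.sha for v in map(classify, parse_git_log(log_text)) if v.is_security_fix]


# Constructed sample log; the shas and bug id are placeholders, not real commits.
SAMPLE_LOG = (
    "a1b2c3d\x1f[heap] Add bounds check when growing backing store\x1f"
    "Fixes out-of-bounds write reported by fuzzer.\n\nBug: placeholder-1234\x1e"
    "deadbee\x1fRefactor parser tests\x1fNo functional change.\x1e"
    "0badf00\x1fFix use-after-free in promise resolution\x1f\x1e"
    "cafe123\x1fRevert \"Fix use-after-free in promise resolution\"\x1fBroke tests.\x1e"
    "1234567\x1fUpdate README\x1fMention the security policy document.\x1e"
)

if __name__ == "__main__":
    for c in parse_git_log(SAMPLE_LOG):
        v = classify(c)
        print(f"{c.sha} score={v.score:2d} security_fix={v.is_security_fix} {c.subject}")
```

On the constructed log the bounds-check and use-after-free commits are selected, the revert is dropped, and the README commit that merely mentions "security" in its body stays below the threshold, which is the kind of false positive a keyword-only approach has to guard against before the selected commits are handed to the next stage.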
