Weaver: Fuzzing JavaScript Engines at the JavaScript-WebAssembly Boundary

TL;DR

Weaver is a specialized greybox fuzzing framework designed to identify vulnerabilities at the JavaScript-WebAssembly boundary, effectively exploring cross-language interactions and uncovering high-severity bugs in JS engines.

Contribution

Weaver introduces a type-aware generation strategy and an intelligent scheduling algorithm to effectively fuzz JS-Wasm interactions, a previously underexplored attack surface.

Findings

Achieves higher code coverage than existing fuzzers

Uncovered two new bugs in JS engines, including a high-severity vulnerability

Demonstrates practicality and effectiveness in real-world JS engine testing

Abstract

The security of modern JavaScript (JS) engines is critical since they provide the primary defense mechanism for executing untrusted code on the web. The recent integration of WebAssembly (Wasm) has transformed these engines into complex polyglot environments, creating a novel attack surface at the JS-Wasm interaction boundary due to the distinct type systems and memory models of two languages. This boundary remains largely underexplored, as previous works mainly focus on testing JS and Wasm as two isolated entities rather than investigating the security implications of their cross-language interactions. This paper proposes Weaver, an effective greybox fuzzing framework specifically tailored to uncover vulnerabilities at the JS-Wasm boundary. To comply with the language constraints, Weaver uses a type-aware generation strategy, meticulously maintaining the dual-type representation for every generated variables. This allows fuzzer to validly utilize variables across the language boundary. Besides, Weaver leverages the UCB-1 algorithm to intelligently schedule mutators and generators to maximize the discovery of new code paths. We have implemented and evaluated Weaver on three JS engines. The results indicate that Weaver achieves superior code coverage compared to state-of-the-art fuzzers. Moreover, Weaver has uncovered two new bugs in the latest versions of these engines, one of which is considered high severity and set to highest priority, demonstrating the practicality of Weaver.