CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines

HyungSeok Han (KAIST), DongHyeon Oh (KAIST), Sang Kil Cha (KAIST)

JavaScript engines are an attractive target for attackers due to their
popularity and flexibility in building exploits. Current state-of-the-art
fuzzers for finding JavaScript engine vulnerabilities focus mainly on generating
syntactically correct test cases based on either a predefined context-free
grammar or a trained probabilistic language model. Unfortunately, syntactically
correct JavaScript sentences are often semantically invalid at runtime.
Furthermore, statically analyzing the semantics of JavaScript code is
challenging due to its dynamic nature: JavaScript code is generated at runtime,
and JavaScript expressions are dynamically-typed. To address this challenge, we
propose a novel test case generation algorithm that we call semantics-aware
assembly, and implement it in a fuzz testing tool termed CodeAlchemist. Our tool
can generate arbitrary JavaScript code snippets that are both semantically and
syntactically correct, and it effectively yields test cases that can crash
JavaScript engines. We found numerous vulnerabilities of the latest JavaScript
engines with CodeAlchemist and reported them to the vendors.