Tacoma: Enhanced Browser Fuzzing with Fine-Grained Semantic Alignment
Browsers are responsible for managing and interpreting the diverse data coming from the web. Despite the considerable efforts of developers, however, it is nearly impossible to completely eliminate potential vulnerabilities in such complicated software. While a family of fuzzing techniques has been proposed to detect flaws in web browsers, the test inputs they generate still suffer from the inherent problems of low semantic correctness and poor diversity.
In this paper, we propose Tacoma, a novel fuzzing framework tailored for web browsers. Tacoma comprises three main modules: a semantic parser, a semantic aligner, and an input generator. By taking advantage of fine-grained semantic alignment techniques, Tacoma is capable of generating semantically correct test inputs, which significantly improves the probability that the fuzzer triggers deep browser states. In particular, by integrating a scope-aware strategy into input generation, Tacoma is able to handle asynchronous code generation, thereby substantially increasing the diversity of the generated test inputs. We conduct extensive experiments to evaluate Tacoma on three production-level browsers, i.e., Chromium, Safari, and Firefox. Empirical results demonstrate that Tacoma outperforms state-of-the-art browser fuzzers in both the code coverage achieved and the number of unique crashes detected. So far, Tacoma has identified 32 previously unknown bugs, 10 of which have been assigned CVEs. It is worth noting that Tacoma unearthed two bugs in Chromium that had remained undetected for ten years.
Thu 19 Sep (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
13:30 - 14:50 | WebAssembly and Browsers (Technical Papers) at EI 10 Fritz Paschke
Chair(s): Stefan Brunthaler (μCSRL, CODE Research Institute, University of the Bundeswehr Munich)

13:30 (20m talk) | Tacoma: Enhanced Browser Fuzzing with Fine-Grained Semantic Alignment (Technical Papers)
Jiashui Wang (Zhejiang University), Peng Qian (Zhejiang University), Xilin Huang (Ant Group), Xinlei Ying (Ant Group), Yan Chen (Northwestern University), Shouling Ji (Zhejiang University), Jianhai Chen (Zhejiang University), Jundong Xie (Ant Group), Long Liu (Ant Group)

13:50 (20m talk) | WASMaker: Differential Testing of WebAssembly Runtimes via Semantic-Aware Binary Generation (Technical Papers)
Shangtong Cao (Beijing University of Posts and Telecommunications), Ningyu He (Peking University), Xinyu She (Huazhong University of Science and Technology), Yixuan Zhang (Peking University), Mu Zhang (University of Utah), Haoyu Wang (Huazhong University of Science and Technology)

14:10 (20m talk) | Wapplique: Testing WebAssembly Runtime via Execution Context-Aware Bytecode Mutation (Technical Papers)