Embed Size (px)
Citation preview
Sophia Antipolis, French Riviera20-22 October 2015
Fuzz Testing of Web BrowsersPresented by Renata Hodovan
© All rights reserved
Outline
2
• Principles of random testing• Pros & Cons of fuzzing• How to fuzz a browser?• Evaluation of a real life framework
© All rights reserved
Principles of Fuzz Testing
3
• Idea: Stress testing the target with deformed inputs• Expected bugs (primarily):
Implementation mistakesNon-semantic issues
• Automated testing
© All rights reserved
Possible Issue Types
4
• Stability issuesCrashesMemory corruptionsHangs
• Semantic issuesAssertion failuresOutput mismatch with an oracle
© All rights reserved
Pros & Cons
5
• ProsIt works! :-)Fast and cheapNo need for source codePortable
• ConsSmart fuzzing can be challenging
© All rights reserved
How to Fuzz a Browser?
© All rights reserved
What do You Need ?
7
• Evil test generator algorithm• Transfer mechanism• Monitoring framework
© All rights reserved
Browser Fuzzing Framework
8 © All rights reserved
Test
Test
Test
Variations for Generators
9
• Random noise• Mutation based• Generation based• Combination of the above
© All rights reserved
First Steps ...
10
• Tests with random character sequences• Pros:
Fast and easy to implement
• Cons:Mostly fails on the first checksNot able to find complex errors
• Found bug in WebKit (Apple Safari)ᠶʐ
© All rights reserved
Mutation Based Approaches
11
• Idea: the most error-prone tests are the almost good ones• Let's mess up existing tests!• Pros:
Still easy to implementMuch more effective than purely random
• Cons:The variety of possible tests depends on the initial test set
© All rights reserved
Mutation Based Approaches
12
• Ingredients:
Existing test casesParser for the testsTest domain (in)competence
© All rights reserved
Mutation Based Approaches
13
• Replace tokens with random contents:
<applet code="good.class"></applet>
<applet code="foo.bar"></applet>
(Google Chrome issue)
© All rights reserved
Generation Based Approach
14
• Ingredients:
Model/grammar describing the input formatE.g., in BNF format
Automatism that processes the description and generates a fuzzerANTLR
© All rights reserved
Generation Based Approach
15 © All rights reserved
ANTLRJAVA
Fuzzergrammar
Inputgrammar
Generation Based Approach
16
• Pros:Not bound to any input test setEasier to extendIncreased coverage
• Cons:Needs much more preliminary work
© All rights reserved
How to Obtain the Input Grammar?
17
• Make your hands dirty! Write it yourself!• Extract it from standards
E.g., from XSD or IDL definitionsThey can be processed automatically
• Extract from existing test casesUncover undocumented features
• Combine all of them
© All rights reserved
Further Challenges
18
• Grammars can only describe syntactic requirements but not semantic ones. E.g.,:
Variable matchingUsing functions with “correct” parameter listBuilding valid relations between XML nodes
• Solution:Adding semantic information manually
E.g., using symbol tables
© All rights reserved
How to Obtain the Input Grammar?
19
• Make your hands dirty! Write it yourself!• Extract it from standards
E.g., from XSD or IDL definitionsThey can be processed automatically
• Extract from existing test casesUncover undocumented features
• Combine all of them
© All rights reserved
Generation Based Approach
20
function f_0(){
for(var v_0 in [10]){
try {
for(var v_1 in [10])
return;
} finally {}
}
}
for(var v_2 in f_0()) {}
(JavaScriptCore issue)
© All rights reserved
Fuzzinator
© All rights reserved
Features
22
• Supported languagesHTMLSVGMathMLCSSJavaScriptCombinations of the above
© All rights reserved
• Applied techniquesMutationGeneration
• Grammar sourcesHand-writtenExtracted from XSD, IDL, web standards
• Advanced featuresID matching, self adapting weights
Results in Numbers
23 © All rights reserved
Engine Number of bugs
Google Chrome 274
Apple Safari 257
Jerryscript (JS engine) 96
Questions?
24 © All rights reserved
