This is a fuzzer for lightweight JavaScript engines.
- Create a Docker image.

```shell
cd setup
docker build -t fuzzli:v1.0 .
```

- Create a Docker container (replace `xxxx` with the host port that should forward to the container's SSH port).

```shell
docker run -d -it -p xxxx:22 --name fuzzli fuzzli:v1.0
```
Most absolute paths in the source code have been modified to support redevelopment. However, the paths to the LiJS engines remain absolute, so users must either ensure that /home/fuzzli_tool/engines exists or modify the path in the source code.
The configuration file is located at resources/config.json. You typically do not need to modify this file unless you want to customize the default settings.
We provide a script to run FuzzLi. Users can choose to execute it all at once or step by step.
To run FuzzLi in one go:

```shell
cd EmbeddedFuzzer
python main.py --step=0 --size=[INPUT A NUMBER]
```

To run FuzzLi step by step:

```shell
cd EmbeddedFuzzer
# 1. Obtain seed programs and mutate.
python main.py --step=1 --size=[INPUT A NUMBER]
# 2. Execute differential testing.
python main.py --step=2 --size=[INPUT A NUMBER]
# 3. Reduce anomalies.
python main.py --step=3 --size=[INPUT A NUMBER]
```
NOTE. The --size parameter is optional. If omitted, the default value is 100. If the input size exceeds the number of available results in the database, the program will use only the available results.
Following double-blind reviewing, we are not sharing our bug list now. It will be made available after the paper is accepted.
The version information of the tested engines is as follows:
| Engine | Version | Build No. | Source | Application |
|---|---|---|---|---|
| MuJS | V1.0.7 | 90aca80 | Artifex | Mobile devices/Embedded devices |
| | V1.3.2 | 0e611cd | | |
| XS | - | 9ed5514 | Moddable | Moddable SDK |
| | - | 771d593 | | |
| | - | a461685 | | |
| | V3.7.0 | 74aa31c | | |
| Duktape | V2.6.0 | fffa346 | - | Embedded devices/IoT devices |
| | V2.7.0 | 03d4d72 | | |
| JerryScript | - | 8be6aec | Samsung | Microcontrollers |
| | - | bd1c4df | | |
| | - | edd2f20 | | |
| | V2.4.0 | 8ba0d1b | | |
| Hermes | - | 3ed8340 | - | React native apps |
| | - | b6530ae | | |
| QuickJS | V2020-11-08 | b1f67df | - | Embedded devices |
| | V2021-03-27 | b5e6289 | | |
You can find the results for each step of FuzzLi in the database file you specified in the configuration file.
| Table Name | Description |
|---|---|
| Corpus | Extracted code fragments |
| DifferentialTestResults | Results of differential testing |
| Engines | Information of the tested JS engines |
| OriginalTestcases | Seed programs |
| Outputs | Execution results of test cases |
| Testcases | Mutated test cases |
For users interested in the internal workings of FuzzLi, we provide a brief overview of its implementation.
The entry point is main.py, where the core logic is handled by the step0 method.
FuzzLi first generates seed programs using:

```python
original_test_case = self.config.callable_processor.get_self_calling(simple)
```

It then mutates the seed program to produce a list of test cases:

```python
mutated_test_case_list = self.mutate_by_flag(flag, original_test_case)
```

The third step is differential testing:

```python
differential_test_result = Result.differential_test(harness_result)
```

Finally, anomalies are simplified using the reducer:

```python
simplified_test_case = self.config.reducer.reduce(harness_result)
```
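The differential-testing step outlined above, as an added example that is not FuzzLi's own code: it runs one test case on several engine binaries, collapses each outcome into a comparable signature, and reports the engines whose result diverges from the majority. The engine binary names, the `Outcome` tuple layout and the `"timeout"` sentinel are assumptions; the sample outcomes are constructed.

```python
import subprocess
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Assumed engine binaries (placeholder names); the README only gives the directory.
ENGINES = {"mujs": "/home/fuzzli_tool/engines/mujs", "xs": "/home/fuzzli_tool/engines/xst",
           "duktape": "/home/fuzzli_tool/engines/duk", "quickjs": "/home/fuzzli_tool/engines/qjs"}
Outcome = Tuple[str, str, int]  # (stdout, stderr, returncode)

@dataclass
class Anomaly:
    majority: str             # signature most engines agree on
    outliers: Dict[str, str]  # engine -> its divergent signature

def normalize(stdout: str, stderr: str, returncode: int) -> str:
    """Collapse one run into a comparable signature; failures bucket by kind."""
    if stderr == "timeout":       # sentinel written by run_on_engines below
        return "TIMEOUT"
    if returncode < 0:            # killed by a signal, e.g. -11 for SIGSEGV
        return f"CRASH:{-returncode}"
    if returncode != 0:           # error text differs per engine, so ignore it
        return "ERROR"
    return "\n".join(line.strip() for line in stdout.strip().splitlines())

def differential_test(results: Dict[str, Outcome]) -> Optional[Anomaly]:
    """Group engines by signature; anything outside the largest group is a candidate bug."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for engine, (out, err, rc) in results.items():
        buckets[normalize(out, err, rc)].append(engine)
    if len(buckets) <= 1:
        return None
    majority = max(buckets, key=lambda sig: len(buckets[sig]))
    outliers = {e: sig for sig, members in buckets.items()
                if sig != majority for e in members}
    return Anomaly(majority, outliers)

def run_on_engines(js_path: str, engines=ENGINES, timeout=5) -> Dict[str, Outcome]:
    """Run one test case on every engine binary (needs the binaries present)."""
    results: Dict[str, Outcome] = {}
    for name, binary in engines.items():
        try:
            p = subprocess.run([binary, js_path], capture_output=True,
                               text=True, timeout=timeout)
            results[name] = (p.stdout, p.stderr, p.returncode)
        except subprocess.TimeoutExpired:
            results[name] = ("", "timeout", -1)
    return results

# Constructed sample outcomes: three engines print 1, one throws, one segfaults.
SAMPLE = {"mujs": ("1\n", "", 0), "duktape": ("1\n", "", 0), "xs": ("1 \n", "", 0),
          "jerryscript": ("", "TypeError: ...", 1), "hermes": ("", "", -11)}
```

An outlier is a candidate, not a confirmed bug: the majority can be the wrong side, so each discrepancy should be checked against the ECMAScript specification before it is reduced and reported.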
The core modules are shown below.
| Module | Path |
|---|---|
| configuration | EmbeddedFuzzer/resources/config.json |
| code snippet collection | EmbeddedFuzzer/src/Postprocessor/postprocessor.py |
| seed program generation | EmbeddedFuzzer/src/Postprocessor/callable_processor.py |
| mutation | EmbeddedFuzzer/src/Mutator |
| differential testing | EmbeddedFuzzer/src/Harness.py |
| reducer | EmbeddedFuzzer/src/Reducer |