Recent browser exploits show that single vulnerabilities in JavaScript engines still often allow for powerful code execution exploits. Within these engines, just-in-time compilers solve the particularly hard problem of generating highly optimized native code in the presence of dynamic typing and complex language semantics. In a race for performance against competitors, features are added to the compilers at a high rate and make them interesting targets for bug hunting. What often leads to exploitable conditions is the imprecise modeling of subtle JavaScript semantics during aggressive optimization passes, but verifying the different assumptions via manual auditing is a tedious task. We propose that targeted fuzzing that incorporates problematic code patterns can help uncover many such edge cases.
We show the design of a highly scalable, engine-agnostic fuzzer that generates exotic JavaScript code for stress-testing JIT compilers. With a budget of under $1000 running on 2000 cores, it has produced hundreds of unique crashes across V8, Spidermonkey, JavaScriptCore and ChakraCore, more than 10 of which we managed to exploit reliably. As an example, we will walk through the root cause analysis and exploitation process for a code execution bug that affected the release version of Firefox.