Paper title
Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
Paper authors
Paper abstract
JavaScript (JS) engine vulnerabilities pose significant security threats affecting billions of web browsers. While fuzzing is a prevalent technique for finding such vulnerabilities, there have been few studies that leverage the recent advances in neural network language models (NNLMs). In this paper, we present Montage, the first NNLM-guided fuzzer for finding JS engine vulnerabilities. The key aspect of our technique is to transform a JS abstract syntax tree (AST) into a sequence of AST subtrees that can directly train prevailing NNLMs. We demonstrate that Montage is capable of generating valid JS tests, and show that it outperforms previous studies in terms of finding vulnerabilities. Montage found 37 real-world bugs, including three CVEs, in the latest JS engines, demonstrating its efficacy in finding JS engine bugs.
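The abstract's central idea is turning an AST into a sequence of subtrees that a language model can consume, and turning a predicted sequence back into a syntactically valid test. The Node.js snippet below is an added illustration of that decomposition and reassembly; it is not code from the Montage project or the paper's authors. It assumes depth-one subtrees (a node plus type-only placeholders for its immediate children) emitted in preorder; the abstract itself does not fix the subtree shape or the traversal order. The ESTree-style sample AST is constructed by hand for `var a = foo(1, "x");`, and the `replaceFragment` mutation takes its replacement from the caller rather than from a trained model.

```javascript
// Added example (not Montage's own code): split an ESTree-style AST into
// depth-one fragments in preorder, rebuild a tree from such a sequence,
// and perform a type-checked fragment substitution. Depth-one fragments
// and preorder are assumptions of this example.

// Constructed sample AST for `var a = foo(1, "x");` (hand-written).
const SAMPLE_AST = {
  type: "Program",
  body: [{
    type: "VariableDeclaration",
    kind: "var",
    declarations: [{
      type: "VariableDeclarator",
      id: { type: "Identifier", name: "a" },
      init: {
        type: "CallExpression",
        callee: { type: "Identifier", name: "foo" },
        arguments: [
          { type: "Literal", value: 1 },
          { type: "Literal", value: "x" },
        ],
      },
    }],
  }],
};

function isNode(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) && typeof v.type === "string";
}

function isNodeList(v) {
  return Array.isArray(v) && v.every(isNode);
}

// Fragment of a node: same scalar fields, but every child node is reduced
// to a placeholder carrying only its type. Fragments are appended in preorder.
function fragmentize(node, out = []) {
  const frag = {};
  for (const [key, val] of Object.entries(node)) {
    if (isNode(val)) frag[key] = { type: val.type };
    else if (isNodeList(val)) frag[key] = val.map((c) => ({ type: c.type }));
    else frag[key] = val;
  }
  out.push(frag);
  for (const val of Object.values(node)) {
    if (isNode(val)) fragmentize(val, out);
    else if (isNodeList(val)) val.forEach((c) => fragmentize(c, out));
  }
  return out;
}

// String form of a fragment: the unit a language model would treat as one
// vocabulary token.
function fragmentToken(frag) {
  return JSON.stringify(frag);
}

// Types of a fragment's child placeholders, in traversal order.
function childTypes(frag) {
  const types = [];
  for (const val of Object.values(frag)) {
    if (isNode(val)) types.push(val.type);
    else if (isNodeList(val)) val.forEach((p) => types.push(p.type));
  }
  return types;
}

// Inverse of fragmentize: consume fragments in preorder, filling each
// placeholder with the next fragment, and reject type mismatches or a
// sequence that is too short or too long.
function assemble(frags) {
  let pos = 0;
  function build(expectedType) {
    const frag = frags[pos++];
    if (frag === undefined) throw new Error("fragment sequence ended early");
    if (expectedType !== undefined && frag.type !== expectedType) {
      throw new Error(`expected ${expectedType}, got ${frag.type}`);
    }
    const node = {};
    for (const [key, val] of Object.entries(frag)) {
      if (isNode(val)) node[key] = build(val.type);
      else if (isNodeList(val)) node[key] = val.map((p) => build(p.type));
      else node[key] = val;
    }
    return node;
  }
  const root = build();
  if (pos !== frags.length) throw new Error(`${frags.length - pos} unused fragments`);
  return root;
}

// Substitute one fragment while keeping the sequence assemblable: the
// replacement must have the same node type and the same child placeholders.
// A model-guided fuzzer would choose the replacement from its predictions;
// here the caller supplies it.
function replaceFragment(frags, index, replacement) {
  const old = frags[index];
  if (replacement.type !== old.type) {
    throw new Error(`cannot replace ${old.type} with ${replacement.type}`);
  }
  if (childTypes(old).join(",") !== childTypes(replacement).join(",")) {
    throw new Error("replacement fragment has different child placeholders");
  }
  const next = frags.slice();
  next[index] = replacement;
  return next;
}

function demo() {
  const frags = fragmentize(SAMPLE_AST);
  frags.forEach((f, i) => console.log(i, fragmentToken(f)));
  // Swap the literal 1 for a boundary integer and rebuild the tree.
  const mutated = replaceFragment(frags, 6, { type: "Literal", value: 2 ** 31 });
  return assemble(mutated);
}

console.log(JSON.stringify(demo()));
```

Running the block prints the eight fragment tokens in preorder and the reassembled tree with the mutated literal. The point the structure makes is the one the abstract claims: because every placeholder is filled by a fragment of the matching type, a sequence produced by a model (or by substitution) reassembles into a well-formed AST rather than into text the engine rejects at parse time, so fuzzing effort lands on the engine's semantics and JIT rather than on its parser.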