During the past few years, fuzz testing has been a popular technique for finding bugs in software. It continuously feeds a large number of test cases to the target program and monitors the execution state to discover potential vulnerabilities. The efficiency of fuzzing tools heavily relies on the quality of the test cases. However, fuzz testing faces a challenge because many software applications place specific requirements on their input. A JavaScript engine interprets and executes JavaScript files, and it requires that the input files satisfy the syntactic and semantic rules of JavaScript. Traditional fuzzing tools usually ignore such file-format requirements and struggle to generate valid test cases, which makes it difficult to expose deep vulnerabilities in JavaScript engines. To address this challenge and improve the quality of test cases, this paper proposes a novel fuzz testing approach leveraging deep learning techniques, named FlareFuzz. FlareFuzz uses a GRU network to learn syntactic and semantic knowledge from the AST and CFG of JavaScript programs. This structured representation of the code contains rich semantic information, which helps the deep learning model capture the latent semantic rules of the corpus. In addition, the performance of the GRU network makes it well suited to fuzz testing: it is faster than an LSTM and effectively captures long-distance dependencies in sequences. The introduction of the GRU therefore helps FlareFuzz achieve high efficiency. Evaluations indicate that FlareFuzz outperforms previous approaches in generating test cases. Furthermore, experiments on mainstream JavaScript engines demonstrate that FlareFuzz also performs well in real-world scenarios.
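The abstract's central claim is that a generator which works from the structured representation of a program (its AST) produces syntactically valid JavaScript, whereas a format-unaware mutator mostly produces input the engine rejects at parse time. The following is an added example, not code from the FlareFuzz paper: the learned GRU model is replaced by a small hand-written grammar (an assumption made purely for illustration), random ASTs are linearized into the pre-order token sequence a sequence model would consume, serialized to source, and their parse-validity rate is compared with that of byte-level random mutation of a constructed seed program. The engine's own parser is used as the oracle through `new Function`, which compiles a body without executing it. Node kinds loosely follow ESTree naming.

```javascript
// Added example (not the paper's code): toy syntax-aware generator vs.
// byte-level mutator, with the engine's parser as the validity oracle.

// Small deterministic PRNG (xorshift32) so results are reproducible.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000;
  };
}

const NAMES = ['a', 'b', 'c'];          // constructed identifier pool
const OPS = ['+', '-', '*', '<'];       // constructed operator pool
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];

// Random expression subtree; `depth` bounds the recursion.
function genExpr(rng, depth) {
  const r = rng();
  if (depth <= 0 || r < 0.3) {
    return rng() < 0.5
      ? { type: 'Literal', value: Math.floor(rng() * 100) }
      : { type: 'Identifier', name: pick(rng, NAMES) };
  }
  if (r < 0.65) {
    return { type: 'BinaryExpression', operator: pick(rng, OPS),
             left: genExpr(rng, depth - 1), right: genExpr(rng, depth - 1) };
  }
  return { type: 'CallExpression', callee: { type: 'Identifier', name: 'f' },
           arguments: [genExpr(rng, depth - 1)] };
}

// Random statement subtree; nested `if` only while depth remains.
function genStmt(rng, depth) {
  const r = rng();
  if (depth > 0 && r < 0.3) {
    return { type: 'IfStatement', test: genExpr(rng, depth),
             consequent: genStmt(rng, depth - 1) };
  }
  if (r < 0.7) {
    return { type: 'VariableDeclaration', name: pick(rng, NAMES),
             init: genExpr(rng, depth) };
  }
  return { type: 'ExpressionStatement', expression: genExpr(rng, depth) };
}

function genProgram(rng, stmts = 3, depth = 3) {
  const body = [];
  for (let i = 0; i < stmts; i++) body.push(genStmt(rng, depth));
  return { type: 'Program', body };
}

// Pre-order traversal: the flat token sequence a sequence model (such as the
// GRU the paper describes) would be trained on instead of raw characters.
function linearize(node) {
  const out = [node.type];
  for (const key of ['body', 'test', 'consequent', 'init', 'expression',
                     'left', 'right', 'callee', 'arguments']) {
    const child = node[key];
    if (child === undefined) continue;
    for (const c of Array.isArray(child) ? child : [child]) out.push(...linearize(c));
  }
  return out;
}

// AST -> source. Every node kind has one fixed, well-formed rendering, so the
// output is syntactically valid by construction.
function toSource(node) {
  switch (node.type) {
    case 'Program': return node.body.map(toSource).join('\n');
    case 'VariableDeclaration': return `var ${node.name} = ${toSource(node.init)};`;
    case 'IfStatement': return `if (${toSource(node.test)}) { ${toSource(node.consequent)} }`;
    case 'ExpressionStatement': return `${toSource(node.expression)};`;
    case 'BinaryExpression':
      return `(${toSource(node.left)} ${node.operator} ${toSource(node.right)})`;
    case 'CallExpression':
      return `${toSource(node.callee)}(${node.arguments.map(toSource).join(', ')})`;
    case 'Literal': return String(node.value);
    case 'Identifier': return node.name;
    default: throw new Error(`unknown node type ${node.type}`);
  }
}

// Baseline: overwrite `k` random characters of a constructed seed program with
// random printable ASCII, as a format-unaware mutator would.
const SEED = 'var a = 1; if (a < 2) { b = f(a + 1); }';
function mutateBytes(rng, src, k = 3) {
  const chars = src.split('');
  for (let i = 0; i < k; i++) {
    chars[Math.floor(rng() * chars.length)] = String.fromCharCode(32 + Math.floor(rng() * 95));
  }
  return chars.join('');
}

// `new Function` parses the body without running it: a syntax check that uses
// the engine's own parser as the oracle.
function isSyntacticallyValid(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Fraction of `n` generated inputs the parser accepts.
function validityRate(n, seed, generate) {
  const rng = makeRng(seed);
  let valid = 0;
  for (let i = 0; i < n; i++) if (isSyntacticallyValid(generate(rng))) valid++;
  return valid / n;
}

const astRate = (n, seed) => validityRate(n, seed, rng => toSource(genProgram(rng)));
const mutationRate = (n, seed) => validityRate(n, seed, rng => mutateBytes(rng, SEED));

console.log(toSource(genProgram(makeRng(7))));
console.log('AST-generated valid:', astRate(500, 1), 'byte-mutated valid:', mutationRate(500, 1));
```

The grammar here is deliberately tiny; the point is the pipeline shape (structured tree, linearized token sequence, serializer, parser oracle), which is what a learned model replaces and enlarges. In a real harness the oracle would be the target engine's parser rather than the host Node.js runtime, and the interesting metric is not only parse validity but how much of the engine's deeper code (interpreter, JIT tiers) the valid inputs reach.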