Browser Fuzzing by Scheduled Mutation and Generation of Document Object Models

Ying-Dar Lin 1, Feng-Ze Liao 1, Shih-Kun Huang 1, Yuan-Cheng Lai 2
1 Dept. of Computer Science, National Chiao Tung University, Taiwan
2 Dept. of Information Management, National Taiwan University of Science and Technology, Taiwan

Abstract—Internet applications have made our daily life fruitful. However, they also cause many security problems if these applications are leveraged by intruders. Thus, it is important to find and fix vulnerabilities in a timely manner to prevent application vulnerabilities from being exploited. Fuzz testing is a popular methodology that effectively finds vulnerabilities in application programs through seed input mutation. However, it is not a satisfactory solution for web browsers. In this work, we propose a solution, called scheduled DOM fuzzing (SDF), which integrates several related browser fuzzing tools and the fuzzing framework called BFF. To explore more crash possibilities, we revise the browser fuzzing architecture and schedule seed input selection and mutation dynamically. We also propose two probability computing methods in the scheduling mechanism, which try to improve performance by determining which combinations of seed and mutation would produce more crashes. Our experiments show that SDF is up to 2.27 times more efficient in terms of the number of crashes and vulnerabilities found. SDF is also able to find 23 exploitable crashes in Windows 7 within five days. The experimental results reveal that a good scheduling method for seeds and mutations in browser fuzzing is able to find more exploitable crashes than fuzzers with a fixed seed input.

Keywords—browser fuzzing, black-box fuzzing, vulnerabilities, exploits, mutation, scheduling, document object model, DOM

I. INTRODUCTION

Internet applications have made our daily life fruitful. However, they also cause many security problems if these applications are leveraged by intruders.
Historical events show the stakes: intrusions have made nuclear centrifuges lose control[1] and shut down banking systems unexpectedly[2]. The intrusions are often due to vulnerabilities in application programs. Intruders try to find vulnerabilities in an application and exploit them to get the access they need, i.e., they use malformed inputs to take control of the victim system. It is therefore important to find and fix vulnerabilities as soon as possible to prevent them from being exploited[3].

Fuzzing is a popular methodology that effectively finds vulnerabilities in application programs[4, 5]. The mechanism is to constantly create an input, feed it into an application, and observe whether the application terminates or crashes. The reason we are interested in finding an input that crashes a target application is that if an input can crash the target, it also has a chance of exploiting the target. Hence, how to create inputs that find crashes more effectively becomes a critical issue not only for intruders but also for application developers.

In general, fuzzing can be classified into white-box fuzzing and black-box fuzzing, depending on how the inputs are created[6]. White-box fuzzing analyzes the application to ensure that the inputs it creates are effective in finding crashes. That is, an application always has many branches, which form many possible execution flows. With an enormous input space, it would be possible to create virtually infinite inputs to exhaust all execution flows. White-box fuzzing instead tries to create fewer inputs that cover more possible execution flows. Recently, some solutions have been proposed. CRAXfuzz[7] identifies specific sensitive functions in advance. If an application uses some of the identified functions, it determines whether the application has security vulnerabilities. If the answer is “yes”, it also generates specific inputs that cause the application to crash.
Coverset[8] proposes six algorithms to compute and select the proper inputs that maximize code coverage. Nevertheless, white-box fuzzing is not perfect in practice. Because of the many execution flows and complex constraints in an application, it can be imprecise. Moreover, it takes much time to analyze the application. Hence, an alternative is to randomly generate inputs without analyzing the application, which is called black-box fuzzing.

Black-box fuzzing uses a seed from a data pool to generate the next input. The idea behind black-box fuzzing is simple. First, it selects a seed, i.e., a template that is fed to the application, and then uses a method to mutate it. The general mutation method is to change some bytes of the original seed to generate an input. Second, it feeds the input, the mutated seed, to the application and checks the result. Hence, black-box fuzzing generates inputs directly rather than taking time to analyze the application. It is an effective and simple method for finding vulnerabilities. zzuf[9] is an example that mutates seeds by changing some bytes and generates inputs to feed to the application. Moreover, it uses a mutation ratio as a parameter to decide how many bytes should be changed. Basic Fuzzing Framework (BFF)[10] is a tool that improves the performance of black-box fuzzing. It is based on zzuf as the mutation method, with a seed recycling strategy: it records the results of past runs and determines which seed to select from the seed pool next time. The objective is to increase the number of crashes found. BFF is Linux-based, while Failure Observation Engine (FOE)[11] is the Windows-based version of BFF. fuzzSim[12] tries to find an optimal seed selection algorithm based on BFF to increase the number of crashes found. Although the above solutions can be used to find vulnerabilities in applications, they might not be the best choice for every type of application.
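To make the seed/mutation scheduling idea concrete, here is an added toy example (not code from the paper, BFF or zzuf): a black-box fuzzer that picks a (seed, mutator) pair by a smoothed crash rate learned from earlier runs, in the spirit of BFF's seed recycling. The two mutators, the Laplace-smoothed scoring rule and the toy crash predicate are my own simplifications, not the paper's probability computing methods.

```python
import random
import re
from collections import defaultdict


def byte_flip(doc, rng, ratio=0.02):
    """zzuf-style mutation: XOR a fraction of the bytes (at least one) with a nonzero value."""
    out = bytearray(doc)
    for pos in rng.sample(range(len(out)), max(1, int(len(out) * ratio))):
        out[pos] ^= rng.randint(1, 255)
    return bytes(out)


def dup_tag(doc, rng):
    """DOM-style mutation: duplicate one randomly chosen tag in place (toy stand-in for a DOM mutator)."""
    tags = list(re.finditer(rb"<[^>]+>", doc))
    if not tags:
        return doc
    m = rng.choice(tags)
    return doc[:m.end()] + m.group(0) + doc[m.end():]


class ScheduledFuzzer:
    """Schedules (seed index, mutator name) pairs by their observed crash rate."""

    def __init__(self, seeds, mutators, seed=0):
        self.seeds = list(seeds)
        self.mutators = dict(mutators)       # name -> callable(doc, rng) -> doc
        self.rng = random.Random(seed)        # fixed seed so runs are reproducible
        self.trials = defaultdict(int)        # (seed_idx, mutator) -> runs so far
        self.crashes = defaultdict(int)       # (seed_idx, mutator) -> crashes so far

    def score(self, key):
        # Laplace-smoothed crash rate: an untried pair starts at 0.5, so nothing is starved.
        return (self.crashes[key] + 1) / (self.trials[key] + 2)

    def choose(self):
        keys = [(i, m) for i in range(len(self.seeds)) for m in self.mutators]
        return self.rng.choices(keys, weights=[self.score(k) for k in keys], k=1)[0]

    def seed_trials(self, seed_idx):
        return sum(v for (i, _), v in self.trials.items() if i == seed_idx)

    def run(self, target, iterations):
        """target(doc) -> True if the (simulated) browser crashed on doc. Returns crashing inputs."""
        found = []
        for _ in range(iterations):
            i, m = self.choose()
            doc = self.mutators[m](self.seeds[i], self.rng)
            self.trials[(i, m)] += 1
            if target(doc):
                self.crashes[(i, m)] += 1
                found.append((i, m, doc))
        return found


# Constructed sample seeds: only the first contains a <div>, which the toy target "crashes" on.
SEEDS = [b"<html><body><div id='a'></div></body></html>", b"<html><body><p>hello</p></body></html>"]
MUTATORS = {"flip": byte_flip, "dup": dup_tag}
```

After a few hundred iterations the scheduler concentrates trials on the seed that keeps producing crashes, which is the effect the paper's scheduling aims for.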
Take Web browser as an