转:The Great DOM Fuzz-off of 2017
The Great DOM Fuzz-off of 2017
Introduction
The fuzzer
- The base engine that can generate a sample given an input grammar. This part is intentionally fairly generic and can be applied to other problems besides just DOM fuzzing.//通用并且适合DOMfuzz之外的
- The main script that parses the arguments and uses the base engine to create samples. Most logic that is DOM specific is captured in this part.//解析参数并创建例子
- A set of grammars for generating HTML, CSS and JavaScript code.//语法
- I initially extracted DOM API declarations from .idl files in Google Chrome Source. Similarly, I parsed Chrome’s layout tests to extract common (and not so common) names and values of various HTML and CSS properties.
- Afterwards, this automatically extracted data was heavily manually edited to make the generated samples more likely to trigger interesting behavior. One example of this are functions and properties that take strings as input: Just because a DOM property takes a string as an input does not mean that any string would have a meaning in the context of that property.
- Generating multiple JavaScript functions that can be used as targets for various DOM callbacks and event handlers
- Implicit (through grammar definitions) support for “interesting” APIs (e.g. the Range API) that have historically been prone to bugs.
Setup
- Google Chrome was fuzzed on an internal Chrome Security fuzzing cluster called ClusterFuzz. To fuzz Google Chrome on ClusterFuzz we simply needed to upload the fuzzer and it was run automatically against various Chrome builds.
- Mozilla Firefox was fuzzed on internal Google infrastructure (linux based). Since Mozilla already offers Firefox ASAN builds for download, we used that as a fuzzing target. Each crash was additionally verified against a release build.
- Internet Explorer 11 was fuzzed on Google Compute Engine running Windows Server 2012 R2 64-bit. Given the lack of ASAN build, page heap was applied to iexplore.exe process to make it easier to catch some types of issues.
- Microsoft Edge was the only browser we couldn’t easily fuzz on Google infrastructure since Google Compute Engine doesn’t support Windows 10 at this time and Windows Server 2016 does not include Microsoft Edge. That’s why for fuzzing it we created a virtual cluster of Windows 10 VMs on Microsoft Azure. Same as with Internet Explorer, page heap was applied to MicrosoftEdgeCP.exe process before fuzzing.
- Instead of fuzzing Safari directly, which would require Apple hardware, we instead used WebKitGTK+ which we could run on internal (Linux-based) infrastructure. We created an ASAN build of the release version of WebKitGTK+. Additionally, each crash was verified against a nightly ASAN WebKit build running on a Mac.//利用WebKitGTK+而不需Apple硬件
Results
Vendor
|
Browser
|
Engine
|
Number of Bugs
|
Project Zero Bug IDs
|
Google
|
Chrome
|
Blink
|
2
|
994, 1024
|
Mozilla
|
Firefox
|
Gecko
|
4**
|
1130, 1155, 1160, 1185
|
Microsoft
|
Internet Explorer
|
Trident
|
4
|
1011, 1076, 1118, 1233
|
Microsoft
|
Edge
|
EdgeHtml
|
6
|
1011, 1254, 1255, 1264, 1301, 1309
|
Apple
|
Safari
|
WebKit
|
17
|
999, 1038, 1044, 1080, 1082, 1087, 1090, 1097, 1105, 1114, 1241, 1242, 1243, 1244, 1246, 1249, 1250
|
Total
|
31*
|
Experimenting with coverage-guided DOM fuzzing
- The fuzzer generates a new set of samples by mutating existing samples in the corpus.//变异
- The fuzzer spawns IE process which opens a harness HTML page.
- The harness HTML page instructs the fuzzer to start measuring coverage and loads one of the samples in an iframe//执行
- After the sample executes, it notifies the harness which notifies the fuzzer to stop collecting coverage.//计算代码覆盖率
- Coverage map is examined and if it contains unseen coverage, the corresponding sample is added to the corpus.
- Go to step 3 until all samples are executed or the IE process crashes
- Periodically minimize the corpus using the AFL’s cmin algorithm.//自动精简
- Go to step 1.
- Adding new CSS rules
- Adding new properties to the existing CSS rules
- Adding new HTML elements
- Adding new properties to the existing HTML elements
- Adding new JavaScript lines. The new lines would be aware of the existing JavaScript variables and could thus reuse them.
Conclusion
转:The Great DOM Fuzz-off of 2017的更多相关文章
- JQuery基本知识、选择器、事件、DOM操作、动画--2017年2月10日
$(对象)可以将JS对象转换为JQuery对象 .get(0)可以将JQuery对象转换为JS对象 并无太大区别,灵活点出即可
- 像VUE一样写微信小程序-深入研究wepy框架
像VUE一样写微信小程序-深入研究wepy框架 微信小程序自发布到如今已经有半年多的时间了,凭借微信平台的强大影响力,越来越多企业加入小程序开发. 小程序于M页比相比,有以下优势: 1.小程序拥有更多 ...
- JS DOM(2017.12.28)
一.获得元素节点的方法 document.getElementById() 根据Id获取元素节点 document.getElementsByName() 根据name获取元素节点 遍 ...
- 2017 年值得一瞥的 JavaScript 相关技术趋势
跨年前两天,Dan Abramov在Twitter上提了一个问题: JS社区毫不犹豫的抛出了它们对于新技术的预期与期待,本文内容也是总结自Twitter的回复,按照流行度降序排列.有一个尚未确定的小点 ...
- DOM的相关优化
为什么要进行DOM优化? DOM对象本身也是一个js对象,所以严格来说,并不是操作这个对象慢,而是说操作了这个对象后,会触发一些浏览器行为,比如布局(layout)和绘制(paint). 首先先说一些 ...
- python运维开发(十六)----Dom&&jQuery
内容目录: Dom 查找 操作 事件 jQuery 查找 筛选 操作 事件 扩展 Dom 文档对象模型(Document Object Model,DOM)是一种用于HTML和XML文档的编程接口.它 ...
- 【2017年新篇章】 .NET 面试题汇总(二)
本次给大家介绍的是我收集以及自己个人保存一些.NET面试题第二篇 第一篇文章请到这里:[2017年新篇章] .NET 面试题汇总(一) 简介 此次包含的不止是.NET知识,也包含少许前端知识以及.ne ...
- X-NUCA 2017 web专题赛训练题 阳光总在风雨后和default wp
0X0.前言 X-NUCA 2017来了,想起2016 web专题赛,题目都打不开,希望这次主办方能够搞好点吧!还没开赛,依照惯例会有赛前指导,放一些训练题让CTFer们好感受一下题目. 题目有一大 ...
- HTML DOM (文档对象模型)
当网页被加载时,浏览器会创建页面的文档对象模型(Document Object Model). HTML DOM 模型被构造为对象的树. HTML DOM 树 通过可编程的对象模型,JavaScrip ...
随机推荐
- Lucene 索引与检索架构图
- c# 计算星座
public string xz(DateTime birthday) { float birthdayF = 0.00F; if (birthday.Month == 1 && bi ...
- 2017.5.27 NOIP模拟赛(hzwer2014-5-16 NOIP模拟赛)
期望得分:100+100+60+30=290 实际得分:100+20+60+0=180 当务之急:提高一次正确率 Problem 1 双色球(ball.cpp/c/pas) [题目描述] 机房来了新一 ...
- How to Evaluate Machine Learning Models, Part 4: Hyperparameter Tuning
How to Evaluate Machine Learning Models, Part 4: Hyperparameter Tuning In the realm of machine learn ...
- asp.net 遍历文件夹下全部子文件夹并绑定到gridview上
遍历文件夹下所有子文件夹,并且遍历配置文件某一节点中所有key,value并且绑定到GridView上 Helper app_Helper = new Helper(); DataSet ds = n ...
- 【BZOJ】4872: [Shoi2017]分手是祝愿 期望DP
[题意]给定n盏灯的01状态,操作第 i 盏灯会将所有编号为 i 的约数的灯取反.每次随机操作一盏灯直至当前状态能够在k步内全灭为止(然后直接灭),求期望步数.n,k<=10^5. [算法]期望 ...
- 【CodeForces】915 F. Imbalance Value of a Tree 并查集
[题目]F. Imbalance Value of a Tree [题意]给定n个点的带点权树,求所有路径极差的和.n,ai<=10^6 [算法]并查集 [题解]先计算最大值的和,按点权从小到大 ...
- String类的一些常用操作方法
package com.liveyc.framework.util; import java.io.UnsupportedEncodingException; import java.net.URLD ...
- POJ - 1330 Nearest Common Ancestors 最近公共祖先+链式前向星 模板题
A rooted tree is a well-known data structure in computer science and engineering. An example is show ...
- python初步学习-python模块之 logging
logging 许多应用程序中都会有日志模块,用于记录系统在运行过程中的一些关键信息,以便于对系统的运行状况进行跟踪.在python中,我们不需要第三方的日志组件,python为我们提供了简单易用.且 ...