Ghosts of Christmas Past: Fuzzing Language Interpreters using Regression Tests


Presented at Infiltrate 2014 by

In this talk I will discuss an approach to fuzzing language interpreters that has found a large number of bugs over the past few months, across a number of different targets (Javascript, PHP & Ruby interpreters). Taking inspiration from previous work [1], this approach makes use of existing regression tests to provide information on language syntax, semantics, and API usage. From there, it employs a variety of different mutation and generation strategies to produce new inputs that are, ideally, syntactically valid, semantically complex, and, even more ideally, break the interpreter in new and interesting ways. During the talk I will cover three primary extensions over earlier research:

* The combination of standard reference-crawling fuzzing [2] with regression-test-based fuzzing.
* A comparison of multiple approaches to input generation using regression tests: from the direct application of tools like Radamsa [3], to mutation and combination using language grammars, to the use of on-the-fly reflection to crawl for reference counting issues.
* The extension of the attack surface covered in [1], which focused on the Firefox & Chrome Javascript command-line shells and the PHP interpreter. I will discuss extending this to any Javascript-aware browser, as well as our results from testing both PHP and Ruby.

In the interest of self-flagellation, I will also discuss a few tragic failures of both intellect and implementation that occurred along the way.
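As an added illustration of the "mutation and combination" strategy described above (example code written for this page, not the speaker's tooling): it treats a few constructed JS snippets as regression-test seeds, splices the statements of two seeds together while keeping each seed's declarations ahead of their uses, and swaps numeric literals for boundary values. The seed snippets, the `assertEq` helper name and the `BOUNDARY` list are assumptions, not taken from any real interpreter test suite.

```python
import random
import re

# Constructed seed "regression tests": small JS snippets shaped like interpreter
# test-suite files (hypothetical, not taken from any real test suite).
SEEDS = {
    "array_splice.js": "var a = [1, 2, 3];\na.splice(1, 1);\nassertEq(a.length, 2);",
    "string_repeat.js": "var s = 'ab';\nvar r = s.repeat(3);\nassertEq(r, 'ababab');",
    "typed_array.js": "var t = new Uint8Array(16);\nt.fill(255);\nassertEq(t[15], 255);",
}
NUMERIC = re.compile(r"\b\d+\b")
# Assumed boundary values that stress length and index handling in interpreters.
BOUNDARY = ["0", "-1", "4294967295", "1e9", "NaN"]

def statements(src):
    """Split a seed into top-level statements (one per line in these seeds)."""
    return [line.strip() for line in src.splitlines() if line.strip()]

def declared_names(stmts):
    """Names introduced by 'var' declarations, in order of appearance."""
    return [m.group(1) for s in stmts for m in [re.match(r"var (\w+)", s)] if m]

def combine(seed_a, seed_b, rng=None):
    """Interleave two seeds' statements; each seed keeps its own order so uses
    still follow declarations, and seed_b's variables are renamed to avoid clashes."""
    if rng is None:
        rng = random.Random(0)
    a, b = statements(seed_a), statements(seed_b)
    for name in declared_names(b):
        b = [re.sub(r"\b%s\b" % name, name + "_2", s) for s in b]
    out, ia, ib = [], 0, 0
    while ia < len(a) or ib < len(b):
        if ib >= len(b) or (ia < len(a) and rng.random() < 0.5):
            out.append(a[ia]); ia += 1
        else:
            out.append(b[ib]); ib += 1
    return out

def mutate_numbers(stmts, rng=None, prob=0.5):
    """Swap each numeric literal for a boundary value with probability prob."""
    if rng is None:
        rng = random.Random(0)
    pick = lambda m: rng.choice(BOUNDARY) if rng.random() < prob else m.group(0)
    return [NUMERIC.sub(pick, s) for s in stmts]

def generate(seeds, n, seed=1):
    """Produce n fuzz cases, each a mutated combination of two distinct seeds."""
    rng = random.Random(seed)
    return ["\n".join(mutate_numbers(combine(seeds[x], seeds[y], rng), rng))
            for x, y in (rng.sample(sorted(seeds), 2) for _ in range(n))]
```

Each generated case is a syntactically valid script that an interpreter under test can be fed directly; a fixed `seed` makes a crashing case reproducible.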