Fuzzing has gained increasing recognition over the past years. The basic concept behind it is passing random, or otherwise procedurally generated, data as input to the software under test. Multiple fuzzers have emerged, including American Fuzzy Lop (AFL) and syzkaller, each with an impressive record of discovered bugs. These tools employ ever more sophisticated techniques to test software in increasingly efficient ways. However, their applicability to targets that require highly structured yet arbitrarily nuanced input data, such as interpreters, is questionable.
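To make the basic concept concrete, the following is a minimal sketch of such a "dumb" fuzzing loop; the target binary name ./target and its file-based input convention are hypothetical illustrations, not any particular fuzzer's interface.

```python
import os
import random
import subprocess
import tempfile

def fuzz_once(target="./target", max_len=4096):
    """Feed one random input to the target and report whether it crashed."""
    data = bytes(random.randrange(256) for _ in range(random.randrange(1, max_len)))
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        proc = subprocess.run([target, path], timeout=5,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        # A negative return code means the process was killed by a signal
        # (e.g. SIGSEGV), which is the kind of failure a fuzzer looks for.
        return proc.returncode < 0, data
    except subprocess.TimeoutExpired:
        return False, data
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for i in range(1000):
        crashed, data = fuzz_once()
        if crashed:
            print(f"iteration {i}: crash on {len(data)}-byte input")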
At the same time, interpreters often process untrusted input. This, coupled with their widespread use in web browsers, server-side applications, and mobile or low-power IoT devices, makes them a high-priority target for security research, especially considering their large codebases and high complexity.
In this research, we evaluate state-of-the-art approaches to finding vulnerabilities in modern interpreters and introduce the concept of synthesizing code from arbitrary input data. For this purpose, we treat the fuzzer's input as a serialization of an abstract syntax tree (AST) of a program, which we deserialize, emit in the form expected by the interpreter, and pass to it for execution. We will discuss our implementation of this idea in a project we call Fluff, and describe its integration with AFL, an open-source fuzzer.
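To illustrate the synthesis step, the sketch below shows one possible way to deserialize arbitrary bytes into an AST and emit JavaScript from it; the toy grammar, node kinds, and byte encoding here are our own illustrative assumptions, not Fluff's actual format.

```python
import itertools
import sys

# Hypothetical toy grammar: each node kind has a fixed arity and a
# template for rendering JavaScript source. Fluff's actual grammar and
# byte encoding are far richer; this merely illustrates the idea.
GRAMMAR = [
    ("literal", 0, lambda cur, _: str(next(cur) % 100)),
    ("add",     2, lambda cur, kids: f"({kids[0]} + {kids[1]})"),
    ("call",    1, lambda cur, kids: f"Math.abs({kids[0]})"),
    ("assign",  1, lambda cur, kids: f"(x = {kids[0]})"),
]

def emit(cursor, depth=0):
    """Interpret the next input byte as an AST node and render it as JS."""
    # Force a leaf (literal) beyond a fixed depth so every input terminates.
    idx = 0 if depth > 8 else next(cursor) % len(GRAMMAR)
    _, arity, render = GRAMMAR[idx]
    kids = [emit(cursor, depth + 1) for _ in range(arity)]
    return render(cursor, kids)

def synthesize(data: bytes) -> str:
    """Treat raw fuzzer input as a serialized AST and emit a JS program."""
    # Cycling over the bytes means inputs of any length decode to a
    # complete, syntactically valid tree.
    cursor = itertools.cycle(data or b"\x00")
    return "var x = 0; " + emit(cursor) + ";"

if __name__ == "__main__":
    # E.g. pipe an AFL-mutated file in and feed the output to a JS engine.
    print(synthesize(sys.stdin.buffer.read()))
```

Because every byte sequence decodes to some valid tree, the fuzzer's mutations of the raw input always reach the interpreter as syntactically well-formed code, which is what makes this style of synthesis suitable for coverage-guided fuzzing of interpreters.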
Although the design behind Fluff is generic and can be applied to any programming language, our research focused on testing JavaScript interpreters. We will discuss the issues discovered by Fluff: to date, it has identified over 25 issues across 5 different execution engines, of which 5 could result in arbitrary code execution and 17 cause denial of service. Finally, we will discuss the limitations and possible extensions of this approach, and present ideas for further research in this field.