I also added grammar-based mutation support to Jackalope (my black-box binary fuzzer).

For example, Domato, my grammar-based generational fuzzer, found over vulnerabilities in WebKit and numerous bugs in Jscript.

While generation-based fuzzing is still a good way to fuzz many targets, it was demonstrated that, for finding vulnerabilities in modern JavaScript engines, especially engines with JIT compilers, better results can be achieved with mutational, coverage-guided approaches.

Samuel is also the author of Fuzzilli, an open-source JavaScript engine fuzzer based on a custom intermediate language. Fuzzilli has found a large number of bugs in various JavaScript engines. While there has been a lot of development in coverage-guided fuzzers over the last few years, most of the public tooling focuses on open-source targets or software running on the Linux operating system. Meanwhile, I focused on developing tooling for fuzzing of closed-source binaries on operating systems where such software is prevalent (currently Windows and macOS).

Some years ago, I published WinAFL, the first performant AFL-based fuzzer for Windows. About a year and a half ago, however, I started working on a brand new toolset for black-box coverage-guided fuzzing. TinyInst and Jackalope are the two outcomes of this effort.

Of such engines, I know two: jscript and jscript9 (implemented in jscript. Of these two, jscript9 is probably more interesting in the context of mutational coverage-guided fuzzing since it includes a JIT compiler and more engine features. In 2020 there were two Internet Explorer 0days exploited in the wild and three in 2021 so far.

One of these vulnerabilities was in the JIT compiler of jscript9. Additionally, the techniques described here could be applied to any closed-source or even open-source software, not just Internet Explorer. In particular, mutational fuzzing described two sections down can be applied to targets other than JavaScript engines by simply changing the input grammar.
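As an added illustration of the two approaches contrasted above, the following Python is not code from Domato, Jackalope or this post; it uses a constructed toy grammar (a tiny JavaScript-like subset) and shows generation from a grammar next to grammar-based mutation, where one randomly chosen subtree of an existing sample is regenerated from the same nonterminal so the mutant still parses. Swapping `GRAMMAR` for another format is all it takes to retarget it, which is the point made in the paragraph above. All names (`generate`, `mutate`, `fuzz_round`, `regenerate_at`) are this example's own.

```python
import copy
import random

# Constructed toy grammar; not Domato's or Jackalope's grammar.
# Symbols written <like-this> are nonterminals, everything else is a literal.
GRAMMAR = {
    "<program>": [["<stmt>"], ["<stmt>", "\n", "<program>"]],
    "<stmt>": [
        ["var ", "<id>", " = ", "<expr>", ";"],
        ["<id>", ".", "<method>", "(", "<expr>", ");"],
    ],
    "<expr>": [["<num>"], ["<id>"], ["<expr>", " + ", "<expr>"], ["[", "<expr>", "]"]],
    "<id>": [["a"], ["b"], ["c"]],
    "<num>": [["0"], ["1"], ["0x7fffffff"]],
    "<method>": [["push"], ["pop"]],
}


def is_nonterminal(symbol):
    return symbol in GRAMMAR


class Node:
    """Derivation-tree node: nonterminals carry children, terminals are leaves."""

    def __init__(self, symbol, children=None):
        self.symbol = symbol
        self.children = children if children is not None else []

    def render(self):
        """Concatenate the leaves to obtain the sample text."""
        if not is_nonterminal(self.symbol):
            return self.symbol
        return "".join(child.render() for child in self.children)

    def nonterminal_nodes(self):
        """All nonterminal nodes of the subtree, including self, in pre-order."""
        if not is_nonterminal(self.symbol):
            return []
        found = [self]
        for child in self.children:
            found.extend(child.nonterminal_nodes())
        return found


def generate(symbol, rng, max_depth=6, depth=0):
    """Generation-based fuzzing: expand `symbol` into a random derivation tree.

    Beyond max_depth the production with the fewest nonterminals is chosen so
    that recursive rules (<expr> + <expr>, <program>) are forced to terminate.
    """
    if not is_nonterminal(symbol):
        return Node(symbol)
    productions = GRAMMAR[symbol]
    if depth >= max_depth:
        production = min(productions, key=lambda p: sum(is_nonterminal(s) for s in p))
    else:
        production = rng.choice(productions)
    return Node(symbol, [generate(s, rng, max_depth, depth + 1) for s in production])


def mutate(tree, rng, max_depth=4):
    """Grammar-based mutation: regenerate one randomly chosen subtree.

    The replacement derives the same nonterminal, so the mutant is still a
    sentence of the grammar instead of being rejected by the target's parser.
    """
    mutated = copy.deepcopy(tree)
    target = rng.choice(mutated.nonterminal_nodes())
    target.children = generate(target.symbol, rng, max_depth).children
    return mutated


def regenerate_at(tree, path, replacement):
    """Deterministic variant of mutate(): swap the subtree at `path` (child
    indices from the root) for `replacement`, which must derive the same
    nonterminal. Returns a new tree; `tree` is left untouched."""
    mutated = copy.deepcopy(tree)
    target = mutated
    for index in path:
        target = target.children[index]
    if target.symbol != replacement.symbol:
        raise ValueError("replacement must derive %s" % target.symbol)
    target.children = replacement.children
    return mutated


def is_valid(tree):
    """Check that every expansion in the tree is a production of GRAMMAR."""
    if not is_nonterminal(tree.symbol):
        return not tree.children
    child_symbols = [c.symbol for c in tree.children]
    return child_symbols in GRAMMAR[tree.symbol] and all(is_valid(c) for c in tree.children)


def fuzz_round(seed, n_mutants=3):
    """Generate one seed sample and derive n_mutants grammar-valid mutants from it."""
    rng = random.Random(seed)
    seed_tree = generate("<program>", rng)
    return seed_tree, [mutate(seed_tree, rng) for _ in range(n_mutants)]


if __name__ == "__main__":
    seed_tree, mutants = fuzz_round(2021)
    print("seed:\n" + seed_tree.render())
    for i, m in enumerate(mutants):
        print("--- mutant %d ---\n%s" % (i, m.render()))
```

In a real coverage-guided loop the corpus would store the derivation trees (not just the rendered text) so that mutants can be derived from them, and a mutant that reaches new coverage would be added back to the corpus.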

Fuzzilli, as said above, is a state-of-the-art JavaScript engine fuzzer and TinyInst is a dynamic instrumentation library. Although TinyInst is general-purpose and could be used in other applications, it comes with various features useful for fuzzing, such as out-of-the-box support for persistent fuzzing, various types of coverage instrumentations etc.

TinyInst is meant to be simple to integrate with other software, in particular fuzzers, and has already been integrated with fuzzers.

However, there were still various challenges to overcome for different reasons:

Challenge 1: Getting Fuzzilli to build on Windows where our targets are. Fuzzilli was written in Swift and the support for Swift on Windows is currently not great. Fortunately, CMake and Ninja support Swift, so the solution to this problem is to switch to the CMake build system.
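As an added, minimal illustration of the build-system switch described above (not Fuzzilli's own CMakeLists.txt), the following shows what a CMake project that compiles Swift sources looks like. The project name and source paths are placeholders; the check for the Ninja generator reflects the fact that CMake's Swift support is tied to Ninja.

```cmake
cmake_minimum_required(VERSION 3.15)

# CMake builds Swift only with the Ninja generator; fail early with a clear
# message instead of a confusing error later in the configure step.
if(NOT CMAKE_GENERATOR MATCHES "Ninja")
  message(FATAL_ERROR "Swift targets require Ninja: run cmake -G Ninja <source-dir>")
endif()

# Placeholder project name; enabling the Swift language is what makes
# CMake drive swiftc for the sources listed below.
project(SwiftFuzzerExample LANGUAGES Swift)

# Placeholder source files; Swift sources of one target are compiled
# together into a single module.
add_executable(SwiftFuzzerExample
  Sources/main.swift
  Sources/Mutator.swift)
```

Configure and build with `cmake -G Ninja -B build` followed by `cmake --build build`, with a Swift toolchain on PATH.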
