Friday, August 10th, 2007
Getting Fuzzy with jsfunfuzz
Jesse Ruderman has released jsfunfuzz, a fuzz tester that hunts for edge cases that can break things.
It tests the JavaScript language engine itself, not the DOM. (That means that it works with language features such as functions, objects, operators, and garbage collection, rather than DOM objects accessed through “window” or “document”.)
It has found about 280 bugs in Firefox’s JavaScript engine, over two-thirds of which have already been fixed (go Brendan!). About two dozen were memory safety bugs that we believe were likely to be exploitable to run arbitrary code.
John Resig added:
jsfunfuzz has explicit knowledge of how JS is parsed and interpreted, so it’s able to make educated guesses at how to write code that will break a browser. Because of this, over 280 bugs have been found in Mozilla thus far, with about 2 dozen of them being exploitable.
This aspect of the utility has been making some significant news lately, when it was announced at the Blackhat conference. Tons of examples of the result of this work can be found in the jsfunfuzz ticket.
Here’s one statement, for example, that jsfunfuzz generated that was able to produce a security exploit in Mozilla:
js> this.x setter= new Function; this.watch('x', function(){}); gc(); x = {}; before 9232, after 9232, break 01205000 Bus error
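To make the two descriptions above concrete (a fuzzer that targets the language engine rather than the DOM, and one that carries "explicit knowledge of how JS is parsed and interpreted"), here is a miniature grammar-driven fuzzer written for this post as an added illustration. It is not jsfunfuzz and not code from Jesse, John, or any commenter; the function names (genExpr, genStmt, runCase, fuzz) and the toy grammar are my own choices. It generates random statements from a small grammar that knows about operators, calls, property access, delete/typeof, closures, setters and allocation, runs each candidate through the engine it is itself running on via new Function, and separates parser rejections from runtime exceptions from clean runs. Everything is seeded so that any interesting candidate can be regenerated from its seed and index.

```javascript
'use strict';

// Small deterministic PRNG (mulberry32) so any run can be replayed from its seed;
// a crash you cannot reproduce is not a bug report.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function pick(rng, choices) {
  return choices[Math.floor(rng() * choices.length)];
}

// Expression grammar (illustrative, not jsfunfuzz's). The alternatives encode what
// the fuzzer "knows" about the language: operators, calls, property access,
// delete/typeof, closures, literals. Generated programs receive three parameters,
// x (scratch value), o (an object) and f (a function), so every leaf is defined.
function genExpr(rng, depth) {
  if (depth <= 0) {
    return pick(rng, ['x', 'o', 'f', '1', '"s"', 'undefined', '{}', '[]']);
  }
  const d = depth - 1;
  return pick(rng, [
    () => genExpr(rng, d) + ' ' + pick(rng, ['+', '-', '*', '==', '===', 'in', 'instanceof']) + ' ' + genExpr(rng, d),
    () => 'f(' + genExpr(rng, d) + ')',
    () => 'o.' + pick(rng, ['x', 'y', 'toString', 'valueOf']),
    () => 'delete ' + genExpr(rng, d),
    () => 'typeof ' + genExpr(rng, d),
    () => '(function () { return ' + genExpr(rng, d) + '; })()',
    () => '[' + genExpr(rng, d) + ', ' + genExpr(rng, d) + ']',
  ])();
}

// Statement grammar: assignments, a setter installed on o (the crash quoted above
// involved a setter plus a watchpoint), exception plumbing, and a loop that
// allocates garbage so the collector has work to do in the middle of a program.
function genStmt(rng, depth) {
  return pick(rng, [
    () => 'x = ' + genExpr(rng, depth) + ';',
    () => 'o = ' + genExpr(rng, depth) + ';',
    () => 'Object.defineProperty(o, "x", { set: function (v) { x = v; }, configurable: true });',
    () => 'try { ' + genExpr(rng, depth) + '; } catch (e) { x = e; }',
    () => 'for (var i = 0; i < 1000; i++) o = { x: o, y: i };',
    () => 'return ' + genExpr(rng, depth) + ';',
  ])();
}

// Compile and run one candidate, distinguishing "the parser rejected it" from
// "it ran and threw" from "it ran". A grammar that is only mostly right produces
// some syntax errors (e.g. a leading {} parsed as a block), and those must not
// be confused with engine failures. new Function bodies are sloppy-mode, which
// is the larger surface and therefore what we want to exercise.
function runCase(body) {
  let fn;
  try {
    fn = new Function('x', 'o', 'f', body);
  } catch (e) {
    return { kind: 'syntax', name: e.name };
  }
  try {
    fn(0, { x: 1, y: 2 }, function (v) { return v; });
    return { kind: 'ok' };
  } catch (e) {
    return { kind: 'exception', name: e.name };
  }
}

// In-process we can only observe exceptions. A memory-safety bug in the engine
// shows up as a signal (the "Bus error" quoted above) that kills the process, so
// a real harness runs each candidate in a child process and records the seed and
// index of any candidate whose process dies. Here "findings" are exception types
// that are not ordinary language errors, the closest in-process approximation.
const ORDINARY = /^(TypeError|RangeError|ReferenceError|SyntaxError)$/;

function fuzz(seed, count, depth) {
  const rng = makeRng(seed);
  const tally = { ok: 0, syntax: 0, exception: 0 };
  const findings = [];
  for (let i = 0; i < count; i++) {
    const body = [genStmt(rng, depth), genStmt(rng, depth), genStmt(rng, depth)].join('\n');
    const r = runCase(body);
    tally[r.kind] += 1;
    if (r.kind === 'exception' && !ORDINARY.test(r.name)) {
      findings.push({ seed, index: i, name: r.name, body });
    }
  }
  return { tally, findings };
}

// Usage: node fuzz.js [seed]
if (typeof require !== 'undefined' && require.main === module) {
  const seed = Number(process.argv[2] || 1);
  const result = fuzz(seed, 2000, 3);
  console.log('seed', seed, result.tally, 'findings:', result.findings.length);
}
```

The design point is the split between generation and execution: the grammar is where engine knowledge lives (which is why jsfunfuzz finds bugs a byte-flipping fuzzer never reaches), while the runner's only job is to classify outcomes and keep enough state (seed, index) to regenerate any candidate. On a healthy engine every run ends in ok, syntax or an ordinary exception; anything else, or a dead child process, is the signal worth a bug report.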
Seems Opera is already using it to iron out bugs in their browser. It wouldn’t surprise me if the WebKit / KHTML teams give it a spin or two and correct some of their bugs as well.
Anyone willing to bet on how long it’ll take MS to release a new IE, without bugs found by jsfunfuzz?
Microsoft will reimplement jsfunfuzz on the .NET 7 platform, to be released in 2011. Only then will they begin to test IE7 using it.
I’ve had it up and running on Konqueror (it required some changes) and have made my patched version available to the KHTML folk, so I’d imagine so. KJS is reasonably unbuggy from what I’ve seen, only 4 distinct crashes from it.