Friday, August 10th, 2007

Getting Fuzzy with jsfunfuzz

Category: JavaScript, Utility

Jesse Ruderman has released jsfunfuzz, a fuzz tester for JavaScript engines that generates odd but mostly valid programs and hunts for the edge cases that break the engine.

It tests the JavaScript language engine itself, not the DOM. (That means that it works with language features such as functions, objects, operators, garbage collection rather than DOM objects accessed through “window” or “document”.)

It has found about 280 bugs in Firefox’s JavaScript engine, over two-thirds of which have already been fixed (go Brendan!). About two dozen were memory safety bugs that we believe were likely to be exploitable to run arbitrary code.

John Resig added:

jsfunfuzz has explicit knowledge of how JS is parsed and interpreted, so it’s able to make educated guesses at how to write code that will break a browser. Because of this, over 280 bugs have been found in Mozilla thus far, with about 2 dozen of them being exploitable.

This aspect of the utility has been making some significant news lately, when it was announced at the Blackhat conference. Tons of examples of the result of this work can be found in the jsfunfuzz ticket.

Here is one statement, for example, that jsfunfuzz generated and that crashes Mozilla's JavaScript shell (the js> prompt below). A bus error like this is a memory-safety failure, the class of bug behind the "exploitable" count above, as opposed to an ordinary JavaScript exception:

js> this.x setter= new Function;'x',
  function(){}); gc(); x = {};
before 9232, after 9232, break 01205000
Bus error
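To make the idea concrete, here is an added example of what "explicit knowledge of how JS is parsed and interpreted" looks like in a fuzzer. It is not jsfunfuzz's code and not from Mozilla; the grammar, the variable names (x, y, o), the function names and the harness are my own constructions. A miniature grammar-driven generator builds programs from productions that describe real language features (getter/setter properties, closures, prototype changes, property deletion, odd arithmetic, a gc() call, which exists as a builtin in the SpiderMonkey shell and in node --expose-gc), then runs each case twice: in-process, where an engine exception is caught and counted, and out-of-process, where a dead child and its signal are the evidence of a crash like the bus error quoted above.

```javascript
// Added example, not jsfunfuzz itself: a tiny grammar-driven JavaScript fuzzer.
// Names, grammar and harness are my own choices; gc() is only present in the
// SpiderMonkey shell or under node --expose-gc, so it is called conditionally.

// mulberry32, a small seeded PRNG: any case can be regenerated from its seed.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function pick(rng, items) { return items[Math.floor(rng() * items.length)]; }

const VARS = ["x", "y", "o"];   // declared by the program preamble
const LEAVES = ["x", "y", "o", "0", "1", "0.5", "NaN", '"s"', "null", "undefined", "[]", "({})", "arguments"];
const BINOPS = ["+", "-", "*", "/", "%", "<<", ">>>", "<", "==", "===", "in", "instanceof"];
const UNOPS = ["-", "!", "~", "typeof ", "void "];

// Expressions. Every production is parenthesised so any nesting stays syntactically
// valid: failures should come from the engine, not from the fuzzer's own grammar.
function genExpr(rng, depth) {
  if (depth <= 0) return pick(rng, LEAVES);
  const d = depth - 1;
  switch (pick(rng, ["binop", "unop", "member", "call", "fn", "accessor", "array", "leaf"])) {
    case "binop":    return `(${genExpr(rng, d)} ${pick(rng, BINOPS)} ${genExpr(rng, d)})`;
    case "unop":     return `(${pick(rng, UNOPS)}(${genExpr(rng, d)}))`;
    case "member":   return `(${genExpr(rng, d)})[${genExpr(rng, d)}]`;
    case "call":     return `(${genExpr(rng, d)})(${genExpr(rng, d)})`;
    case "fn":       return `(function () { return ${genExpr(rng, d)}; })`;
    // A getter/setter pair: the feature class behind the setter crash quoted above.
    case "accessor": return `({ get p() { return ${genExpr(rng, d)}; }, set p(v) { this.q = v; }, q: ${genExpr(rng, d)} })`;
    case "array":    return `[${genExpr(rng, d)}, , ${genExpr(rng, d)}]`;
    default:         return pick(rng, LEAVES);
  }
}

// Statements. Loops are bounded and nothing can recurse without limit, so an
// in-process run cannot hang; a real harness still wants a timeout.
function genStmt(rng, depth) {
  const v = pick(rng, VARS);
  const d = depth - 1;
  const simple = ["assign", "prop", "delete", "gc"];
  const kinds = depth <= 0 ? simple : simple.concat(["define", "proto", "read", "loop", "try", "iife"]);
  switch (pick(rng, kinds)) {
    case "assign": return `${v} = ${genExpr(rng, depth)};`;
    case "prop":   return `${v}.p = ${genExpr(rng, depth)};`;
    case "delete": return `delete ${v}.p;`;
    case "gc":     return `if (typeof gc === "function") gc();`;
    case "define": return `Object.defineProperty(Object(${v}), "p", { get: function () { return ${genExpr(rng, d)}; }, set: function (val) { this.q = val; }, configurable: true });`;
    case "proto":  return `Object.setPrototypeOf(Object(${v}), ${genExpr(rng, d)});`;
    case "read":   return `${v} = Object(${v}).p;`;
    case "loop":   return `for (var i = 0; i < 3; i++) { ${genStmt(rng, d)} }`;
    case "try":    return `try { ${genStmt(rng, d)} } catch (e) { ${v} = e; }`;
    default:       return `(function () { ${genStmt(rng, d)} })();`;
  }
}

function generateProgram(rng, depth, stmtCount) {
  const lines = ['var x = 1, y = "s", o = {};'];
  for (let i = 0; i < stmtCount; i++) lines.push(genStmt(rng, depth));
  lines.push("return [typeof x, typeof y, typeof o].join();");
  return lines.join("\n");
}

// In-process run: compile first, then execute, so a grammar bug ("syntax") is kept
// apart from an engine-raised exception ("throw"). A real memory-safety bug takes
// the whole process down and is never observed here; see runInChildProcess.
function runCase(src) {
  let fn;
  try { fn = new Function(src); } catch (e) { return { status: "syntax", detail: String(e) }; }
  try { return { status: "ok", detail: String(fn()) }; }
  catch (e) { return { status: "throw", detail: e instanceof Error ? e.constructor.name : String(e) }; }
}

function fuzz(seed, count, depth) {
  const rng = makeRng(seed);
  const summary = { ok: 0, throw: 0, syntax: 0, rejected: [] };
  for (let i = 0; i < count; i++) {
    const src = generateProgram(rng, depth, 4);
    const result = runCase(src);
    summary[result.status] += 1;
    if (result.status === "syntax") summary.rejected.push({ src, result }); // fuzzer bug: fix the grammar
  }
  return summary;
}

// Out-of-process run (Node, CommonJS): the signal that killed the child is what
// separates a crash like the "Bus error" above from an ordinary uncaught exception.
function runInChildProcess(src) {
  const { spawnSync } = require("child_process");
  const r = spawnSync(process.execPath, ["--expose-gc", "-e", `(function () { ${src} })();`],
                      { encoding: "utf8", timeout: 5000 });
  if (r.error && r.error.code === "ETIMEDOUT") return { status: "hang", detail: "timeout" };
  if (r.signal) return { status: "crash", detail: r.signal };
  return { status: r.status === 0 ? "ok" : "throw", detail: (r.stderr || "").trim().split("\n")[0] };
}

if (typeof require !== "undefined" && require.main === module) {
  const s = fuzz(Number(process.argv[2] || 1), 500, 3);
  console.log(`seed=${process.argv[2] || 1} ok=${s.ok} throw=${s.throw} syntax=${s.syntax}`);
}
```

Run it as `node fuzz.js <seed>` to see the in-process tally; a case that needs investigating is re-run through runInChildProcess, where a "crash" result carrying SIGSEGV or SIGBUS is the analogue of the shell output quoted above, and the seed plus case index is all that is needed to regenerate it. The point of the grammar is visible in the tally: a generator that emitted random bytes would score almost entirely "syntax", and nothing past the parser would ever be tested.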

Posted by Dion Almaer at 1:51 am




Seems Opera is already using it to iron out bugs in their browser. It wouldn’t surprise me if the WebKit / KHTML teams give it a spin or two, and correct some of their bugs as well.

Anyone willing to bet on how long it’ll take MS to release a new IE, without bugs found by jsfunfuzz?

Comment by Morgan Roderick — August 10, 2007

Microsoft will reimplement jsfunfuzz on the .NET 7 platform, to be released in 2011. Only then will they begin to test IE7 using it.

Comment by Andy — August 10, 2007

I’ve had it up and running on Konqueror (it required some changes) and have made my patched version available to the KHTML folk, so I’d imagine so. KJS is reasonably unbuggy from what I’ve seen, only 4 distinct crashes from it.

Comment by Tim — August 15, 2007
