Browser fuzzing by scheduled mutation and generation of document object models

Ying Dar Lin, Feng Ze Liao, Shih Kun Huang, Yuan Cheng Lai

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

Internet applications have made our daily life fruitful. However, they also cause many security problems if these applications are leveraged by intruders. Thus, it is important to find and fix vulnerabilities timely to prevent application vulnerabilities from being exploited. Fuzz testing is a popular methodology that effectively finds vulnerabilities in application programs with seed input mutation. However, it is not a satisfied solution for the web browsers. In this work, we propose a solution, called scheduled DOM fuzzing (SDF), which integrates several related browser fuzzing tools and the fuzzing framework called BFF. To explore more crash possibilities, we revise the browser fuzzing architecture and schedule seed input selection and mutation dynamically. We also propose two probability computing methods in scheduling mechanism which tries to improve the performance by determining which combinations of seed and mutation would produce more crashes. Our experiments show that SDF is 2.27 time more efficient in terms of the number of crashes and vulnerabilities found at most. SDF also has the capacity for finding 23 exploitable crashes in Windows 7 within five days. The experimental results reveals that a good scheduling method for seed and mutations in browser fuzzing is able to find more exploitable crashes than fuzzers with the fixed seed input.

Original languageEnglish
Title of host publicationICCST 2015 - The 49th Annual IEEE International Carnahan Conference on Security Technology
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)9781479986910
DOIs
StatePublished - 21 Jan 2016
Event49th Annual IEEE International Carnahan Conference on Security Technology, ICCST 2015 - Taipei, Taiwan
Duration: 21 Sep 201524 Sep 2015

Publication series

NameProceedings - International Carnahan Conference on Security Technology
Volume2015-January
ISSN (Print)1071-6572

Conference

Conference49th Annual IEEE International Carnahan Conference on Security Technology, ICCST 2015
CountryTaiwan
CityTaipei
Period21/09/1524/09/15

Keywords

  • black-box fuzzing
  • browser fuzzing
  • document object model
  • DOM
  • exploits
  • mutation
  • scheduling
  • vulnerabilities

Fingerprint Dive into the research topics of 'Browser fuzzing by scheduled mutation and generation of document object models'. Together they form a unique fingerprint.

  • Cite this

    Lin, Y. D., Liao, F. Z., Huang, S. K., & Lai, Y. C. (2016). Browser fuzzing by scheduled mutation and generation of document object models. In ICCST 2015 - The 49th Annual IEEE International Carnahan Conference on Security Technology [7389677] (Proceedings - International Carnahan Conference on Security Technology; Vol. 2015-January). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CCST.2015.7389677