cispa_all_3773.pdf (703.4 kB)

Jit-Picking: Differential Fuzzing of JavaScript Engines

Download (703.4 kB)
conference contribution
posted on 2023-11-29, 18:22 authored by Lukas BernhardLukas Bernhard, Tobias ScharnowskiTobias Scharnowski, Moritz SchloegelMoritz Schloegel, Tim Blazytko, Thorsten HolzThorsten Holz
Modern JavaScript engines that power websites and even full applications on the Web are driven by the need for an increasingly fast and snappy user experience. These engines use several complex and potentially error-prone mechanisms to optimize their performance. Unsurprisingly, the inevitable complexity results in a huge attack surface and various types of software vulnerabilities. On the defender’s side, fuzz testing has proven to be an invaluable tool for uncovering different kinds of memory safety violations. Although it is difficult to test interpreters and JIT compilers in an automated way, recent proposals for input generation based on grammars or target-specific intermediate representations helped uncovering many software faults. However, subtle logic bugs and miscomputations that arise from optimization passes in JIT engines continue to elude state-of-the-art testing methods. While such flaws might seem unremarkable at first glance, they are often still exploitable in practice. In this paper, we propose a novel technique for effectively uncovering this class of subtle bugs during fuzzing. The key idea is to take advantage of the tight coupling between a JavaScript engine’s interpreter and its corresponding JIT compiler as a domain-specific and generic bug oracle, which in turn yields a highly sensitive fault detection mechanism. We have designed and implemented a prototype of the proposed approach in a tool called Jit-Picker. In an empirical evaluation, we show that our method enables us to detect subtle software faults that prior work missed. In total, we uncovered 32 bugs that were not publicly known and received a $10.000 bug bounty from Mozilla as a reward for our contributions to JIT engine security.


Preferred Citation

Lukas Bernhard, Tobias Scharnowski, Moritz Schloegel, Tim Blazytko and Thorsten Holz. Jit-Picking: Differential Fuzzing of JavaScript Engines. In: ACM Conference on Computer and Communications Security (CCS). 2022.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

ACM Conference on Computer and Communications Security (CCS)

Legacy Posted Date


Open Access Type

  • Green


@inproceedings{cispa_all_3773, title = "Jit-Picking: Differential Fuzzing of JavaScript Engines", author = "Bernhard, Lukas and Scharnowski, Tobias and Schloegel, Moritz and Blazytko, Tim and Holz, Thorsten", booktitle="{ACM Conference on Computer and Communications Security (CCS)}", year="2022", }

Usage metrics


    No categories selected


    Ref. manager