
Fuzzing [POC 2024] Fuzzing for complex bugs across languages in JavaScript Engines

weaver

Description
The fuzzing of Wasm is not a new concept. Since Wasm is a binary format, it's relatively easy to employ a modern binary fuzzer like AFL++ to create modules and subsequently invoke them. However, this approach has limitations. Wasm modules can be utilized in more intricate contexts within web applications, typically collaborating with JavaScript code to accomplish more complex tasks. Linking and combining modules is possible, but it often requires the developer or fuzzer to possess in-depth knowledge of the modules involved.

To address this challenge, we extended Fuzzilli's intermediate language to include instructions that describe Wasm modules. This allows us to comprehensively track and infer the module and its associated data. By doing so, we open up new possibilities for fuzzing. It becomes feasible to combine JavaScript and Wasm code within a single fuzz test case, enabling cross-language type tracking and inference. These test cases exhibit more intricate behavior and, when combined with Fuzzilli's templating capabilities, facilitate the generation of complex and compelling test cases. We will look at some advanced browser fuzzing and some of the exciting test cases and bugs this has found in V8.
Slides: https://powerofcommunity.net/poc202...gs across languages in JavaScript Engines.pdf
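To make the "JavaScript plus Wasm in one test case" idea concrete, here is an added example (not code from the talk, from Fuzzilli, or from the poster): a hand-written emitter that builds a Wasm module byte by byte, links it against a JavaScript import, and then drives the exported function with JavaScript values so the i32 coercion at the language boundary is visible. This is the shape of test case the abstract describes, written out by hand; the helper names (`uleb`, `vec`, `section`, `buildModule`, `runCase`), the `env.log` import, and the sample argument pairs are all assumptions of this example, not Fuzzilli's IL or API.

```javascript
// Added example: a minimal Wasm module emitter plus the JS glue that links and
// drives it. Not from the talk or from Fuzzilli; all names here are assumptions.

const I32 = 0x7f;
const SECTION = { TYPE: 1, IMPORT: 2, FUNCTION: 3, EXPORT: 7, CODE: 10 };

// Unsigned LEB128, the integer encoding used throughout the Wasm binary format.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// A vector is a LEB128 element count followed by the concatenated elements.
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

// A name is a vector of UTF-8 bytes.
function name(s) {
  const b = [...new TextEncoder().encode(s)];
  return [...uleb(b.length), ...b];
}

// A section is its id, the payload size, then the payload.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// Builds the equivalent of:
//   (import "env" "log" (func (param i32)))
//   (func (export "add") (param i32 i32) (result i32) (local i32)
//     local.get 0  local.get 1  i32.add  local.tee 2  call $log  local.get 2)
function buildModule() {
  const funcType = (params, results) =>
    [0x60, ...vec(params.map((t) => [t])), ...vec(results.map((t) => [t]))];

  const body = [
    ...vec([[1, I32]]), // one extra i32 local (index 2, after the two params)
    0x20, 0x00,         // local.get 0
    0x20, 0x01,         // local.get 1
    0x6a,               // i32.add
    0x22, 0x02,         // local.tee 2
    0x10, 0x00,         // call 0 (the imported env.log)
    0x20, 0x02,         // local.get 2
    0x0b,               // end
  ];

  const bytes = [
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic "\0asm" + version 1
    ...section(SECTION.TYPE, vec([
      funcType([I32], []),         // type 0: (i32) -> ()
      funcType([I32, I32], [I32]), // type 1: (i32, i32) -> i32
    ])),
    ...section(SECTION.IMPORT, vec([
      [...name("env"), ...name("log"), 0x00, ...uleb(0)], // func import of type 0
    ])),
    ...section(SECTION.FUNCTION, vec([[...uleb(1)]])), // the defined func has type 1
    ...section(SECTION.EXPORT, vec([
      [...name("add"), 0x00, ...uleb(1)], // func index 1: imports come first
    ])),
    ...section(SECTION.CODE, vec([[...uleb(body.length), ...body]])),
  ];
  return new Uint8Array(bytes);
}

// JS side of the test case: link the module to a JS import and call the export
// with arbitrary JS values. Everything crossing the boundary goes through ToInt32.
function runCase(argPairs) {
  const logged = [];
  const imports = { env: { log: (v) => { logged.push(v); } } };
  const instance = new WebAssembly.Instance(
    new WebAssembly.Module(buildModule()), imports);
  const results = argPairs.map(([a, b]) => instance.exports.add(a, b));
  return { results, logged };
}

// Constructed sample inputs: a plain sum, an i32 overflow, and non-integer JS values.
const SAMPLE_ARGS = [[1, 2], [2 ** 31 - 1, 1], ["4", 1.9]];

function demo() {
  return runCase(SAMPLE_ARGS);
}
```

Running `demo()` returns `results` of `[3, -2147483648, 5]` and the same three values in `logged`: the second pair wraps because `i32.add` is modular, and the third shows `"4"` and `1.9` being coerced to `4` and `1` before the call. A generated test case from the talk's approach differs from this in that the module layout, the import/export signatures and the JS calls are all chosen by the fuzzer with the types tracked across the boundary, rather than fixed by hand.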