Minerva: browser API fuzzing with dynamic mod-ref analysis
Chijin Zhou, Quan Zhang, Mingzhe Wang, Lihua Guo, Jie Liang, Zhe Liu, Mathias Payer, Yu Jiang
2022Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering18 citationsDOIOpen Access PDF
Abstract
Browser APIs are essential to the modern web experience. Due to their large number and complexity, they vastly expand the attack surface of browsers. To detect vulnerabilities in these APIs, fuzzers generate test cases with a large amount of random API invocations. However, the massive search space formed by arbitrary API combinations hinders their effectiveness: since randomly-picked API invocations unlikely interfere with each other (i.e., compute on partially shared data), few interesting API interactions are explored. Consequently, reducing the search space by revealing inter-API relations is a major challenge in browser fuzzing.
Topics & Concepts
Fuzz testingComputer scienceWeb browserProgramming languageWorld Wide WebThe InternetSoftwareAdvanced Malware Detection TechniquesSoftware Testing and Debugging TechniquesWeb Application Security Vulnerabilities