[addtool] Fuzzilli

[gwen001]

[tags]fuzzing,javascript[/tags] [short_descr]A JavaScript Engine Fuzzer.[/short_descr] [link] https://github.com/googleprojectzero/fuzzilli [/link] [long_descr] A (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language ("FuzzIL") which can be mutated and translated to JavaScript.

When fuzzing for core interpreter bugs, e.g. in JIT compilers, semantic correctness of generated programs becomes a concern. This is in contrast to most other scenarios, e.g. fuzzing of runtime APIs, in which case semantic correctness can easily be worked around by wrapping the generated code in try-catch constructs. There are different possibilities to achieve an acceptable rate of semantically correct samples, one of them being a mutational approach in which all samples in the corpus are also semantically valid. In that case, each mutation only has a small chance of turning a valid sample into an invalid one.

FuzzIL has a number of properties:

• A FuzzIL program is simply a list of instructions.
• A FuzzIL instruction is an operation together with input and output variables and potentially one or more parameters (enclosed in single quotes in the notation above).
• Inputs to instructions are always variables, there are no immediate values.
• Every output of an instruction is a new variable, and existing variables can only be reassigned through dedicated operations such as the Reassign instruction.
• Every variable is defined before it is used. [/long_descr] [image] https://raw.githubusercontent.com/gwen001/offsectools_www/main/tmp/24ddd476e56c6a7bed537761c0b2f76e.png [/image]

[gwen001]

Issue correctly handled, tool is waiting for human validation.

[gwen001]

Tool has been accepted by the team: https://offsec.tools/tool/fuzzilli

Thank you for your contribution!