
DOI: 10.5555/3620237.3620343

GLeeFuzz: fuzzing WebGL through error message guided mutation

Published: 09 August 2023

Abstract

WebGL is a set of standardized JavaScript APIs for GPU-accelerated graphics. Security of the WebGL interface is paramount because it exposes remote, unsandboxed access to the underlying graphics stack in the host OS, including the native GL libraries and the GPU drivers. Unfortunately, applying state-of-the-art fuzzing techniques to the WebGL interface for vulnerability discovery is challenging because of (1) its huge input state space and (2) the infeasibility of collecting code coverage across concurrent processes, closed-source libraries, and device drivers in the kernel.
Our fuzzing technique, GLeeFuzz, guides input mutation by error messages instead of code coverage. Our key observation is that browsers emit meaningful error messages to help developers debug their WebGL programs. An error message indicates which part of the input failed (e.g., incomplete arguments, invalid arguments, or unsatisfied dependencies between API calls). Using error messages as feedback, the fuzzer expands coverage by focusing mutation on the erroneous parts of the input. We analyze Chrome's WebGL implementation to identify the dependencies between error-emitting statements and the rejected parts of the input, and use this information to guide mutation. We evaluate our GLeeFuzz prototype on Chrome, Firefox, and Safari on diverse desktop and mobile OSes. We discovered 7 vulnerabilities: 4 in Chrome, 2 in Safari, and 1 in Firefox. The Chrome vulnerabilities allow a remote attacker to freeze the GPU and possibly execute remote code with the browser's privileges.
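The feedback loop the abstract describes, as an added example that is not code from the GLeeFuzz paper or from any browser. A constructed validator stands in for the browser and emits messages shaped like Chrome's WebGL console errors ("ERROR_TYPE: function: detail"); the mutator parses each message, locates the rejected call by replaying growing prefixes of the input, and applies the mutation that a hand-written error-to-input dependency table associates with that message. Every call name, enum, message and the seed sequence below is constructed for the example; the paper itself derives its dependency table from an analysis of Chrome's WebGL implementation rather than by hand.

```javascript
'use strict';
// Added example, not code from the GLeeFuzz paper or from any browser: a
// minimal error-message-guided mutation loop over a WebGL-like call sequence.
// The browser is replaced by a constructed validator that imitates the
// "ERROR_TYPE: function: detail" shape of Chrome's WebGL console messages for
// a handful of checks. Every message, enum and call below is constructed.

const TEXTURE_TARGETS = ['TEXTURE_2D', 'TEXTURE_CUBE_MAP'];

// Constructed stand-in for the browser: replays the call sequence against a
// tiny state machine and returns the first error message, or null if the
// whole sequence is accepted. Like a real browser, it reports no call index.
function validate(program) {
  let textureBound = false;
  let programInUse = false;
  for (const { fn, args } of program) {
    if (fn === 'bindTexture') {
      if (!TEXTURE_TARGETS.includes(args[0])) return 'INVALID_ENUM: bindTexture: invalid target';
      textureBound = true;
    } else if (fn === 'texImage2D') {
      if (!textureBound) return 'INVALID_OPERATION: texImage2D: no texture bound to target';
      if (args[1] < 0 || args[2] < 0) return 'INVALID_VALUE: texImage2D: width or height < 0';
    } else if (fn === 'useProgram') {
      programInUse = true;
    } else if (fn === 'drawArrays') {
      if (!programInUse) return 'INVALID_OPERATION: drawArrays: no valid shader program in use';
      if (args[1] < 0 || args[2] < 0) return 'INVALID_VALUE: drawArrays: first or count < 0';
    }
  }
  return null;
}

// Split "TYPE: fn: detail" into its parts; null if the message has another shape.
function parseError(msg) {
  const m = /^(INVALID_\w+): (\w+): (.*)$/.exec(msg);
  return m ? { type: m[1], fn: m[2], detail: m[3] } : null;
}

// The message names the function but not which call in the sequence failed.
// Replay growing prefixes: the shortest prefix that reproduces the message
// ends at the failing call.
function locateFailingCall(program, msg) {
  for (let k = 1; k <= program.length; k++) {
    if (validate(program.slice(0, k)) === msg) return k - 1;
  }
  return -1;
}

// Error-to-input dependency table: which part of the input each message
// rejects and how to mutate it. GLeeFuzz extracts such dependencies from
// Chrome's implementation; this table is hand-written against the constructed validator.
const MUTATIONS = [
  { when: e => e.fn === 'bindTexture' && /invalid target/.test(e.detail),        // one bad enum argument
    apply: (prog, i) => { prog[i].args[0] = TEXTURE_TARGETS[0]; } },
  { when: e => /no texture bound/.test(e.detail),                                 // unsatisfied dependency
    apply: (prog, i) => { prog.splice(i, 0, { fn: 'bindTexture', args: ['TEXTURE_2D', 'tex0'] }); } },
  { when: e => /no valid shader program/.test(e.detail),                          // unsatisfied dependency
    apply: (prog, i) => { prog.splice(i, 0, { fn: 'useProgram', args: ['prog0'] }); } },
  { when: e => e.type === 'INVALID_VALUE' && /< 0/.test(e.detail),               // out-of-range value
    apply: (prog, i) => { prog[i].args = prog[i].args.map(a => (typeof a === 'number' && a < 0 ? -a : a)); } },
];

// Feedback loop: run, read the error, mutate only the rejected part, repeat.
// Distinct error messages stand in for the coverage signal a coverage-guided
// fuzzer would use.
function errorGuidedMutate(seed, maxSteps = 16) {
  const program = seed.map(c => ({ fn: c.fn, args: [...c.args] }));
  const seenErrors = new Set();
  const trace = [];
  for (let step = 0; step < maxSteps; step++) {
    const msg = validate(program);
    if (msg === null) return { program, seenErrors, trace, accepted: true };
    seenErrors.add(msg);
    const err = parseError(msg);
    const idx = err ? locateFailingCall(program, msg) : -1;
    const mutation = err ? MUTATIONS.find(m => m.when(err)) : undefined;
    if (idx < 0 || !mutation) break;   // unrecognised message: give up on this input
    trace.push(`${msg} -> mutate call ${idx} (${program[idx].fn})`);
    mutation.apply(program, idx);
  }
  return { program, seenErrors, trace, accepted: false };
}

// Constructed seed: three calls, each wrong in a different way.
const SEED = [
  { fn: 'bindTexture', args: ['TEXTURE_RECTANGLE', 'tex0'] },   // desktop GL enum, not a WebGL target
  { fn: 'texImage2D', args: ['TEXTURE_2D', -4, 4, 'pixels'] },  // negative width
  { fn: 'drawArrays', args: ['TRIANGLES', 0, -3] },             // no program in use, negative count
];

const result = errorGuidedMutate(SEED);
for (const line of result.trace) console.log(line);
console.log(result.accepted ? `accepted after ${result.trace.length} mutations` : 'stuck');
```

Against a real browser the validator is replaced by a harness that drives the page and reads the console, and the dependency table is far larger, but the loop is the same: each message tells the fuzzer which argument or missing prerequisite to work on, so the sequence reaches the deeper code behind the validation checks in a handful of steps instead of by blind mutation. Note that reaching accepted inputs is the coverage side of the technique only; crashes and GPU hangs are still detected by a separate oracle on the browser process.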



Published In

SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN:978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
