Comprehensive Browser Fuzzing: From DOM to JS
ZeroCon 2019.04
DOM Fuzzing
DOM engine
The old-school target
o Less popular
§ Exploit mitigations (e.g., isolated heaps)
§ Heavily tested
o Still a not-so-bad direction
§ Some DOM(-related) objects are not protected
§ Pwn2own 2018 Safari (mwrlabs)
§ DOM misuses JavaScript objects
§ Pwn2own 2018 Edge (fluorescence)
Domato – Google Project Zero [2017]
A generation-based approach
[Diagram: Fuzzer -- static grammar --> HTML --> Browser]
https://github.com/googleprojectzero/domato
Reproducibility: generated HTML files can always be re-tested.
Efficiency: asynchronous testcase generation and testing.
Quality?
[Chart: # valid API calls (no exception) / # total API calls]
“Most of the DOM API calls in an output of Domato operate on undefined.”
DOM fuzz revisited
[Diagram: State (DOM objects), described by XML/CSS: what to manipulate; Runtime (operations), described by JavaScript: how to manipulate; the two depend on each other]
Static grammar based fuzzers fail to describe this inter-dependence.
Example 1 (the bound object is stale: the buffer is deleted before it is bound)
var v0 = gl.createBuffer();
gl.deleteBuffer(v0);
gl.bindBuffer(gl.ARRAY_BUFFER, v0);  // v0 has already been deleted
Example 2 (nothing is bound when the data is uploaded)
var v0 = gl.createBuffer();
gl.bufferData(gl.ARRAY_BUFFER, 0x400, gl.STATIC_DRAW);  // no buffer is bound to ARRAY_BUFFER yet
gl.bindBuffer(gl.ARRAY_BUFFER, v0);
Emulation-based generation
[Diagram: the same State (XML/CSS: what to manipulate) / Runtime (JavaScript: how to manipulate) dependence]
Maintain the context during generation
o What should the states of the DOM objects be at runtime?
[Diagram: context of a WebGL buffer: bound? stale?]
Generate DOM API calls based on not only the grammar but also the context
[Diagram: context of a WebGL buffer (bound? stale?) says not to use gl.bufferData(gl.ARRAY_BUFFER, 0x400, gl.STATIC_DRAW); while no buffer is bound]
Update the context after each generation
o What is the (potential) side effect of the API (if it succeeds at runtime)?
[Diagram: WebGL buffer v0 tracked as isBound / isStale; gl.deleteBuffer(v0); updates isStale, which rules out a later gl.bindBuffer(gl.ARRAY_BUFFER, v0);]
[Diagram: XML/CSS, statically loaded, give context0; DOM API0 is generated from context0, emulated, and the context is updated to context1; DOM API1 is generated from context1 and gives context2; ...; the generated DOM APIs are executed at runtime]
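The following is an added example, not code from the talk or its fuzzer. It emulates the WebGL buffer context (bound? stale?) from the slides above for four API calls, generates call sequences either from the grammar alone or from grammar plus context, and replays each sequence to compute the valid-call ratio from the Domato slide. The validity rules, the PRNG and the variable naming are assumptions made for this example.

```javascript
// Added example (not code from the talk): emulation-based generation for a
// small subset of the WebGL buffer API, next to a grammar-only generator for
// the same subset. The WebGL state is emulated; no browser or GPU is involved.
// The validity rules below are assumptions made for this example.
function makeRng(seed) {  // small LCG so that a seed reproduces a testcase
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1103515245) + 12345) >>> 0) / 4294967296;
}
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];
const APIS = ['createBuffer', 'bindBuffer', 'bufferData', 'deleteBuffer'];

// Emulated context: one record per generated WebGLBuffer variable plus the
// current ARRAY_BUFFER binding.
class Context {
  constructor() { this.buffers = new Map(); this.bound = null; this.nextId = 0; }
  newVar() { return `v${this.nextId++}`; }
  all() { return [...this.buffers.keys()]; }
  live() { return this.all().filter((v) => !this.buffers.get(v).isStale); }
  // Assumed rule: a call is valid when it neither touches a deleted buffer nor
  // uploads data while nothing is bound (the situations of Examples 1 and 2).
  isValid(call) {
    const b = this.buffers.get(call.v);
    switch (call.api) {
      case 'createBuffer': return true;
      case 'bindBuffer':
      case 'deleteBuffer': return b !== undefined && !b.isStale;
      case 'bufferData': return this.bound !== null;
      default: return false;
    }
  }
  // Side effect of a call that succeeds at runtime ("emulate & update").
  apply(call) {
    const b = this.buffers.get(call.v);
    switch (call.api) {
      case 'createBuffer': this.buffers.set(call.v, { isStale: false, isBound: false }); break;
      case 'bindBuffer':
        if (this.bound !== null) this.buffers.get(this.bound).isBound = false;
        this.bound = call.v; b.isBound = true; break;
      case 'deleteBuffer':
        b.isStale = true;
        if (this.bound === call.v) { this.bound = null; b.isBound = false; }  // deleting unbinds
        break;
      default: break;  // bufferData changes no tracked state in this example
    }
  }
}

// Grammar-only generation: any API with any variable seen so far, no state check.
function grammarCall(rng, ctx) {
  const api = pick(rng, APIS);
  if (api === 'createBuffer' || (api !== 'bufferData' && ctx.all().length === 0)) {
    return { api: 'createBuffer', v: ctx.newVar() };
  }
  return api === 'bufferData' ? { api } : { api, v: pick(rng, ctx.all()) };
}

// Context-aware generation: only calls that are valid in the current context.
function contextCall(rng, ctx) {
  const candidates = [{ api: 'createBuffer' }];
  for (const v of ctx.live()) candidates.push({ api: 'bindBuffer', v }, { api: 'deleteBuffer', v });
  if (ctx.bound !== null) candidates.push({ api: 'bufferData' });
  const call = pick(rng, candidates);
  return call.api === 'createBuffer' ? { api: 'createBuffer', v: ctx.newVar() } : call;
}

function generate(rng, n, contextAware) {
  const ctx = new Context();
  const calls = [];
  for (let i = 0; i < n; i++) {
    const call = contextAware ? contextCall(rng, ctx) : grammarCall(rng, ctx);
    if (ctx.isValid(call)) ctx.apply(call);  // an invalid call fails at runtime: no side effect
    calls.push(call);
  }
  return calls;
}

// Render the call sequence as the JavaScript that would go into the testcase.
function render(calls) {
  return calls.map((c) => ({
    createBuffer: `var ${c.v} = gl.createBuffer();`,
    bindBuffer: `gl.bindBuffer(gl.ARRAY_BUFFER, ${c.v});`,
    deleteBuffer: `gl.deleteBuffer(${c.v});`,
    bufferData: 'gl.bufferData(gl.ARRAY_BUFFER, 0x400, gl.STATIC_DRAW);',
  })[c.api]);
}

// The measure from the Domato slide: valid calls / total calls, obtained by
// replaying the sequence against a fresh emulated context.
function validRatio(calls) {
  const ctx = new Context();
  let valid = 0;
  for (const c of calls) if (ctx.isValid(c)) { valid++; ctx.apply(c); }
  return valid / calls.length;
}

console.log(render(generate(makeRng(1), 10, true)).join('\n'));
```

Running it with the same seed for both generators shows the point of the slides: the context-aware sequence replays with a ratio of 1 (every call touches a live buffer or a bound target), while the grammar-only sequence contains calls that bind deleted buffers or upload data with nothing bound.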
Case 1: SVG
SVG: Scalable Vector Graphics
o XML-based markup language for describing graphic objects
o Runtime APIs to operate on the objects
SVG fuzzing template
[Diagram: template = XML + CSS (domato) + API calls]
Generate a (mostly) valid SVG XML
o No parsing error when being loaded
Building random XMLs
[Diagram: an element consists of a tag, an ID value, attributes, references, callbacks and a CSS style]
Recursive generation based on specification
<tag1 attr1=value1 attr2=value2>
  <tag2 attr1=value1 attr2=value2>
  </tag2>
</tag1>
[Diagram annotations: randomly selected child tags; randomly selected attributes; random attribute values]
Heuristics
o Different tags/attributes have different weights to be randomly selected
  § Appear more often in past bugs
  § Suspected to be more vulnerable through documentation study/source review
  § e.g., <animate>
Specification + context based generation
The context information to be maintained:
o SVG element status
  § live?
  § in XML (rendered)?
o Element tree
  § Parent element
  § Children elements
The first generated XML determines the starting context
Building random API calls
For a live SVG element,
o Invoke a method
[Figure: fuzzer output]
For a live SVG element,
o Access or update a property
[Figure: fuzzer output]
Manipulate the element hierarchy
o New elements may be created
[Figure: fuzzer output]
Heuristics
o Similarly, bias on suspicious APIs
  § e.g., time/animation-control APIs
  § (un)pauseAnimations
  § setCurrentTime
  § setTimeout
[Figure: fuzzer output]
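As an added example (not the talk's fuzzer), the following builds a tiny SVG fuzzing template the way the slides above describe: a recursive, specification-driven XML with weighted tag selection, a context recording each element's tree position and whether it is still in the rendered XML, and API calls (method invocation, attribute update, hierarchy manipulation, element creation) generated only for elements in that context. The tag, attribute and method tables, their weights and the fixed sets of candidate values are assumptions for illustration, not taken from the SVG specification.

```javascript
// Added example (not code from the talk): specification- plus context-based
// generation of a tiny SVG fuzzing template: the XML part followed by API
// calls on live elements. SPEC (tags, attributes, methods, weights) is an
// assumption for illustration, not derived from the SVG specification.
function makeRng(seed) {  // small LCG so that a seed reproduces a template
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1103515245) + 12345) >>> 0) / 4294967296;
}
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];
const SVG_NS = 'http://www.w3.org/2000/svg';

// weight: how likely a tag is chosen as a child (animation is biased up, as the
// heuristics slide suggests); attrs: candidate values; methods: per-tag API.
const SPEC = {
  svg: { weight: 0, children: ['g', 'rect', 'circle', 'animate'],
         attrs: { width: ['100', '0'], height: ['100', '1e9'] },
         methods: ['pauseAnimations()', 'unpauseAnimations()', 'setCurrentTime(0)', 'setCurrentTime(1e9)'] },
  g: { weight: 2, children: ['rect', 'circle', 'animate'], attrs: { opacity: ['0', '0.5', '1'] }, methods: ['getBBox()'] },
  rect: { weight: 3, children: ['animate'], attrs: { x: ['0', '10'], width: ['0', '50', '1e9'] }, methods: ['getBBox()'] },
  circle: { weight: 3, children: ['animate'], attrs: { r: ['0', '10', '-1'] }, methods: ['getBBox()'] },
  animate: { weight: 6, children: [], attrs: { attributeName: ['x', 'r', 'opacity'], dur: ['0s', '1s', 'indefinite'] },
             methods: ['beginElement()', 'endElement()'] },
};
function weightedPick(rng, names) {
  let r = rng() * names.reduce((t, n) => t + SPEC[n].weight, 0);
  for (const n of names) if ((r -= SPEC[n].weight) < 0) return n;
  return names[names.length - 1];
}

// Context: every element created so far, with its tree position and status.
// An element stays live after removal because the script keeps a variable for it.
class Context {
  constructor() { this.elements = []; }
  add(tag, attrs, parent) {
    const el = { id: `e${this.elements.length}`, tag, attrs, parent, children: [],
                 inTree: parent ? parent.inTree : true };
    if (parent) parent.children.push(el);
    this.elements.push(el);
    return el;
  }
}

// Recursive, specification-driven XML generation; it fills the starting context.
function genElement(rng, ctx, tag, parent, depth) {
  const attrs = {};
  for (const [name, values] of Object.entries(SPEC[tag].attrs)) if (rng() < 0.7) attrs[name] = pick(rng, values);
  const el = ctx.add(tag, attrs, parent);
  const kids = SPEC[tag].children;
  if (kids.length && depth < 3) {
    const n = 1 + Math.floor(rng() * 3);
    for (let i = 0; i < n; i++) genElement(rng, ctx, weightedPick(rng, kids), el, depth + 1);
  }
  return el;
}
function toXml(el, indent = '') {
  const ns = el.tag === 'svg' ? ` xmlns="${SVG_NS}"` : '';
  const a = Object.entries(el.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  if (!el.children.length) return `${indent}<${el.tag} id="${el.id}"${ns}${a}/>`;
  return [`${indent}<${el.tag} id="${el.id}"${ns}${a}>`,
          ...el.children.map((c) => toXml(c, indent + '  ')), `${indent}</${el.tag}>`].join('\n');
}
// Tag-balance check standing in for "no parsing error when being loaded".
function wellFormed(xml) {
  const stack = [];
  for (const m of xml.matchAll(/<(\/?)([a-z]+)[^>]*?(\/?)>/g)) {
    if (m[1]) { if (stack.pop() !== m[2]) return false; } else if (!m[3]) stack.push(m[2]);
  }
  return stack.length === 0;
}

// Context-aware API call generation: each branch returns one script line and
// applies the call's effect to the emulated context.
function genApiCall(rng, ctx) {
  const el = pick(rng, ctx.elements);
  switch (Math.floor(rng() * 4)) {
    case 0: return `${el.id}.${pick(rng, SPEC[el.tag].methods)};`;  // invoke a method valid for the tag
    case 1: {                                                        // update an attribute the spec allows
      const [name, values] = pick(rng, Object.entries(SPEC[el.tag].attrs));
      el.attrs[name] = pick(rng, values);
      return `${el.id}.setAttribute("${name}", "${el.attrs[name]}");`;
    }
    case 2: {                                                        // detach from the tree (stays live)
      if (!el.parent) return genApiCall(rng, ctx);
      const parent = el.parent;
      parent.children = parent.children.filter((c) => c !== el);
      el.parent = null;
      (function mark(e) { e.inTree = false; e.children.forEach(mark); })(el);
      return `${parent.id}.removeChild(${el.id});`;
    }
    default: {                                                       // create and append a new element
      if (!SPEC[el.tag].children.length) return genApiCall(rng, ctx);
      const child = ctx.add(weightedPick(rng, SPEC[el.tag].children), {}, el);
      return `var ${child.id} = document.createElementNS("${SVG_NS}", "${child.tag}"); ${el.id}.appendChild(${child.id});`;
    }
  }
}

function genTemplate(seed, nCalls) {
  const rng = makeRng(seed);
  const ctx = new Context();
  const xml = toXml(genElement(rng, ctx, 'svg', null, 0));
  const script = ctx.elements.map((e) => `var ${e.id} = document.getElementById("${e.id}");`);
  for (let i = 0; i < nCalls; i++) script.push(genApiCall(rng, ctx));
  return { xml, script, ctx };
}

const t = genTemplate(1, 8);
console.log(t.xml + '\n<script>\n' + t.script.join('\n') + '\n</script>');
```

The script prologue binds every XML element to a variable, which is what keeps a removed element live and lets later calls still reach it; elements created by the script are declared inline and enter the same context, so the next call can operate on them as well.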
Case 2: WebGL
WebGL
A DOM API based on OpenGL ES 2.0
o Create 3D graphics in a web browser with:
  (1) the OpenGL shading language GLSL
    § C-alike programs
  (2) the standard OpenGL APIs described in JavaScript
o Browser support
  § WebGL 2.0: Chrome, Firefox
  § WebGL: Safari, Edge
WebGL attack surface
Underlying OpenGL library bugs
o Touchable through DOM APIs
o One stone, several birds
o Pwn2own 2016 Chrome exploit by lokihardt
  https://www.zerodayinitiative.com/advisories/ZDI-16-224/
[Diagram: the Chrome and Firefox renderers both sit on libANGLE]
Graphics proxy (OpenGL API bindings) bugs, depending on the browser implementation
o Library API misuses
o Pwn2own 2015 Chrome exploit by lokihardt
  https://bugs.chromium.org/p/chromium/issues/detail?id=468936
[Diagram: Renderer -> Graphics proxy -> OpenGL]
Chrome is special
[Diagram: sandbox -> Broker -> GPU process (weaker sandbox) -> win32k.sys, EoP]
An isolated GPU process completes WebGL tasks
o Fewer restrictions on access to the kernel (win32k.sys)
WebGL fuzzing template
[Diagram: template = vertex shader + fragment shader + API calls]
Shaders
Vertex shader
o Describes the composition of a shape (i.e., the positions of the vertices)
Fragment shader
o Describes the color, texture and lighting of a shape
C-alike programs
o Limited number of variables
o Strong typing
o Limited types
o if/for/while statements
o break/continue
o Vector/Matrix indexing
o Static length
o Bound checks
o Vector/Matrix arithmetic operations
[Figure: fuzzer output]
Variable qualifiers for particular usages
o Attributes
o Uniforms
o Textures
o Varyings
Internal variables (e.g., gl_Position)
Check the specification for more details
o WebGL Programming Guide
An example
[Figure: a vertex shader and a script; DOM API calls interact with shader programs]
Building random shaders
o Assignment patterns only
  § (qualifier) <type specifier> <identifier> (= expression)
  § <LVal> (= expression)
o Type-based assignment generation
  § Randomly generate the LHS with type t
  § Generate the RHS expression given type t
o Bias on selecting internal variables
Example: building an int expression
[Figure: fuzzer output]
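An added example (not the talk's shader generator) of the type-based assignment generation above: a random type t is chosen for the left-hand side, and the right-hand side is generated for exactly t from the variables already in scope, with every vector index chosen below the static length so that the bound checks are satisfied by construction. The supported types, operators, literal ranges and the bias toward the built-in outputs gl_Position and gl_PointSize are assumptions for illustration.

```javascript
// Added example (not code from the talk): type-directed generation of GLSL ES
// assignment statements for a vertex shader body, following the two patterns
// "<type> <identifier> = expression" and "<LVal> = expression". Types, operators,
// literal ranges and the built-in names used are assumptions for illustration.
function makeRng(seed) {  // small LCG so that a seed reproduces a shader
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1103515245) + 12345) >>> 0) / 4294967296;
}
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];

const TYPES = ['int', 'float', 'vec2', 'vec4'];
const INFO = { int: { len: 1 }, float: { len: 1 }, vec2: { len: 2 }, vec4: { len: 4 } };
const BUILTIN_OUT = { gl_Position: 'vec4', gl_PointSize: 'float' };  // internal variables, LHS only here

function literal(rng, t) {
  const f = () => (Math.floor(rng() * 40) / 8 - 2).toFixed(3);       // -2.000 .. 2.875
  if (t === 'int') return String(Math.floor(rng() * 16) - 4);
  if (t === 'float') return f();
  return `${t}(${Array.from({ length: INFO[t].len }, f).join(', ')})`;
}

// Generate an expression of exactly type t from variables already in scope.
// Every vector index is chosen below the static length, so no out-of-bounds
// access is ever emitted.
function genExpr(rng, vars, t, depth) {
  const same = Object.keys(vars).filter((n) => vars[n] === t);
  const r = rng();
  if (depth <= 0 || r < 0.25) return same.length && rng() < 0.6 ? pick(rng, same) : literal(rng, t);
  if (r < 0.45 && t === 'float') {                                     // component of a vector variable
    const vecs = Object.keys(vars).filter((n) => INFO[vars[n]].len > 1);
    if (vecs.length) {
      const v = pick(rng, vecs), i = Math.floor(rng() * INFO[vars[v]].len);
      return rng() < 0.5 ? `${v}.${'xyzw'[i]}` : `${v}[${i}]`;
    }
  }
  if (r < 0.45 && INFO[t].len > 1) {                                    // constructor from scalars
    return `${t}(${Array.from({ length: INFO[t].len }, () => genExpr(rng, vars, 'float', depth - 1)).join(', ')})`;
  }
  if (r < 0.6 && t === 'int') return `int(${genExpr(rng, vars, 'float', depth - 1)})`;  // explicit conversion only
  if (r < 0.8 && INFO[t].len > 1) return `(${genExpr(rng, vars, t, depth - 1)} * ${genExpr(rng, vars, 'float', depth - 1)})`;
  return `(${genExpr(rng, vars, t, depth - 1)} ${pick(rng, ['+', '-', '*'])} ${genExpr(rng, vars, t, depth - 1)})`;
}

function genStatement(rng, vars, idx) {
  const t = pick(rng, TYPES);
  // Candidate lvalues of type t; built-ins are listed twice to bias selection toward them.
  const lvals = Object.keys(vars).filter((n) => vars[n] === t);
  for (const b of Object.keys(BUILTIN_OUT)) if (BUILTIN_OUT[b] === t) lvals.push(b, b);
  if (!lvals.length || rng() < 0.5) {                                   // <type> <identifier> = expression
    const name = `v${idx}`;
    const line = `  ${t} ${name} = ${genExpr(rng, vars, t, 3)};`;
    vars[name] = t;                     // enters the scope only after its initializer was built
    return line;
  }
  return `  ${pick(rng, lvals)} = ${genExpr(rng, vars, t, 3)};`;        // <LVal> = expression
}

function genVertexShader(seed, nStatements) {
  const rng = makeRng(seed);
  const vars = {};                                                      // name -> type, in scope
  const body = [];
  for (let i = 0; i < nStatements; i++) body.push(genStatement(rng, vars, i));
  body.push(`  gl_Position = ${genExpr(rng, vars, 'vec4', 2)};`);        // the output must be written
  return { source: ['void main() {', ...body, '}'].join('\n'), vars };
}

console.log(genVertexShader(1, 8).source);
```

Because the scope map is the only source of identifiers for the right-hand side and a declared name is added to it only after its initializer exists, every generated program uses variables strictly after their declaration; the returned vars map makes that, and the in-bounds indexing, checkable without a GLSL compiler.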
Building random API calls
Context for generating API calls includes:
o Qualified variables in the shaders
  § uniforms/attributes/varyings
o WebGL object status (live?)
  § WebGL(Buffer/Framebuffer/Renderbuffer)
  § isBound?
  § WebGLQuery
  § WebGLSampler
  § WebGLVertexArrayObject
  § etc.
We omit the generation details here.
DOM bug studies
SVGElement use-after-free: CVE-2019-6212
[Figure: PoC, with the free and the use marked]
SVGViewSpec implements SVGFitToViewBox
SVGViewSpec elements fail to reflect the state of an underlying SVGElement
o m_contextElement is freed while SVGViewSpec is still active
[Figure: Patch 1]
[Figure: Patch 2]
o Marking in GC now recognizes the relevant SVGElement as long as the SVGViewSpec is active
WebKit Bug 195068
[Figure: source excerpt]
[*]: byteLength is a 64-bit uint
o Invalid truncation to a 32-bit uint
o Allocation size is much smaller than the stored size value
[*]: m_byteLength = 0xf00000000 >> 0x41414141
o Write arbitrary values at arbitrary offsets → RCE
o Triggerable on Linux only
  § The OpenGL library on Mac does not support a WebGL buffer of more than 4G
Acknowledgement
Insu Yun
Taesoo Kim
Ivan Fratric (Domato)
MWR Labs
Thanks!
ZeroCon 2019