Metamong: Detecting Render-update Bugs in Web Browsers through Fuzzing
A render-update bug arises when a web browser produces an erroneous rendering output due to incorrect rendering updates. Such render-update bugs seriously harm the usability and reliability of web browsers. However, we find that detecting render-update bugs is challenging because the render-update bug is a semantic bug - given a rendering result, it is difficult to determine if it is correct due to the complex rendering specification of DOM and CSS. Thus, unlike memory corruption bugs, the incorrect rendering output does not raise the violation or crash. In practice, render-update bug detection relies on the time-prohibitive manual analysis of domain experts to determine the bug.
This paper proposes Metamong, an automated framework to detect render-update bugs without false positive issues via differential fuzz testing. Metamong features two key components: (i) page mutator, and (ii) render-update oracle. The page mutator generates render-update operations, which change the content of the web page, to trigger a render-update bug. The render-update oracle exploits an HTML standard rule, so-called yielding, to produce the correct rendering result of a given web page. Combining these components, Metamong creates two HTML files where each constructs the same web page, but only one of them induces the render-update. It then uses differential testing to compare their rendering outputs to determine a bug. We implemented a prototype of Metamong, which performs differential fuzz testing on popular browsers, Chrome and Firefox. By far, Metamong identified 19 new render-update bugs, 17 in Chrome and two in Firefox. All of those have been confirmed by each browser vendor and five are already fixed, demonstrating the practical effectiveness of Metamong in identifying render-update bugs.
Wed 6 DecDisplayed time zone: Pacific Time (US & Canada) change
16:00 - 18:00 | FuzzingResearch Papers at Golden Gate C1 Chair(s): Shaukat Ali Simula Research Laboratory and Oslo Metropolitan University | ||
16:00 15mTalk | Enhancing Coverage-guided Fuzzing via Phantom Program Research Papers Mingyuan Wu Southern University of Science and Technology and the University of Hong Kong, Kunqiu Chen Southern University of Science and Technology, Qi Luo Southern University of Science and Technology, Jiahong Xiang Southern University of Science and Technology, Ji Qi The University of Hong Kong, Junjie Chen Tianjin University, Heming Cui University of Hong Kong, Yuqun Zhang Southern University of Science and Technology Media Attached | ||
16:15 15mTalk | Co-Dependence Aware Fuzzing for Dataflow-based Big Data Analytics Research Papers Ahmad Humayun Virginia Tech, Miryung Kim University of California at Los Angeles, USA, Muhammad Ali Gulzar Virginia Tech Pre-print Media Attached | ||
16:30 15mTalk | SJFuzz: Seed & Mutator Scheduling for JVM Fuzzing Research Papers Mingyuan Wu Southern University of Science and Technology and the University of Hong Kong, Yicheng Ouyang University of Illinois at Urbana-Champaign, Minghai Lu Southern University of Science and Technology, Junjie Chen Tianjin University, Yingquan Zhao Tianjin University, Heming Cui University of Hong Kong, Guowei Yang University of Queensland, Yuqun Zhang Southern University of Science and Technology Media Attached | ||
16:45 15mTalk | Metamong: Detecting Render-update Bugs in Web Browsers through Fuzzing Research Papers Suhwan Song Seoul National University, South Korea, Byoungyoung Lee Seoul National University, South Korea Media Attached | ||
17:00 15mTalk | Property-based Fuzzing for Finding Data Manipulation Errors in Android Apps Research Papers Jingling Sun East China Normal University, Ting Su East China Normal University, Jiayi Jiang East China Normal University, Jue Wang Nanjing University, Geguang Pu East China Normal University, Zhendong Su ETH Zurich Media Attached | ||
17:15 15mTalk | Leveraging Hardware Probes and Optimizations for Accelerating Fuzz Testing of Heterogeneous Applications Research Papers Jiyuan Wang University of California at Los Angeles, Qian Zhang University of California, Riverside, Hongbo Rong Intel Labs, Guoqing Harry Xu University of California at Los Angeles, Miryung Kim University of California at Los Angeles, USA Pre-print Media Attached | ||
17:30 15mTalk | NaNofuzz: A Usable Tool for Automatic Test Generation Research Papers Matthew C. Davis Carnegie Mellon University, Sangheon Choi Rose-Hulman Institute of Technology, Sam Estep Carnegie Mellon University, Brad A. Myers Carnegie Mellon University, Joshua Sunshine Carnegie Mellon University Link to publication DOI Media Attached | ||
17:45 15mTalk | [Remote] A Generative and Mutational Approach for Synthesizing Bug-exposing Test Cases to Guide Compiler Fuzzing Research Papers Guixin Ye Northwest University, Tianmin Hu Northwest University, Zhanyong Tang Northwest University, Zhenye Fan Northwest University, Shin Hwei Tan Concordia University, Bo Zhang Tencent Security Platform Department, Wenxiang Qian Tencent Security Platform Department, Zheng Wang University of Leeds, UK Media Attached | ||