The web browser remains one of the most exposed remote attack surfaces on end-user systems, and memory-corruption flaws continue to play a central role in real-world browser exploitation. Despite a decade of intensive browser testing and bug-disclosure efforts, the community still lacks an explicit, defense-oriented systematization of the browser's low-level attack surface. Prior SoKs have surveyed browser vulnerabilities and mitigation techniques. However, these perspectives remain fragmented, leaving open a central question: how is the low-level attack surface of modern web browsers structured, and which parts of this surface remain underexplored by existing security testing? We approach this primary question through three sub-questions. (RQ1) How is the browser's attack surface structured along input classes and components? (RQ2) Where do memory corruption vulnerabilities arise within this taxonomy? (RQ3) What do these attack-surface patterns imply for existing browser security testing? To answer RQ1, we derive an architecture-grounded Input × Component × Privilege taxonomy that abstracts the architectures of browsers into a unified view. To answer RQ2, we map 2,233 memory corruption reports disclosed between 2016 and 2025 onto this taxonomy. To answer RQ3, we overlay a decade of academic browser fuzzers, classified by the targeted input class, onto the bug-density map. Our systematization reveals that current testing concentrates on well-explored components while bug-dense, high-impact surfaces remain insufficiently tested. Moreover, we identify three fuzzer deployment gaps, which are orthogonal to the academic efforts. Our work offers a structured foundation for future browser security research.
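The abstract describes a three-step method: place each disclosed memory-corruption report into a cell of an Input × Component × Privilege taxonomy, compute bug density per cell, and overlay the input classes that academic fuzzers target to find bug-dense cells no fuzzer exercises. The following is an added illustration of that analysis pipeline; it is not the paper's code or dataset. The axis labels (`INPUT_CLASSES`, `COMPONENTS`, `PRIVILEGES`), the report records and the fuzzer entries are constructed placeholders chosen for illustration, not the paper's actual taxonomy values or its 2,233 reports.

```python
"""
Added example (not code from the paper): a minimal model of an
Input x Component x Privilege taxonomy used to (1) place bug reports
into taxonomy cells, (2) compute bug density per cell over a year
window, and (3) overlay which input classes existing fuzzers target,
so that bug-dense but untested cells can be listed.

All axis labels, reports and fuzzers below are constructed for
illustration; they are not the paper's dataset or taxonomy labels.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Assumed taxonomy axes (illustrative, not the paper's definitions).
INPUT_CLASSES = {"html_dom", "javascript", "media", "network_protocol", "ipc"}
COMPONENTS = {"dom_engine", "js_engine", "media_decoder", "net_stack", "ipc_broker"}
PRIVILEGES = {"sandboxed_renderer", "gpu_process", "browser_process"}


@dataclass(frozen=True)
class Cell:
    """One point in the Input x Component x Privilege space."""
    input_class: str
    component: str
    privilege: str


@dataclass(frozen=True)
class BugReport:
    """A disclosed memory-corruption report, tagged along the three axes."""
    report_id: str
    year: int
    input_class: str
    component: str
    privilege: str


@dataclass(frozen=True)
class Fuzzer:
    """A fuzzer classified by the input class(es) it generates."""
    name: str
    input_classes: frozenset


def to_cell(report: BugReport) -> Cell:
    """Map a report onto its taxonomy cell, rejecting labels outside the axes."""
    if report.input_class not in INPUT_CLASSES:
        raise ValueError(f"unknown input class: {report.input_class}")
    if report.component not in COMPONENTS:
        raise ValueError(f"unknown component: {report.component}")
    if report.privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege: {report.privilege}")
    return Cell(report.input_class, report.component, report.privilege)


def bug_density(reports: Iterable[BugReport], start: int, end: int) -> Counter:
    """Count reports per cell within an inclusive year window."""
    return Counter(to_cell(r) for r in reports if start <= r.year <= end)


def covered_input_classes(fuzzers: Iterable[Fuzzer]) -> Set[str]:
    """Union of input classes that at least one fuzzer targets."""
    covered: Set[str] = set()
    for f in fuzzers:
        covered |= f.input_classes
    return covered


def untested_hotspots(density: Counter, fuzzers: Iterable[Fuzzer],
                      min_bugs: int) -> List[Tuple[Cell, int]]:
    """Cells with at least min_bugs reports whose input class no fuzzer
    targets, ordered by bug count (highest first), then privilege/component."""
    covered = covered_input_classes(fuzzers)
    hits = [(cell, n) for cell, n in density.items()
            if n >= min_bugs and cell.input_class not in covered]
    hits.sort(key=lambda item: (-item[1], item[0].privilege, item[0].component))
    return hits


# Constructed sample reports (identifiers are placeholders, not real bug ids).
SAMPLE_REPORTS = [
    BugReport("R-001", 2017, "javascript", "js_engine", "sandboxed_renderer"),
    BugReport("R-002", 2019, "javascript", "js_engine", "sandboxed_renderer"),
    BugReport("R-003", 2021, "html_dom", "dom_engine", "sandboxed_renderer"),
    BugReport("R-004", 2022, "ipc", "ipc_broker", "browser_process"),
    BugReport("R-005", 2023, "ipc", "ipc_broker", "browser_process"),
    BugReport("R-006", 2024, "media", "media_decoder", "gpu_process"),
    BugReport("R-007", 2015, "ipc", "ipc_broker", "browser_process"),  # outside window
]

# Constructed fuzzers: only renderer-facing input classes are covered.
SAMPLE_FUZZERS = [
    Fuzzer("js-fuzzer-example", frozenset({"javascript"})),
    Fuzzer("dom-fuzzer-example", frozenset({"html_dom"})),
]


def main() -> None:
    density = bug_density(SAMPLE_REPORTS, 2016, 2025)
    for cell, n in untested_hotspots(density, SAMPLE_FUZZERS, min_bugs=1):
        print(f"{n:3d} bugs  {cell.input_class:>16} -> {cell.component:<14} @ {cell.privilege}")


if __name__ == "__main__":
    main()
```

Running the script lists the constructed IPC and media cells as bug-bearing surfaces with no fuzzer coverage, which is the shape of result the abstract describes: the overlay is a set difference between where bugs cluster and which input classes the fuzzers generate. The privilege axis matters for prioritisation because a cell reached from a high-privilege process carries more impact per bug than one confined to a sandboxed renderer.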