The security of modern JavaScript (JS) engines is critical since they provide the primary defense mechanism for executing untrusted code on the web. The recent integration of WebAssembly (Wasm) has transformed these engines into complex polyglot environments, creating a novel attack surface at the JS-Wasm interaction boundary due to the distinct type systems and memory models of the two languages. This boundary remains largely underexplored, as previous works mainly focus on testing JS and Wasm as two isolated entities rather than investigating the security implications of their cross-language interactions. This paper proposes Weaver, an effective greybox fuzzing framework specifically tailored to uncover vulnerabilities at the JS-Wasm boundary. To comply with the language constraints, Weaver uses a type-aware generation strategy, meticulously maintaining the dual-type representation for every generated variable. This allows the fuzzer to validly use variables across the language boundary. In addition, Weaver leverages the UCB-1 algorithm to intelligently schedule mutators and generators to maximize the discovery of new code paths. We have implemented and evaluated Weaver on three JS engines. The results indicate that Weaver achieves superior code coverage compared to state-of-the-art fuzzers. Moreover, Weaver has uncovered two new bugs in the latest versions of these engines, one of which is considered high severity and set to the highest priority, demonstrating the practicality of Weaver.
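The two mechanisms the abstract names, a dual-type record for every generated variable and UCB-1 scheduling of mutators rewarded by new coverage, are illustrated below in a small added example. This is not Weaver's code and is not taken from the paper: the mutator names, the edge identifiers, the reward model (1 for a previously unseen coverage edge, 0 otherwise) and the conservative "JS view must match the Wasm parameter's JS view" rule are all assumptions constructed for the demonstration. The one engine fact it relies on is that the JS API maps `i64` parameters to BigInt and numeric parameters `i32`/`f32`/`f64` to Number.

```javascript
// Added illustration, not Weaver's code: (1) a dual-type record for generated
// variables plus a conservative "may this JS value cross into Wasm" check, and
// (2) a UCB-1 scheduler choosing among mutators, rewarded by new coverage.
// Mutators, edge ids and the reward model are constructed for this demo.

// (1) Dual-type representation: each generated variable carries both views.
const JS_VIEW_FOR_WASM = { i32: 'number', i64: 'bigint', f32: 'number', f64: 'number' };

function makeDualVar(name, wasmType, value) {
  if (!(wasmType in JS_VIEW_FOR_WASM)) throw new Error(`unsupported wasm type ${wasmType}`);
  return { name, value, jsType: typeof value, wasmType };
}

// Generator rule (assumption): a variable may be passed across the boundary only
// when its JS type equals the target parameter's JS view. Engines coerce Numbers
// for i32/f32/f64 and throw a TypeError for Number -> i64, so this rule avoids
// emitting calls that would abort the test case before the boundary is exercised.
function canCrossToWasm(dualVar, targetWasmType) {
  const expected = JS_VIEW_FOR_WASM[targetWasmType];
  return expected !== undefined && dualVar.jsType === expected;
}

// (2) UCB-1 over a set of arms (mutators / generators).
class Ucb1Scheduler {
  constructor(arms, explorationC = Math.SQRT2) {
    this.arms = arms;
    this.c = explorationC;
    this.pulls = Object.fromEntries(arms.map((a) => [a, 0]));
    this.rewardSum = Object.fromEntries(arms.map((a) => [a, 0]));
    this.total = 0;
  }

  select() {
    // Every arm is tried once before the confidence bound is applied.
    for (const a of this.arms) if (this.pulls[a] === 0) return a;
    let best = null;
    let bestScore = -Infinity;
    for (const a of this.arms) {
      const n = this.pulls[a];
      const score = this.rewardSum[a] / n + this.c * Math.sqrt(Math.log(this.total) / n);
      if (score > bestScore) { bestScore = score; best = a; }
    }
    return best;
  }

  update(arm, reward) {
    this.pulls[arm] += 1;
    this.rewardSum[arm] += reward;
    this.total += 1;
  }
}

// Constructed stand-ins for mutators: each run returns the coverage edge the
// mutated program hit. These are not real engine instrumentation.
function makeFakeMutators() {
  const calls = { crossBoundaryArgSwap: 0, reorderStatements: 0, renameVariable: 0 };
  return {
    // Hits a fresh edge on every run (productive at the JS-Wasm boundary).
    crossBoundaryArgSwap: () => `A-${++calls.crossBoundaryArgSwap}`,
    // Fresh edge on every third run, otherwise an already-hot one.
    reorderStatements: () =>
      (++calls.reorderStatements % 3 === 0 ? `B-${calls.reorderStatements}` : 'B-hot'),
    // Never produces anything new after its first run.
    renameVariable: () => (++calls.renameVariable, 'C-hot'),
  };
}

// One fuzzing campaign: pick a mutator by UCB-1, run it, reward 1 for a new edge.
function runCampaign(rounds) {
  const mutators = makeFakeMutators();
  const sched = new Ucb1Scheduler(Object.keys(mutators));
  const coverage = new Set();
  for (let i = 0; i < rounds; i++) {
    const arm = sched.select();
    const edge = mutators[arm]();
    const reward = coverage.has(edge) ? 0 : 1;
    coverage.add(edge);
    sched.update(arm, reward);
  }
  return { pulls: { ...sched.pulls }, covered: coverage.size };
}

console.log(JSON.stringify(runCampaign(200)));
```

Running the campaign shows the scheduler concentrating pulls on the mutator that keeps finding new edges while still periodically re-sampling the weaker ones, which is the exploration/exploitation balance UCB-1 provides; the coverage set is the only signal it needs, so the same loop works with real edge-coverage feedback in place of the fake mutators.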