DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing

Abstract

Web browsers are ubiquitous and execute untrusted JavaScript (JS) code. JS engines optimize frequently executed code through just-in-time (JIT) compilation. Subtly conflicting assumptions between optimizations frequently result in JS engine vulnerabilities. Attackers can take advantage of such diverging assumptions and use the flexibility of JS to craft exploits that produce a miscalculation, remove bounds checks in JIT compiled code, and ultimately gain arbitrary code execution. Classical fuzzing approaches for JS engines only detect bugs if the engine crashes or a runtime assertion fails. Differential fuzzing can compare interpreted code against optimized JIT compiled code to detect differences in execution. Recent approaches probe the execution states of JS programs through ad-hoc JS functions that read the value of variables at runtime. However, these approaches have limited capabilities to detect diverging executions and inhibit optimizations during JIT compilation, thus leaving JS engines under-tested. We propose DUMPLING, a differential fuzzer that compares the full state of optimized and unoptimized execution for arbitrary JS programs. Instead of instrumenting the JS input, DUMPLING instruments the JS engine itself, enabling deep and precise introspection. These extracted fine-grained execution states, coined as (frame) dumps, are extracted at a high frequency even in the middle of JIT compiled functions. DUMPLING finds eight new bugs in the thoroughly tested V8 engine, where previous differential fuzzing approaches struggled to discover new bugs.

For further details please consult the conference publication.

Team

• Liam Wachter
• Julian Gremminger
• Christian Wressnegger
• Mathias Payer
• Flavio Toffalini (Contact)

Proof-of-Concept Implementations

For the sake of reproducibility and to foster future research, we make the implementations of DUMPLING publicly available at:

https://github.com/two-heart/dumpling-artifact-evaluation

Publication

A detailed description of our work was presented at the 32nd Network and Distributed System Security Symposium (NDSS) in February 2025. If you would like to cite our work, please use the reference as provided below:

@InProceedings{Wachter2025DUMPLING,
author    = {Liam Wachter and Julian Gremminger and Christian Wressnegger and Mathias Payer and Flavio Toffalini},
title     = {{DUMPLING}: {F}ine-grained Differential {JavaScript} Engine Fuzzing},
booktitle = ndss,
year      = {2025},
month     = feb,
}

A preprint of the paper is available here.