CrFuzz

A browser fuzzing framework/harness. Made for my Bachelor's degree project.


Abstract

This project introduces a novel browser fuzzing framework aimed at enhancing the automated detection and analysis of memory-related vulnerabilities in web browsers. As browsers grow more complex and are exposed to ever more kinds of untrusted web content, memory corruption issues pose significant security risks, which makes automated detection tools essential for maintaining browser security. The framework integrates the existing payload generators Domato and FreeDom with a programmatically controlled browser environment that uses AddressSanitizer instrumentation to detect crashes. Key aspects include automated test case minimization, support for testing various browser feature configurations, a comprehensive logging system, and a batch system for automated execution and management of fuzzing and analysis. Evaluation on the Chromium web browser demonstrated the effectiveness of the framework, identifying 22 unique crashes. The analysis confirmed the framework's ability to reduce crashing payloads and to isolate the specific browser features required to trigger each crash. This project contributes to the field of browser security by advancing automated vulnerability detection through a comprehensive framework that covers both the discovery and the analysis process necessary for effective vulnerability remediation. Future work includes support for additional browsers and targeted techniques for improving reproducibility in certain crash scenarios.
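The two analysis steps the abstract names, test case minimization and isolation of the browser features needed to reproduce a crash, can both be expressed as delta debugging over a crash oracle. The example below is added here to illustrate that idea; it is not CrFuzz's own code. It uses Zeller's ddmin algorithm, and the browser run is a constructed stand-in: a real harness would launch an AddressSanitizer build of the browser on each candidate and check its stderr for the ASan report marker, whereas `run_browser` here models a purely hypothetical bug with made-up feature names so the example runs offline.

```python
"""Delta-debugging minimisation for a browser fuzzing harness (illustrative,
not CrFuzz's code). The browser launch is simulated; only the oracle check on
ASan output and the ddmin algorithm are what a real harness would use."""
from typing import Callable, List, Sequence, TypeVar

T = TypeVar("T")

# Marker that opens every AddressSanitizer report, e.g.
# "==1234==ERROR: AddressSanitizer: heap-use-after-free on address 0x..."
ASAN_MARKER = "ERROR: AddressSanitizer"

# Constructed sample payload (the kind of HTML a generator such as Domato emits).
PAYLOAD = [
    "<html><body>",
    "<canvas id='c' width='8' height='8'></canvas>",
    "<audio autoplay></audio>",
    "<script>",
    "const ctx = document.getElementById('c').getContext('2d');",
    "const d = ctx.getImageData(0, 0, 8, 8);",
    "d.data[0] = 1;",
    "</script>",
    "</body></html>",
]

# Hypothetical feature-flag names; they do not correspond to real browser flags.
FEATURES = ["WebGL", "Canvas2D", "WebAudio", "WebGPU"]


def asan_crashed(stderr: str) -> bool:
    """True if the captured browser stderr contains an ASan report."""
    return ASAN_MARKER in stderr


def run_browser(lines: Sequence[str], features: Sequence[str]) -> str:
    """Constructed stand-in for launching an ASan-instrumented browser.

    Returns what the browser would write to stderr. The modelled 'bug' is
    hypothetical: getImageData on a <canvas>, inside a <script>, with the
    (made-up) Canvas2D feature enabled. A real harness would spawn the
    browser process with the payload file and capture its stderr instead.
    """
    has_canvas = any("<canvas" in line for line in lines)
    has_script = "<script>" in lines
    has_call = any("getImageData" in line for line in lines)
    if "Canvas2D" in features and has_canvas and has_script and has_call:
        return "==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000000f0\n"
    return ""


def ddmin(items: Sequence[T], fails: Callable[[Sequence[T]], bool]) -> List[T]:
    """Zeller's delta debugging: a 1-minimal subset of `items` on which `fails` holds.

    `fails(subset)` is one browser run; it must be True for the full input.
    The result is 1-minimal: removing any single remaining item stops the crash.
    """
    items = list(items)
    assert fails(items), "full test case must reproduce the crash"
    n = 2  # number of chunks the current test case is split into
    while len(items) >= 2:
        size = len(items)
        bounds = [(size * i // n, size * (i + 1) // n) for i in range(n)]
        progress = False
        # Phase 1: does a single chunk already reproduce the crash?
        for lo, hi in bounds:
            chunk = items[lo:hi]
            if chunk and fails(chunk):
                items, n, progress = chunk, 2, True
                break
        if progress:
            continue
        # Phase 2: can a chunk be dropped while the crash still reproduces?
        for lo, hi in bounds:
            rest = items[:lo] + items[hi:]
            if fails(rest):
                items, n, progress = rest, max(n - 1, 2), True
                break
        if progress:
            continue
        # Phase 3: refine granularity; stop once chunks are single items.
        if n >= size:
            break
        n = min(size, n * 2)
    return items


def minimize_payload(payload: Sequence[str], features: Sequence[str]) -> List[str]:
    """Reduce a crashing payload to the lines needed to reproduce the crash."""
    return ddmin(payload, lambda lines: asan_crashed(run_browser(lines, features)))


def isolate_features(payload: Sequence[str], features: Sequence[str]) -> List[str]:
    """Reduce the enabled feature set to the features needed for the crash."""
    return ddmin(features, lambda flags: asan_crashed(run_browser(payload, flags)))


if __name__ == "__main__":
    print("minimal payload:", minimize_payload(PAYLOAD, FEATURES))
    print("required features:", isolate_features(PAYLOAD, FEATURES))
```

Each call of the oracle is one browser launch, so the number of runs ddmin needs, rather than its code size, is what matters in practice; on the constructed payload it converges from nine lines to the three that the simulated bug requires, and from four feature flags to one. With a real ASan build, the oracle would also have to compare the report's bug type and top stack frames so that minimization does not drift onto a different crash than the one being analysed.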

Keywords: browser security, browser fuzzing, browser vulnerability detection, AddressSanitizer, Chromium, test case minimization


[Figure: Directory structure]

[Figure: Diagram of the fuzzing process]