A (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language ("FuzzIL") which can be mutated and translated to JavaScript.

⇒ Fuzzilli is a fuzzer for dynamic language interpreters (JavaScript engines, etc.) that performs fuzzing with a custom intermediate language called FuzzIL: programs are mutated in FuzzIL and then translated to JavaScript.

How to use the fuzzer

The basic steps to use this fuzzer are:

  1. Download the source code for one of the supported JavaScript engines (v8, ...). See the Targets/ directory for the list of supported JavaScript engines.


  2. Apply the corresponding patches from the target's directory. Also see the README.md in that directory.

    # Target: v8
    
    To build v8 for fuzzing:
    
    1. Follow the instructions at <https://v8.dev/docs/build>
    2. Run the fuzzbuild.sh script in the v8 root directory
    3. out/fuzzbuild/d8 will be the JavaScript shell for the fuzzer
    
    Note that sanitizer coverage for v8 is currently not supported on macOS as it is missing from v8's custom clang toolchain.
    
  3. Compile the engine with coverage instrumentation (requires clang >= 4.0) as described in the README.

  4. Compile the fuzzer: swift build [-c release] ⇒ compile the fuzzer

  5. Run the fuzzer: swift run [-c release] FuzzilliCli --profile=<profile> [other cli options] /path/to/jsshell. See also swift run FuzzilliCli --help. ⇒ run the fuzzer
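The five steps above, collected into one small driver script. This is an added example, not a script shipped with Fuzzilli or v8: it checks the clang >= 4.0 prerequisite from step 3, verifies that the instrumented shell from the v8 target README (out/fuzzbuild/d8) exists, and assembles the swift run command from step 5. The V8_DIR and FUZZILLI_DIR locations are assumptions, and the profile name v8 is taken from Fuzzilli's own profile for d8.

```shell
#!/bin/sh
# Added example (not Fuzzilli's own code): a driver for the build-and-run steps above.
# Assumptions: V8_DIR is a v8 checkout already built with fuzzbuild.sh,
# FUZZILLI_DIR is a Fuzzilli checkout, and "v8" is the FuzzilliCli profile for d8.

# Pull the major version out of `clang --version` output, e.g.
# "clang version 14.0.6 (...)" -> 14, "Apple clang version 15.0.0 (...)" -> 15.
# Prints nothing when the text is not clang output (e.g. gcc).
clang_major() {
    printf '%s\n' "$1" | sed -n 's/.*clang version \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Coverage instrumentation for the engine needs clang >= 4.0 (step 3).
clang_ok() {
    major=$(clang_major "$1")
    [ -n "$major" ] && [ "$major" -ge 4 ]
}

# Build the command line from step 5.
# $1 = profile name, $2 = path to the instrumented JS shell, $3 = "release" or "debug".
fuzzilli_cmd() {
    if [ "$3" = release ]; then
        printf 'swift run -c release FuzzilliCli --profile=%s %s\n' "$1" "$2"
    else
        printf 'swift run FuzzilliCli --profile=%s %s\n' "$1" "$2"
    fi
}

# The JS shell produced by fuzzbuild.sh must exist and be executable before we launch.
shell_ready() {
    [ -x "$1" ]
}

main() {
    V8_DIR=${V8_DIR:-$HOME/v8/v8}                 # assumption: v8 checkout location
    FUZZILLI_DIR=${FUZZILLI_DIR:-$HOME/fuzzilli}  # assumption: fuzzilli checkout location

    if ! clang_ok "$(clang --version 2>/dev/null)"; then
        echo "clang >= 4.0 is required for coverage instrumentation" >&2
        exit 1
    fi

    shell="$V8_DIR/out/fuzzbuild/d8"
    if ! shell_ready "$shell"; then
        echo "instrumented d8 not found at $shell; run fuzzbuild.sh in $V8_DIR first" >&2
        exit 1
    fi

    # Step 4 (compile the fuzzer), then step 5 (run it against the instrumented shell).
    cd "$FUZZILLI_DIR" || exit 1
    swift build -c release || exit 1
    eval "$(fuzzilli_cmd v8 "$shell" release)"
}

# Only start the build when invoked as `./driver.sh run`, so the helper functions
# above can be sourced and checked without a v8 or Swift toolchain present.
if [ "${1:-}" = run ]; then
    main
fi
```

Usage: `V8_DIR=/path/to/v8 FUZZILLI_DIR=/path/to/fuzzilli ./driver.sh run`. The version check deliberately parses the major number instead of comparing the whole version string, because "Apple clang" and distribution-suffixed versions such as "14.0.0-1ubuntu1" do not compare cleanly as plain strings.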

Building and running Fuzzilli and the supported JavaScript engines inside Docker and on Google Compute Engine is also supported.