Montage is a JavaScript (JS) engine fuzzer that mutates a seed JS abstract syntax tree (AST) by leveraging a neural network language model. The model is trained on a set of JS regression tests to learn the underlying commonalities of the JS tests that previously triggered JS engine bugs. Thus, Montage aims to mutate a seed AST such that the resulting AST reflects the commonalities of the trained JS tests. The key intuition behind our approach is that a JS code similar to the previous bug-triggering JS code may trigger another bug. For more details, please refer to our paper, "Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer", which appeared in USENIX Security 2020.
Montage works on a machine running Linux with NVIDIA graphic cards. It is tested on a machine running Ubuntu 20.04 with GTX Titan XP GPUs. Python 3.8 and PyTorch 1.4.0 with CUDA are required to run Montage. Please refer to (1) this link for installing PyTorch and (2) this link for installing CUDA Toolkits. We currently support ChakraCore, V8, SpiderMonkey, and JavaScriptCore. To get ready for running Montage, please additionally run the following commands:
$ sudo apt update
$ sudo apt install nodejs npm
$ npm install [email protected] [email protected]
$ git clone https://github.com/WSP-LAB/Montage
$ cd Montage
$ pip3 install -r requirements.txt
We provide dataset used in our experiments (Sec. 7.2-7.5) in this repository.
Please refer to this link for writing a configuration file.
Phase I parses each JS file into an AST and then divides the AST into fragments. As a result, Montage represents each JS code as a sequence of fragments on which a neural network language model is trained.
$ cd Montage/src
$ python3 main.py --opt preprocess --config CONFIG_PATH
Phase II trains an LSTM model on the fragment sequences obtained from Phase I.
$ cd Montage/src
$ python3 main.py --opt train --config CONFIG_PATH
We re-engineered Montage so that a single graphic card could be enough for
training the model. However, if you see an error message saying RuntimeError: CUDA out of memory
, you need to carefully adjust the configuration file such
that it fits the memory size of your graphic card.
Phase III produces new JS tests by leveraging the trained LSTM model and logs whether they elicit bugs from JS engines. Before running Phase III, you need to build a map for identifiers predefined in the harness files.
$ cd Montage/src
$ python3 main.py --opt build_map --config CONFIG_PATH
$ python3 main.py --opt fuzz --config CONFIG_PATH
This research project has been conducted by WSP Lab and SoftSec Lab at KAIST.
To cite our paper:
@INPROCEEDINGS{lee:usenixsec:2020,
author = {Suyoung Lee and HyungSeok Han and Sang Kil Cha and Sooel Son},
title = {{Montage}: A Neural Network Language Model-Guided {JavaScript} Engine Fuzzer},
booktitle = {Proceedings of the {USENIX} Security Symposium},
pages = {2613--2630},
year = 2020
}