This repository contains the fuzzer described in the paper: "IPCrafter", a browser IPC fuzzer for discovering Site Isolation bypass vulnerabilities. The fuzzer uses WebIDL definitions to generate HTML/JS inputs that exercise the browser's JS API. The browser is driven with Playwright to simulate user interactions. We patched Chrome and Firefox to add our Site Isolation bypass bug oracles and the IPC fuzzer component, which mutates the IPC messages sent by the renderer process. The patched browsers live in the other repositories listed below.
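To make the input-generation idea concrete, here is a small added example (not code from the IPCrafter repository) of turning a WebIDL-derived description into a batch of JS API calls with type-aware, boundary-biased argument values. The JSON schema used for the interfaces, the `expr` field mapping an interface to a global it is reachable from, and the value pools are assumptions for this illustration; the real `webidl2json` output format and the fuzzer's own generator differ. The IPC-mutation half of the fuzzer lives in the patched browser and is not modelled here.

```python
import json
import random

# Constructed sample input: two WebIDL interfaces rendered in a hypothetical
# JSON schema chosen for this example (not the webidl2json output format).
SAMPLE_IDL_JSON = json.dumps([
    {
        "name": "Navigator",
        "expr": "navigator",  # assumed: how an instance is reached from JS
        "members": [
            {"type": "operation", "name": "sendBeacon",
             "args": [{"type": "USVString"},
                      {"type": "USVString", "optional": True}]},
            {"type": "operation", "name": "vibrate",
             "args": [{"type": "unsigned long"}]},
        ],
    },
    {
        "name": "Document",
        "expr": "document",
        "members": [
            {"type": "operation", "name": "createElement",
             "args": [{"type": "DOMString"}]},
            {"type": "attribute", "name": "title", "valtype": "DOMString"},
        ],
    },
])


def js_value(idl_type: str, rng: random.Random) -> str:
    """Render a JS literal for a WebIDL type, biased toward boundary values
    (empty, NUL, oversized, markup-bearing strings; integer limits)."""
    if idl_type in ("DOMString", "USVString", "ByteString"):
        pool = ['""', '"a"', '"\\u0000"', '"x".repeat(65536)',
                '"<img src=x onerror=1>"']
        return rng.choice(pool)
    if idl_type == "unsigned long":
        return str(rng.choice([0, 1, 2**31, 2**32 - 1, 2**32]))
    if idl_type == "long":
        return str(rng.choice([0, -1, 2**31 - 1, -(2**31)]))
    if idl_type == "boolean":
        return rng.choice(["true", "false"])
    return "undefined"  # types this toy generator does not model


def generate_calls(idl_json: str, count: int, seed: int) -> list[str]:
    """Produce `count` JS statements, each calling an operation or setting an
    attribute of a randomly chosen interface. Seeded so a crashing input can
    be regenerated from (seed, count)."""
    rng = random.Random(seed)
    interfaces = json.loads(idl_json)
    stmts = []
    for _ in range(count):
        iface = rng.choice(interfaces)
        member = rng.choice(iface["members"])
        target = f'{iface["expr"]}.{member["name"]}'
        if member["type"] == "operation":
            args = []
            for arg in member["args"]:
                # Randomly stop at an optional argument so both arities are hit.
                if arg.get("optional") and rng.random() < 0.5:
                    break
                args.append(js_value(arg["type"], rng))
            call = f'{target}({", ".join(args)})'
        else:
            call = f'{target} = {js_value(member["valtype"], rng)}'
        # Wrap each call so one thrown exception does not stop the sequence.
        stmts.append(f"try {{ {call}; }} catch (e) {{}}")
    return stmts


def render_html(stmts: list[str]) -> str:
    """Embed the generated statements in a minimal page a browser can load."""
    body = "\n".join(stmts)
    return f"<!doctype html>\n<html><body><script>\n{body}\n</script></body></html>\n"


if __name__ == "__main__":
    print(render_html(generate_calls(SAMPLE_IDL_JSON, count=8, seed=1)))
```

Each generated page is deterministic in `(seed, count)`, which is what lets a fuzzer replay the input that triggered a bug oracle; the `try`/`catch` wrapping keeps a single `TypeError` from masking the remaining calls.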
- `ipcrafter/`: The fuzzer, written in Python
- `data/`: Results of the coverage measurements
- `docker/`: Dockerfile to run the fuzzer with several instances
- `eval/`: Dockerfiles to evaluate the fuzzer on old versions of the browsers with known vulnerabilities; also contains the results of the evaluation
- `generator/`: Module of the fuzzer that generates the fuzzer inputs
- `tmuxp/`: tmuxp files to start the fuzzer and the servers
- `vulns/`: The vulnerabilities found by the fuzzer
- `server/`: The web server hosting the fuzzer inputs
- `chromium`: patched Chromium with sanitizers and fuzzer bindings, in branches `ipc-fuzzer/current` and `patch/....`
- `gecko-dev`: patched Firefox with sanitizers and fuzzer bindings, in branch `patch/125`
- `webidl.js`: patched WebIDL parser, used to convert `.idl` files to JSON
- `fuzzorigin`: UXSS fuzzer by Kim et al., patched to run in our evaluation environment
- Compile the browsers and place them in the `browsers` directory (see "how to build chrome")
- We provide Docker containers to compile and run old browser revisions
- The fuzzer depends on Python 3.12; install it if it is not already installed
- Install the dependencies:

```sh
python3.12 -m venv .venv && source .venv/bin/activate && pip3.12 install -r requirements.txt
```

- Convert the `.idl` files to `.json` files using the `webidl2json` tool:

```sh
cd generator/webidl2json && npm install && node parse.js ./idl/chrome ./json/chrome
```

- Run the fuzzer:

```sh
source .venv/bin/activate && python3.12 -m ipcrafter -w ./generator/webidl2json/json/chrome -m ./generator/mdn -b chrome -s ./server -o ./chromium.json -t ./browsers/chrome-ipc-fuzzing/src/out/Coverage/chrome
```

Since the fuzzer also requires two web servers, we provide tmuxp files that start the fuzzer and the servers together:

```sh
tmuxp load tmuxp/chrome_fuzzer_session.yml
```