Hackers from Google's Project Zero have released a tool for automatically testing programs for bugs, the Domato fuzzer, as open source. The program's effectiveness has been proven in practice: it found 31 bugs in five popular browsers. The test results are shown in the table.
Vendor | Browser | Engine | Number of bugs | Project Zero bug identifiers
--- | --- | --- | --- | ---
Google | Chrome | Blink | 2 | 994, 1024
Mozilla | Firefox | Gecko | 4** | 1130, 1155, 1160, 1185
Microsoft | Internet Explorer | Trident | 4 | 1011, 1076, 1118, 1233
Microsoft | Edge | EdgeHTML | 6 | 1011, 1254, 1255, 1264, 1301, 1309
Apple | Safari | WebKit | 17 | 999, 1038, 1044, 1080, 1082, 1087, 1090, 1097, 1105, 1114, 1241, 1242, 1243, 1244, 1246, 1249, 1250
Total | | | 31* |
* Two of the bugs belong to two browsers at once, so the total is 31, not the 33 obtained by summing the column.
** One of the bugs is actually in the Skia graphics library rather than in Firefox's own source code. But since that code is shipped inside the browser by the Firefox developers, it is fair to count it in the table.

Domato is specially designed to uncover bugs in browser DOM engines. The DOM engine is part of the rendering engine in every browser, and it is in this component that many bugs hide. Occasionally they are even exploited by highly advanced attackers, including state security services. For example, it was a bug in the Firefox DOM engine that the security services used to build a malicious exploit for the Tor Browser. Security researchers discovered that exploit in November last year. More precisely, as it turned out, it had accidentally leaked from Exodus Intel, a company that specializes in buying and developing exploits in order to resell them to intelligence agencies and law enforcement bodies in various countries.
The people at Google have traditionally fought such methods of state surveillance. Perhaps that Tor Browser case prompted the creation of a fuzzer for finding vulnerabilities in DOM engines. Its author is the well-known hacker Ivan Fratric. Even without that case, however, such a tool suggested itself: Fratric writes that it is a rare browser security update that does not fix a DOM engine bug, so common are they. Flash used to hold the title of the biggest hole, but as that technology is being abandoned, the title is gradually passing to the DOM engine.
Now Fratric has published Domato as open source in the expectation that others will improve this useful tool. Incidentally, almost all large vendors pay for reported vulnerabilities, so a good fuzzer can earn you many thousands of dollars.
In the browser testing whose results are given above, fuzzing consisted of generating random code and feeding it to the browser in the hope that it would crash, repeated roughly 100 million times. According to Fratric, fuzzing on this scale in the Google Compute Engine cloud costs about $1,000.
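To make "generating random code" concrete, here is an added example of a grammar-based generator in the style Domato uses: a test case is built by recursively expanding nonterminals of a grammar, with a depth cap so that recursive rules still terminate, and a seed that makes every case reproducible. This is illustration code written for this page, not Domato's own source; the rule notation (`<name> = expansion`, with `<lt>`/`<gt>` for literal angle brackets) imitates Domato's grammar files in simplified form, and the grammar, names and limits below are all constructed for the example.

```python
"""Toy grammar-based DOM test case generator, in the spirit of Domato.

Added illustration, not Domato's own code. Notation: nonterminals are
written <name>; literal angle brackets are written <lt> / <gt> so that
HTML tags can be emitted without being mistaken for nonterminals
(a convention borrowed from Domato's grammar files). The grammar and all
names below are made up for the example.
"""
import os
import random
import re

# A nonterminal reference inside a rule body.
SYMBOL_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")

# Special symbols expanded by code rather than by grammar rules.
BUILTINS = {
    "lt": lambda rng: "<",
    "gt": lambda rng: ">",
    "lf": lambda rng: "\n",
    "int": lambda rng: str(rng.randint(0, 9)),
}

# Constructed toy grammar: build a small DOM tree, then a script that churns
# it (creation, removal and innerHTML rewriting of nodes is the kind of
# lifetime stress that shakes out bugs in DOM engines).
TOY_GRAMMAR = """
<root> = <lt>html<gt><lt>body<gt><lf><elements><lf><lt>/body<gt><lf><lt>script<gt><lf><js><lt>/script<gt><lf><lt>/html<gt>
<elements> = <element>
<elements> = <element><elements>
<element> = <lt>div id="e<int>"<gt><elements><lt>/div<gt>
<element> = <lt>span id="e<int>"<gt>text<lt>/span<gt>
<element> = <lt>table id="e<int>"<gt><lt>tr<gt><lt>td<gt><elements><lt>/td<gt><lt>/tr<gt><lt>/table<gt>
<element> = <lt>input id="e<int>" type="<inputtype>"<gt>
<inputtype> = text
<inputtype> = checkbox
<js> = <stmt><lf>
<js> = <stmt><lf><js>
<stmt> = var v = document.getElementById('e<int>');
<stmt> = var n = document.getElementById('e<int>'); if (n) n.remove();
<stmt> = document.body.appendChild(document.createElement('<tag>'));
<stmt> = var h = document.getElementById('e<int>'); if (h) h.innerHTML = '<element>';
<tag> = div
<tag> = span
<tag> = iframe
"""


def parse_grammar(text):
    """Parse '<lhs> = rhs' lines into {nonterminal: [alternatives]}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lhs, sep, rhs = line.partition(" = ")
        m = SYMBOL_RE.fullmatch(lhs)
        if not sep or m is None:
            raise ValueError("bad rule: %r" % line)
        rules.setdefault(m.group(1), []).append(rhs)
    return rules


def _nonterminal_count(alt):
    return sum(1 for s in SYMBOL_RE.findall(alt) if s not in BUILTINS)


def expand(rules, symbol, rng, depth=0, max_depth=8):
    """Recursively expand one symbol. Past max_depth only the least
    recursive alternatives are eligible, so generation always terminates."""
    if symbol in BUILTINS:
        return BUILTINS[symbol](rng)
    alts = rules[symbol]
    if depth >= max_depth:
        best = min(_nonterminal_count(a) for a in alts)
        alts = [a for a in alts if _nonterminal_count(a) == best]
    alt = rng.choice(alts)
    out, pos = [], 0
    for m in SYMBOL_RE.finditer(alt):
        out.append(alt[pos:m.start()])
        out.append(expand(rules, m.group(1), rng, depth + 1, max_depth))
        pos = m.end()
    out.append(alt[pos:])
    return "".join(out)


def generate(seed, grammar=TOY_GRAMMAR, max_depth=8):
    """Build one test case from a seed. The seed alone reproduces the case,
    so a campaign only needs to record the seeds of runs that crashed."""
    return expand(parse_grammar(grammar), "root", random.Random(seed), 0, max_depth)


def unexpanded_symbols(rules, testcase):
    """Rule names that leaked into the output unexpanded (should be empty;
    HTML tags such as <div> are not rule names in this grammar)."""
    return sorted(s for s in rules if "<%s>" % s in testcase)


def write_corpus(outdir, count, first_seed=0):
    """Write `count` cases as files; a harness would open each one in the
    browser under a crash monitor and keep the seed of any crashing case."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for seed in range(first_seed, first_seed + count):
        path = os.path.join(outdir, "case_%d.html" % seed)
        with open(path, "w") as f:
            f.write(generate(seed))
        paths.append(path)
    return paths


if __name__ == "__main__":
    print(generate(1))
```

The two design points worth copying from this toy into a real generator are the ones that matter at 100 million iterations: deterministic output from a seed (only the seed of a crashing run has to be stored), and a depth cap that steers recursion toward the least recursive alternatives instead of letting the HTML nest without bound.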
The fuzzer found about the same number of bugs in Chrome, Firefox, Internet Explorer and Edge, but far more in Safari, which stands out from the rest. All of these bugs have since been fixed, because Apple got access to Domato beforehand: it hired a member of the Project Zero team, who asked Ivan for the fuzzer (Fratric himself had offered it to Apple because of the large number of Safari bugs, but the company proudly declined). Fratric writes that the large number of Safari bugs is especially alarming given attackers' interest in this platform, as indicated by exploit prices and recent targeted attacks.
It is also interesting to compare the bug counts for Chrome and Safari, which several years ago ran on the same WebKit engine, before Google forked it to create Blink. Apparently, since the fork in 2013 either a large number of bugs have been eliminated from Blink or a large number have been added to WebKit.
Ivan Fratric also paid tribute to the Microsoft developers who created the MemGC memory garbage collector to protect against exploitation of use-after-free bugs. The feature is built into Edge and Internet Explorer 11. He says the effect of MemGC is obvious: if you disable it via the OverrideMemoryProtectionSetting flag, far more of the bugs actually present in the code become detectable.