== Fuzzing a WKWebView-based Browser session == ''by Ali Juma'' [https://drive.google.com/file/d/1mDOwqiaCv4tvBSK5PcS8-5EmkCtu2D7z/view Slide Deck] ''ajuma:'' Chrome implements WKWebView and implements features using JS injection ''ajuma:'' WKScriptMessageHandlers expose attack surface area ''ajuma:'' Fuzzing implementation uses ASan to create logs on errors ''ajuma:'' tests cases are a combination of set of fuzzed html test cases and context free ''ajuma:'' Uses google/clusterfuzz to handle overhead (dedup, etc) ''ajuma:'' iOS14+ limited js to isolated worlds, but still a good fuzzing target ''ajuma:'' Fuzzer works with a macOS script to communicate with an XCUITest test host and app host. Working directly with the iOS simulator is somewhat unreliable currently, and looking for improvements ''ajuma:'' Also looking at Catalyst builds instead of Simulator, but the Catalyst APIs seem to be an OS version behind, and no WebKit Catalyst builds. ''ajuma:'' ClusterFuzz instance is Google internal, but if there's interest we can look into sharing more widely. ''q:'' Where is the input randomization coming from? ''ajuma:'' The scripts that generate the html files are internal to Google, rand APIs come from unix apis. ''ajuma:'' Only concerned with 64bit macOS currently