Fuzzing a WKWebView-based Browser session
by Ali Juma Slide Deck
ajuma: Chrome implements WKWebView and implements features using JS injection
ajuma: WKScriptMessageHandlers expose attack surface area
ajuma: Fuzzing implementation uses ASan to create logs on errors
ajuma: test cases are a combination of a set of fuzzed HTML test cases and context-free
ajuma: Uses google/clusterfuzz to handle overhead (dedup, etc)
ajuma: iOS 14+ limited JS to isolated worlds, but still a good fuzzing target
ajuma: Fuzzer works with a macOS script to communicate with an XCUITest test host and app host. Working directly with the iOS simulator is somewhat unreliable currently, and looking for improvements
ajuma: Also looking at Catalyst builds instead of Simulator, but the Catalyst APIs seem to be an OS version behind, and no WebKit Catalyst builds.
ajuma: ClusterFuzz instance is Google internal, but if there's interest we can look into sharing more widely.
q: Where is the input randomization coming from?
ajuma: The scripts that generate the HTML files are internal to Google; rand APIs come from Unix APIs.
ajuma: Only concerned with 64-bit macOS currently