Start your engines

Google has launched the Fuzzilli Grant program to boost JS engine fuzzing research

Google has launched a new pilot program that aims to foster research into new approaches to JavaScript engine fuzzing.

A total of $50,000 in cloud computing credits is available to researchers who wish to shine fresh light on the security of JavaScript engines, including JavaScriptCore (Safari), V8 (Chrome), and SpiderMonkey (Firefox).

A JavaScript engine, also known as an ECMAScript engine, is software that executes JavaScript code.

These engines are typically associated with web browsers, although they have other uses: the open source V8 engine, for example, is the core of the Node.js and Deno runtimes.

Like all software, JavaScript engines are not immune to security bugs. Besides static analysis, researchers commonly hunt for these vulnerabilities with fuzzing: an automated testing technique that feeds a program large volumes of malformed, unexpected, or randomly mutated input and watches for crashes, hangs, or memory-safety violations that reveal a bug. For a JavaScript engine the "input" is JavaScript source, so engine fuzzers typically generate syntactically valid programs that exercise the parser, interpreter, and JIT compilers rather than feeding in raw random bytes.

Caught by the fuzz

In a blog post yesterday (October 1), Google Project Zero’s Samuel Groß outlined the Fuzzilli Research Grant Program.

Interested researchers have been asked to submit a proposal for a project about fuzzing JavaScript engines. A total of $50,000 in Google Compute Engine (GCE) credits is available, to a maximum of $5,000 per submission.


According to Groß, Google is especially interested in new high-level fuzzing approaches, such as differential fuzzing; new feedback metrics to guide JavaScript engine fuzzers; new code mutation or generation approaches; and targeted approaches to fuzzing for variants of previously reported bugs.
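The differential fuzzing approach named above, in a small runnable illustration added here (it is not Fuzzilli and not code from Google or the grant program): the harness generates random JavaScript expressions from a fixed seed, compiles each into a function, and compares the values returned on the first few calls with those returned after thousands of calls, by which point V8 will usually have JIT-compiled the function. Any cold/hot divergence is reported as a candidate tier-specific bug. The expression grammar, the argument set, the seed, and the warm-up count are all assumptions made for the example; it runs under Node.js.

```javascript
// Added illustration of differential fuzzing for a JavaScript engine. Not
// Fuzzilli or Google's code: a small harness that generates random JS
// expressions from a seed, compiles each into a function, and compares the
// result of the first (interpreted) calls with the result after enough calls
// that V8 will usually have JIT-compiled the function. A divergence would point
// at a tier-specific miscompilation. Grammar, argument set, seed and warm-up
// count are assumptions chosen for the example. Run with: node diff_fuzz.js

// xorshift32 so that a run is reproducible from its seed
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return function next(n) {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s % n;
  };
}

// Leaves mix numbers, strings, objects and oddities so coercion paths get exercised.
const LEAVES = ['x', 'y', '0', '1', '-1', '0.5', '2147483648', 'NaN', '"7"', '""',
                'null', 'undefined', 'true', '[]', '{}'];
const BINOPS = ['+', '-', '*', '/', '%', '<<', '>>', '>>>', '&', '|', '^', '==', '===', '<'];
const UNOPS  = ['-', '+', '~', '!', 'typeof'];

// Random expression generator. Every sub-expression is parenthesised and unary
// operators get a trailing space so that '-' followed by '-1' cannot become '--1'.
function genExpr(rng, depth) {
  if (depth === 0 || rng(4) === 0) return LEAVES[rng(LEAVES.length)];
  switch (rng(3)) {
    case 0:  return `(${genExpr(rng, depth - 1)} ${BINOPS[rng(BINOPS.length)]} ${genExpr(rng, depth - 1)})`;
    case 1:  return `(${UNOPS[rng(UNOPS.length)]} ${genExpr(rng, depth - 1)})`;
    default: return `(${genExpr(rng, depth - 1)} ? ${genExpr(rng, depth - 1)} : ${genExpr(rng, depth - 1)})`;
  }
}

// Inputs each generated function is called with (constructed for the example).
const ARGS = [[1, 2], [-1, 0.5], ['3', null], [2147483647, -2147483648], [[], {}], [NaN, undefined]];

// Canonical string form that keeps the distinctions a JIT bug could break
// (NaN, -0 vs +0, the type of the value) and compares fresh object literals by content.
function canonical(v) {
  if (typeof v === 'object' && v !== null) return 'object:' + JSON.stringify(v);
  if (typeof v === 'number' && Object.is(v, -0)) return 'number:-0';
  return typeof v + ':' + String(v);
}

function observe(fn, x, y) {
  try { return canonical(fn(x, y)); } catch (e) { return 'throws:' + e.constructor.name; }
}

// Oracle: results on the first calls must equal results after warm-up.
function diffTest(src, warmup) {
  const fn = new Function('x', 'y', 'return ' + src + ';');
  const cold = ARGS.map(([x, y]) => observe(fn, x, y));
  for (let i = 0; i < warmup; i++) {
    for (const [x, y] of ARGS) { try { fn(x, y); } catch (e) { /* same path as the cold run */ } }
  }
  const hot = ARGS.map(([x, y]) => observe(fn, x, y));
  return cold.flatMap((c, i) => (c === hot[i] ? [] : [{ args: ARGS[i], cold: c, hot: hot[i] }]));
}

// Generate `iterations` programs from `seed` and collect every cold/hot divergence.
function fuzz(seed, iterations, warmup = 3000) {
  const rng = makeRng(seed);
  const findings = [];
  for (let i = 0; i < iterations; i++) {
    const src = genExpr(rng, 4);
    const mismatches = diffTest(src, warmup);
    if (mismatches.length) findings.push({ src, mismatches });
  }
  return { programs: iterations, findings };
}

const report = fuzz(0xC0FFEE, 100);
console.log(`${report.programs} programs, ${report.findings.length} cold/hot divergences`);
for (const f of report.findings) console.log(JSON.stringify(f));
```

Real engine fuzzers do far more (Fuzzilli, for instance, works on its own intermediate representation and uses coverage feedback from the engine), but the oracle here is the essence of differential fuzzing: the same program, two execution paths, and a comparison that preserves the distinctions a compiler bug is likely to break, such as NaN, negative zero, and value types. The same harness shape applies to comparing two different engines, with each side's output canonicalised the same way.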

“The proposal will be reviewed by an internal review board and, if accepted, the researchers will be awarded up to $5,000 in GCE credits per submission to be used for fuzzing,” he explained.

Researchers are encouraged, where possible, to base their project on Google's open source Fuzzilli fuzzer, which already supports distributed fuzzing on GCE.
