« Inbox: Zeroed
Deconfirmed »

CSS grammar fuzzer

I wrote a CSS grammar fuzzer to test Gecko's CSS parser. This fuzzer's tricks:

Declarative context-free grammar. This makes it easy to add new CSS features to the fuzzer, or even use it to test grammars other than CSS. Each symbol can be a star, concatenation, or list of alternatives. Unlike a parser, a fuzzer has to make decisions about what to create, so alternatives can be given weights and stars have a suggested number of repetitions. This alone was enough to find at least one bug in Gecko.

Breaking rules. Like any good fuzzer, it doesn't always follow the given context-free grammar. Sometimes it does weird stuff, such as inserting a random symbol, to throw the parser off. I was surprised that this only found one additional bug in Gecko. Perhaps this reflects the comprehensive error handling requirements of the CSS specifications and the corresponding test suites.

Grammatical recursion. When the fuzzer notices that a symbol is the same as an ancestor, it can repeat the parts of the final string between the two symbols. This is effective at finding bugs where large input can cause a recursive algorithm to run out of stack space and crash. This found four grammar-recursion crashes in Gecko.

CSS serialization. The fuzzer makes sure that any text that comes out of the browser's stylesheet serializer survives another trip through the parser and serializer. This is the same trick jsfunfuzz uses to test the JavaScript engine decompiler. This helped fine four incorrect-serialization bugs in Gecko.

None of these Gecko bugs seem to be security holes. I shared the fuzzer with other browser vendors privately for over a month, and nobody asked me to delay the release, so I believe it didn't find security holes in other browsers either. But I think this has more to do with CSS parsing being fairly simple and self-contained than any weakness in the fuzzer.

After CanSecWest, I'm going to try using this fuzzer to generate JavaScript expressions that crash parsers that use recursion incautiously. Unless someone beats me to it, of course ;) (jsfunfuzz already creates many types of weird JavaScript, but can't look for grammatical recursion opportunities easily because it is written in a functional style rather than a declarative style.)

This fuzzer is written in JavaScript and is MIT licensed. I'd love to hear what other people manage to do with it. Get it here.

This entry was posted on Monday, March 16th, 2009 at 7:28 pm and is filed under CSS, Fuzzing, Mozilla. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

7 Responses to “CSS grammar fuzzer”

  1. Robin Says:
    March 17th, 2009 at 2:46 am

    I’m guessing bug #476744 is the meta bug for this fuzzer. Any reason it’s a security bug (and hence ‘Access Denied’ for me)?

  2. Ian M Says:
    March 17th, 2009 at 3:17 am

    Wow – this is seriously cool :)

    A site for all your different fuzzers would be quite cool.

  3. Ian M Says:
    March 17th, 2009 at 4:03 am

    Dugg – http://digg.com/security/CSS_fuzzer_created_to_test_CSS_parsers_finds_crash_bugs

  4. Jesse Ruderman Says:
    March 17th, 2009 at 10:00 am

    Thanks for catching that, Robin. https://bugzilla.mozilla.org/show_bug.cgi?id=476744 is now public.

  5. Jesse Ruderman Says:
    March 17th, 2009 at 10:01 am

    Ian – can you live with http://www.squarefree.com/categories/fuzzing/ for now? ;)

  6. New CSS Grammar Fuzzer at Mozilla Security Blog Says:
    March 17th, 2009 at 2:25 pm

    […] Jesse Ruderman just blogged about a new CSS grammar fuzzer of his, to go along with the JS fuzzer we announced a while […]

  7. Ajaxian » Fuzzy CSS Grammar Says:
    March 25th, 2009 at 4:39 am

    […] Jesse Ruderman, security extraordinaire, has created many fuzzers in his time including a JavaScript one, and this time he has created a CSS gramar fuzzer: […]