Google sets up research grant for finding bugs in browser JavaScript engines



Google has set up a research grant program to sponsor security researchers and academics and help them find vulnerabilities in browser JavaScript engines.

The program has one rule, namely that the bugs must be identified using “fuzzing.”

Fuzzing, or fuzz testing, is a technique for identifying bugs by throwing random, invalid, or unexpected data as input into a program and analyzing the output for abnormalities.

Fuzzing rarely used to hunt bugs

The technique is broadly used inside big tech companies but rarely by security researchers working on their own, as fuzzing is computationally expensive and usually requires access to vast and expensive cloud computing resources.

Security researchers working on their own usually don’t get paid until months after they file a bug on public bug bounty platforms, and the payouts aren’t always guaranteed to cover the initial costs of renting large cloud computing resources to perform large-scale fuzzing operations.

In a blog post on Thursday, Google said it created this research grant to address this particular problem.

Via its new pilot program, security researchers and academics can apply for funds to use for fuzzing any browser JavaScript engine of their choosing.

Google says it will analyze each submission and provide an answer to all applicants within two weeks. Approved projects can receive up to $5,000 in funding.

The funds will be provided as credits for Google Compute Engine, Google Cloud’s heavy computing infrastructure, to avoid the funds being misappropriated.

Open-source tool already available

This is a special pilot program that will run only from October 1, 2020, to October 1, 2021. The program has been named the Fuzzilli Research Grant after Google’s own Fuzzilli open-source fuzzing tool, which supports distributed fuzzing on GCE and which Google encourages researchers to use.

Google said that all bugs identified during the pilot program must be reported to affected vendors. Researchers can keep additional bug bounty payouts for the bugs they find during the pilot program.

Eligible browser JavaScript engines include JavaScriptCore (Safari), V8 (Chrome, Edge), and SpiderMonkey (Firefox), but security researchers can pitch other engines in their submitted proposals.

JavaScript engines are an intrinsic part of modern web browsers. Their role is to read JavaScript files and code that a browser downloads or receives from a website, interpret it, and then instruct other browser components how to render the result (the web page, animations, background operations, browser extensions, etc.).

They have a central role in a browser, and as a result, are likely to be attacked by threat actors.

“JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild 0day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome,” Samuel Groß, a security researcher on the Google Project Zero team and the Fuzzilli author, said this week.

Additional program rules are here.
