
Questions about ExplorationMutator

Open chennbnbnb opened this issue 9 months ago • 0 comments

Hello, I am studying ExplorationMutator, and I think it is a good idea to assist mutation through runtime information. But I found that after detecting the type of the object, the mutation operation of ExplorationMutator is also completed through the js code, and these mutation operations are not diverse enough.

Why does ExplorationMutator need to mutate through js code? What if the type information is detected through runtime and then passed to Fuzzilli, and then Fuzzilli is responsible for mutation?

demo:

```js
let arr = ["xxx", "yyy"];
let obj = {};
obj[arr[0]] = function(a) { ... };

explore(obj);
```

`obj[arr[0]]` sets a computed property, so the Typer in Fuzzilli cannot infer that `obj` contains the property "xxx". Later, `explore(obj)` will detect the "xxx" attribute and then pass the attribute name and the type of the attribute value to Fuzzilli, and Fuzzilli can perform more mutation operations on the attribute.

chennbnbnb avatar Apr 02 '25 12:04 chennbnbnb
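As an added illustration of the runtime-side "explore" step the question sketches (this is example code written for this page, not Fuzzilli's ExplorationMutator or its actual reporting format; the names `classify`, `exploreObject` and `buildSample` are chosen here), the routine below walks an object's own properties at runtime, including ones created through computed keys that a static typer never sees, and returns a plain list of property name plus a type summary that a fuzzer could consume:

```javascript
// Classify a runtime value into a small, serialisable type summary.
// This is a constructed example, not Fuzzilli's internal type lattice.
function classify(value) {
  if (value === null) return { kind: 'null' };
  if (Array.isArray(value)) return { kind: 'array', length: value.length };
  const t = typeof value;
  if (t === 'function') return { kind: 'function', arity: value.length };
  if (t === 'object') {
    const ctor = value.constructor ? value.constructor.name : 'Object';
    return { kind: 'object', ctor };
  }
  return { kind: t }; // 'number', 'string', 'boolean', 'undefined', 'symbol', 'bigint'
}

// Enumerate own properties (enumerable or not) and describe each one.
// Accessors are reported separately because reading them runs user code.
function exploreObject(obj) {
  const report = [];
  for (const name of Object.getOwnPropertyNames(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, name);
    if (!desc) continue;
    if ('value' in desc) {
      report.push({ name, ...classify(desc.value), writable: desc.writable });
    } else {
      report.push({
        name,
        kind: 'accessor',
        hasGetter: typeof desc.get === 'function',
        hasSetter: typeof desc.set === 'function',
      });
    }
  }
  return report;
}

// Constructed sample mirroring the demo in the issue: the property names
// only exist in an array at runtime, so nothing in the literal `{}` reveals them.
function buildSample() {
  const arr = ['xxx', 'yyy'];
  const obj = {};
  obj[arr[0]] = function (a) { return a; };
  obj[arr[1]] = 42;
  Object.defineProperty(obj, 'len', { get() { return 2; }, enumerable: false });
  return obj;
}

// What the runtime side would hand back to the fuzzer for this sample.
function sampleReport() {
  return exploreObject(buildSample());
}

// Example run: JSON is one obvious wire format for passing this to a fuzzer.
console.log(JSON.stringify(sampleReport(), null, 2));
```

The report distinguishes data properties from accessors deliberately: a fuzzer that wants to mutate a getter-backed property should know that touching it executes code, while a plain data property can be overwritten or have its value re-typed freely.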