A tool designed to synthesise semantically correct JavaScript snippets given arbitrary data.

Useful for fuzzing.

• jerryscript
• njs
• duktape
• v8

• docker
• make

• (optional) Check if you have access to docker (run docker info)
• (optional) Specify desired version of JS runtime in Makefile.conf
• Run make (jerryscript | njs | duktape | v8)
• If everything builds correctly the process will result in:
  • build/fluff_* - binary to fuzz
  • build/fluff_*_dry - binary that will convert Fluff bytecode to JS testcase (stdout)
  • build/grammars
    • js_grammar.yaml - es5.1 grammar file
    • js_grammar_es6.yaml - es6 grammar file

Typical fuzzing setup:

• Create input folder and sample testcase, i.e. mkdir in && echo "420" >> in/testcase
• Start fuzzing using afl-fuzz, for example: afl-fuzz -m none -i in -o out ./fluff_njs @@ js_grammar.yaml
• (optional) you can use build container to run fuzzing, requires some manual work

docker run -it -d -v path/to/fluff/repository/build:/home/build/fluff identifier /bin/bash
docker exec -it container_number bash
# afl-fuzz is preinstalled in /home/build/afl

• Enjoy your cup of tea/coffee and wait for crashes

Detailed information about the design of Fluff can be read in the whitepaper.

Patches, additions and other contributions are welcome! If you see a feature which you could implement or a bug which you could fix please send us a message or a pull request. If you have found some interesting bug with this tool, please leave us a message/github issue for the future Hall Of Fame.

If you want to drop us a message, feel free to send a mail to [email protected] or [email protected].