Fuzzing JavaScript Engines with Aspect-preserving Mutation

Repository for "Fuzzing JavaScript Engines with Aspect-preserving Mutation" (in S&P'20). You can check the paper for technical details.


Tested on Ubuntu 18.04 with the following environment:

  • Python v3.6.10
  • npm v6.14.6
  • n v6.7.0

General Setup

For nodejs and npm,

$ sudo apt-get -y install npm
$ sudo npm install -g n
$ sudo n stable

For redis-server,

$ sudo apt install redis-server

We choose clang-6.0 to compile AFL and the browsers smoothly.

$ sudo apt-get -y install clang-6.0

DIE Setup

To set up the environment for AFL,

$ cd fuzz/scripts
$ sudo ./

To compile the whole project,

$ ./

Server Setup

  • Make the corpus directory (we used DIE-corpus as the corpus)
    $ git clone
    $ python3 ./fuzz/scripts/ ./DIE-corpus ./corpus
  • Make ssh-tunnel for connection with redis-server
    $ ./fuzz/scripts/
  • Dry run with corpus
    $ ./fuzz/scripts/ [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
    # Example
    $ ./fuzz/scripts/ ~/ch ./DIE-corpus ch
    That's it: the corpus has been executed and the resulting data should now be in the redis-server.


To check the redis-data,

$ redis-cli -p 9000
> keys *

If the result contains the "crashBitmap", "crashQueue", "pathBitmap" and "newPathsQueue" keys, the fuzzer was registered and executed correctly.

Client Setup

  • Make ssh-tunnel for connection with redis-server

    $ ./fuzz/scripts/
  • Usage
    $ ./fuzz/scripts/ [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
    # Example
    $ ./fuzz/scripts/ ~/ch ./DIE-corpus ch

  • Check if it's running

    $ tmux ls
    You can find a session named
    if it's running.


We used d8 to profile type information, so please change d8_path in fuzz/TS/typer/ before execution.

cd fuzz/TS/typer
python3 [corpus directory]

A *.jsi file will be created for each input if instrumentation works, and a *.t file if type profiling works.
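The two sanity checks above (the redis keys after the server dry run, and the *.jsi / *.t files after the typer run) are easy to get wrong by eye, so here is a small helper script that automates both. It is an added example, not part of the DIE repository; it assumes the ssh tunnel exposes redis on local port 9000 as in the setup steps, and it assumes (not stated on the page) that the typer writes name.jsi and name.t beside each name.js in the corpus directory.

```bash
#!/usr/bin/env bash
# Added health check for a DIE deployment (not from the DIE repository).
# Assumption: the ssh tunnel from the setup scripts exposes redis on port 9000.
# Assumption: the typer writes <name>.jsi and <name>.t next to each <name>.js.

# Keys the README says a registered, executed fuzzer leaves in redis.
DIE_REDIS_KEYS="crashBitmap crashQueue pathBitmap newPathsQueue"

# Reads the output of `redis-cli -p 9000 keys '*'` from stdin and reports any
# expected key that is absent. Returns 0 if all are present, 1 otherwise.
check_fuzzer_keys() {
    local found missing=""
    found=$(cat)
    for key in $DIE_REDIS_KEYS; do
        # -x: whole-line match, so "crashQueue2" does not satisfy "crashQueue"
        if ! printf '%s\n' "$found" | grep -qx "$key"; then
            missing="$missing $key"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing redis keys:$missing" >&2
        return 1
    fi
    return 0
}

# Lists every <name>.js in a corpus directory that lacks the <name>.jsi
# (instrumentation) or <name>.t (type profile) output the typer should produce.
# Returns 0 when every input is fully processed, 1 if any is incomplete.
check_typer_output() {
    local dir="$1" js rc=0
    for js in "$dir"/*.js; do
        [ -e "$js" ] || continue      # directory holds no .js files at all
        [ -e "${js%.js}.jsi" ] || { echo "no instrumentation: $js"; rc=1; }
        [ -e "${js%.js}.t" ]   || { echo "no type profile:   $js"; rc=1; }
    done
    return $rc
}

# Typical use after the server dry run and the typer run:
#   redis-cli -p 9000 keys '*' | check_fuzzer_keys
#   check_typer_output ./corpus
```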


If you find bugs and get CVEs by running DIE, please let us know.

  • ChakraCore: CVE-2019-0609, CVE-2019-1023, CVE-2019-1300, CVE-2019-0990, CVE-2019-1092
  • JavaScriptCore: CVE-2019-8676, CVE-2019-8673, CVE-2019-8811, CVE-2019-8816
  • V8: CVE-2019-13730, CVE-2019-13764, CVE-2020-6382



  title        = {{Fuzzing JavaScript Engines with Aspect-preserving Mutation}},
  author       = {Soyeon Park and Wen Xu and Insu Yun and Daehee Jang and Taesoo Kim},
  booktitle    = {Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland)},
  month        = may,
  year         = 2020,
  address      = {San Francisco, CA},
