DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing

Liam Wachter

Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · JavaScript Security

Liam Wachter's presentation at the NDSS Symposium introduced DUMPLING, a novel approach to **fine-grained differential JavaScript engine fuzzing**. The talk addresses a critical security challenge within modern JavaScript engines like V8, which powers Chrome-based browsers. These engines employ multiple execution tiers—an interpreter and several Just-In-Time (JIT) compilers—all of which must adhere to the exact same JavaScript semantics. Any discrepancy in how these tiers execute the same code, no matter how subtle (e.g., returning `-0.0` versus `+0.0` for a floating-point value), can create a **differential bug**. Such bugs are not merely functional quirks; they represent exploitable vulnerabilities that can lead to remote code execution (RCE) in the browser's renderer process.
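As an added example (not code from the DUMPLING paper or from Wachter's talk), the sketch below is a minimal differential harness in JavaScript: it runs the same function repeatedly so an engine may promote it through its tiers, fingerprints every result with `Object.is` semantics so that `-0` versus `+0` stays visible (plain `===` would hide it), and reports the first run that disagrees with the baseline. Because a genuine tier divergence needs a real engine defect, the bug is simulated by a constructed function, `makeBuggyNegate`, which is an assumption of this example only.

```javascript
// Fingerprint a value so that -0 and +0 differ and NaN equals itself,
// which is exactly what === gets wrong (-0 === 0 is true, NaN === NaN is false).
// Arrays and plain objects are walked recursively with sorted keys.
function fingerprint(value) {
  if (typeof value === 'number') {
    if (Number.isNaN(value)) return 'num:NaN';
    if (value === 0) return Object.is(value, -0) ? 'num:-0' : 'num:+0';
    return 'num:' + String(value);
  }
  if (value === null || typeof value !== 'object') {
    return typeof value + ':' + String(value);
  }
  if (Array.isArray(value)) {
    return '[' + value.map(fingerprint).join(',') + ']';
  }
  return '{' + Object.keys(value).sort()
    .map((k) => k + '=' + fingerprint(value[k])).join(',') + '}';
}

// Run fn(...args) `iterations` times. The first run is the baseline (on a real
// engine this is typically still the interpreter tier); later runs may be JIT
// compiled. Returns null if every run agrees with the baseline, otherwise
// {iteration, expected, actual} for the first divergence.
function findDivergence(fn, args, iterations) {
  const baseline = fingerprint(fn(...args));
  for (let i = 1; i < iterations; i++) {
    const actual = fingerprint(fn(...args));
    if (actual !== baseline) return { iteration: i, expected: baseline, actual };
  }
  return null;
}

// Constructed stand-in for a tier-dependent bug (assumption of this example):
// for the first `threshold` calls it computes 0 - x (giving +0 for x = 0), then
// switches to -x (giving -0 for x = 0). A real target would be a generated
// program executed on an actual engine, not a function that misbehaves by design.
function makeBuggyNegate(threshold) {
  let calls = 0;
  return function buggyNegate(x) {
    calls++;
    return calls > threshold ? -x : 0 - x;
  };
}

// Demo: the sign flip is invisible to ===, but the harness reports it.
const report = findDivergence(makeBuggyNegate(1000), [0], 2000);
console.log(report); // { iteration: 1000, expected: 'num:+0', actual: 'num:-0' }
```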

AI review

Solid academic security research with a genuinely clever core insight: hijack existing deoptimization machinery to transparently snapshot JIT VM state without perturbing the optimizer you're trying to test. Eight new V8 bugs, Google bounties, and competitive fuzzing throughput are concrete validation. Not a 5 because the within-engine constraint is a real limitation and the bug count, while meaningful, leaves open how many are exploitable versus theoretical state divergences.