Fuzzing the PHP Interpreter via Dataflow Fusion

PHP, a dominant scripting language in web development, powers a vast range of websites, from personal blogs to major platforms. While existing research primarily focuses on PHP application-level security issues like code injection, memory errors within the PHP interpreter have been largely overlooked. These memory errors, prevalent due to the PHP interpreter's extensive C codebase, pose significant risks to the confidentiality, integrity, and availability of PHP servers. This paper introduces FlowFusion, the first automatic fuzzing framework specifically designed to detect memory errors in the PHP interpreter. FlowFusion leverages dataflow as an efficient representation of test cases maintained by PHP developers, merging two or more test cases to produce fused test cases with more complex code semantics. Moreover, FlowFusion employs strategies such as test mutation, interface fuzzing, and environment crossover to further facilitate memory error detection. In our evaluation, FlowFusion identified 56 unknown memory errors in the PHP interpreter, with 38 fixed and 4 confirmed. We compared FlowFusion against the official test suite and a naive test concatenation approach, demonstrating that FlowFusion can detect new bugs that these methods miss, while also achieving greater code coverage. Furthermore, FlowFusion outperformed state-of-the-art fuzzers AFL++ and Polyglot, covering 24% more lines of code after 24 hours of fuzzing under identical execution environments. FlowFusion has been acknowledged by PHP developers, and we believe our approach offers a practical tool for enhancing the security of the PHP interpreter.
Comment: 15 pages, 4 figures