SbxBrk is an academic prototype for fuzzing the V8 heap sandbox through controlled fault injection. Built on LibAFL, it instruments all memory loads crossing the security boundary between trusted and untrusted domains and injects faults via bitmasks before data from the heap sandbox reaches trusted code. Using SbxBrk, we discovered 19 security bugs in V8's heap sandbox.
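The boundary-load instrumentation described above, as an added illustration: this is not SbxBrk's or V8's code, but a constructed C model of the idea. The sandbox is a fixed byte array, the fuzzer's per-site fault table and the use of XOR to apply a mask are assumptions (the page only says faults are injected via bitmasks), and out-of-region reads are recorded by a small oracle instead of a real sanitizer. It shows the same trusted consumer with and without re-validating a length it loaded from the sandbox, and what one injected bit flip does to each.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the V8 heap sandbox: a fixed-size region that
 * trusted code reads but must never be driven to access beyond. */
#define SANDBOX_SIZE 4096u
static uint8_t sandbox[SANDBOX_SIZE];

/* Fuzzer-controlled fault table, one bitmask per instrumented load site
 * (hypothetical layout). A mask of 0 leaves that site's loads untouched. */
#define MAX_SITES 8u
static uint32_t fault_mask[MAX_SITES];

void sbx_set_fault(unsigned site, uint32_t mask) {
    if (site < MAX_SITES) fault_mask[site] = mask;
}

/* Instrumented boundary load. A compiler pass would rewrite each load of
 * sandbox memory in trusted code into a call like this: do the load, then
 * XOR the value with the site's mask before trusted code sees it. */
static uint32_t sbx_load_u32(unsigned site, size_t off) {
    uint32_t v;
    memcpy(&v, &sandbox[off], sizeof v);
    return v ^ fault_mask[site % MAX_SITES];
}

/* Byte reads go through an oracle standing in for the sanitizer: an access
 * outside the region is not performed but recorded as a sandbox escape. */
static bool escape_detected;
static uint8_t sbx_read_byte(size_t off) {
    if (off >= SANDBOX_SIZE) { escape_detected = true; return 0; }
    return sandbox[off];
}

enum sbx_result { SBX_OK = 0, SBX_REJECTED = 1, SBX_ESCAPE = 2 };

/* Constructed object layout: 4-byte length header followed by the bytes. */
static void sbx_put_bytes(size_t obj_off, const uint8_t *data, uint32_t len) {
    memcpy(&sandbox[obj_off], &len, sizeof len);
    memcpy(&sandbox[obj_off + 4], data, len);
}

/* Trusted code that believes the in-sandbox length field. With a corrupted
 * length it walks off the end of the sandbox; the read oracle reports it. */
enum sbx_result sum_unchecked(size_t obj_off, uint32_t *out) {
    uint32_t len = sbx_load_u32(0, obj_off);            /* load site 0 */
    escape_detected = false;
    uint32_t s = 0;
    for (uint32_t i = 0; i < len; i++) s += sbx_read_byte(obj_off + 4 + i);
    if (escape_detected) return SBX_ESCAPE;
    *out = s;
    return SBX_OK;
}

/* Same consumer, but the value loaded from the sandbox is re-validated
 * against the sandbox bounds before it drives any access. */
enum sbx_result sum_checked(size_t obj_off, uint32_t *out) {
    uint32_t len = sbx_load_u32(1, obj_off);            /* load site 1 */
    size_t data_off = obj_off + 4;
    if (data_off > SANDBOX_SIZE || len > SANDBOX_SIZE - data_off)
        return SBX_REJECTED;
    uint32_t s = 0;
    for (uint32_t i = 0; i < len; i++) s += sandbox[data_off + i];
    *out = s;
    return SBX_OK;
}

/* One fuzzing iteration: place a 16-byte object (bytes 1..16) flush against
 * the end of the sandbox, apply `mask` to the length load, run one consumer.
 * The computed sum is left in scenario_sum. */
uint32_t scenario_sum;
int run_scenario(uint32_t mask, bool hardened) {
    uint8_t data[16];
    for (unsigned i = 0; i < sizeof data; i++) data[i] = (uint8_t)(i + 1);
    size_t obj_off = SANDBOX_SIZE - 4 - sizeof data;
    sbx_put_bytes(obj_off, data, sizeof data);
    memset(fault_mask, 0, sizeof fault_mask);
    sbx_set_fault(0, mask);
    sbx_set_fault(1, mask);
    scenario_sum = 0;
    return hardened ? sum_checked(obj_off, &scenario_sum)
                    : sum_unchecked(obj_off, &scenario_sum);
}

int main(void) {
    int a = run_scenario(0, false);
    uint32_t sum = scenario_sum;
    int b = run_scenario(0, true);
    printf("no fault : unchecked=%d checked=%d sum=%u\n", a, b, sum);
    /* Flipping bit 5 turns length 16 into 48: 32 bytes past the sandbox. */
    int c = run_scenario(0x20, false);
    int d = run_scenario(0x20, true);
    printf("mask 0x20: unchecked=%d (2 = escape) checked=%d (1 = rejected)\n", c, d);
    return 0;
}
```

The point of the model is the asymmetry: the same single-bit corruption at the boundary is harmless for the consumer that treats sandbox data as untrusted and a sandbox escape for the one that does not, which is exactly the class of defect a fault-injecting fuzzer is looking for.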
For the full details, see the paper: SbxBrk.
If you use SbxBrk in your research, please cite our paper:
```bibtex
@inproceedings{10.1145/3719027.3765027,
author = {Bars, Nils and Bernhard, Lukas and Schloegel, Moritz and Holz, Thorsten},
title = {Empirical Security Analysis of Software-based Fault Isolation through Controlled Fault Injection},
year = {2025},
isbn = {9798400715259},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3719027.3765027},
doi = {10.1145/3719027.3765027},
booktitle = {Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security},
pages = {2639–2652},
numpages = {14},
keywords = {browser security, fuzzing, software-based fault isolation},
location = {Taipei, Taiwan},
series = {CCS '25}
}
```

| Repository | Description |
|---|---|
| SbxBrk | Main artifact — setup instructions, Docker environment, and orchestration for all components. Start here. |
| fuzzer | The core fuzzer runtime written in Rust (built on LibAFL). Implements fault injection, mutation strategy, input scheduling, and sandbox-aware instrumentation. |
| V8 | V8 fork with build configuration and the heap_sandbox_fuzzing_pass — a custom LLVM pass that instruments heap sandbox memory loads for fault injection. |
| AFLplusplus | Custom AFL++ fork with LLVM 21 support, used as the compiler for coverage instrumentation of the V8 target. |
| FuzzilliSbx | Modified Fuzzilli used as the baseline fuzzer for comparison in the paper's evaluation. |
| evaluation | Scripts and seed files for reproducing the bug-finding and coverage experiments from the paper. |
The entire toolchain runs inside a Docker container (Ubuntu 24.04, x86_64). See the main repository for full setup and usage instructions.
```sh
git clone --recurse-submodules https://github.com/SbxBrk/SbxBrk.git
cd SbxBrk
./env/build.sh   # build the Docker environment
./env/start.sh   # enter the container
```

The version that received all three badges during artifact evaluation is also available on Zenodo.
