Investigating Forward-Porting for a Java Based OpenJDK Vulnerability for Fuzzer Benchmarking

As our society is becoming further and further digitalized, the need for secure software is simultaneously becoming even more important. Fuzzing is a method which is becoming more common for the purpose of detecting bugs and vulnerabilities within software. However, while fuzzing tools are proving to be effective, the evaluation of these tools remain difficult, partly due to a lack of proper benchmarks and performance measures. To solve this problem, Magma introduced forward-porting, a way of reintroducing bugs into later versions of that same software, which has since then been further investigated by other researchers. In this thesis, we further investigate the forward-porting system by applying it to an OpenJDK context. Specifically, we aim to find out how functional the forward-porting principle is with the later versions of OpenJDK 8. Our results suggest that for a single Java based vulnerability, the forward-porting procedure is indeed functional with the later versions of OpenJDK 8. While this thesis merely scratches the surface of a forward-porting effort within OpenJDK, we aim to provide insights into how this system can be applied within a specific OpenJDK context, in hopes of working towards improving fuzzer benchmarking.