SoK: Taxonomizing the Low-Level Attack Surface of Modern Web Browsers

📅 2026-06-15
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the lack of a systematic, defense-oriented classification of the browser attack surface at the architectural level, which has led to uneven security testing coverage. The authors propose the first architecture-driven unified taxonomy based on a three-dimensional model—input × component × privilege—and conduct a systematic analysis of 2,233 memory corruption vulnerabilities disclosed between 2016 and 2025. By integrating vulnerability mapping, architectural abstraction, and categorization of fuzzing tools, they evaluate coverage gaps in existing fuzzers. Their findings reveal that current testing efforts are overly concentrated on well-explored components, while high-risk, high-impact areas remain significantly under-tested. The work identifies three critical gaps in academic fuzzer deployment and provides a structured foundation and directional guidance for future browser security research.
📝 Abstract
The web browser remains one of the most exposed remote attack surfaces on end-user systems, and memory-corruption flaws continue to play a central role in real-world browser exploitation. Despite a decade of intensive browser testing and bug-disclosure efforts, the community still lacks an explicit, defense-oriented systematization of the browser's low-level attack surface. Prior SoKs have surveyed browser vulnerabilities and mitigation techniques. However, these perspectives remain fragmented, leaving open a central question: how is the low-level attack surface of modern web browsers structured, and which parts of this surface remain underexplored by existing security testing? We approach this primary question through three sub-questions. (RQ1) How is the browser's attack surface structured along input classes and components? (RQ2) Where do memory corruption vulnerabilities arise within this taxonomy? (RQ3) What do these attack-surface patterns imply for existing browser security testing? To answer RQ1, we derive an architecture-grounded Input x Component x Privilege taxonomy that abstracts the architectures of browsers into a unified view. To answer RQ2, we map 2,233 memory corruption reports disclosed between 2016 and 2025 onto this taxonomy. To answer RQ3, we overlay a decade of academic browser fuzzers, classified by the targeted input class, onto the bug-density map. Our systematization reveals that current testing concentrates on well-explored components while bug-dense, high-impact surfaces remain insufficiently tested. Moreover, we identify three fuzzer deployment gaps, which are orthogonal to the academic efforts. Our work offers a structured foundation for future browser security research.
Problem

Research questions and friction points this paper is trying to address.

attack surface
web browsers
memory corruption
security testing
taxonomy
Innovation

Methods, ideas, or system contributions that make the work stand out.

attack surface taxonomy
memory corruption
browser security
fuzzing gaps
input-component-privilege model
🔎 Similar Papers
No similar papers found.