Search papers, labs, and topics across Lattice.
This paper systematically categorizes the low-level attack surface of modern web browsers by developing an Input x Component x Privilege taxonomy, which provides a unified view of browser architectures. By analyzing 2,233 memory corruption reports from 2016 to 2025, the authors reveal that existing security testing predominantly targets well-explored components, leaving high-risk areas underexamined. The findings highlight significant gaps in fuzzer deployment, underscoring the need for more comprehensive testing strategies to enhance browser security.
Current browser security testing misses high-impact vulnerabilities, focusing instead on well-trodden paths while leaving critical attack surfaces exposed.
The web browser remains one of the most exposed remote attack surfaces on end-user systems, and memory-corruption flaws continue to play a central role in real-world browser exploitation. Despite a decade of intensive browser testing and bug-disclosure efforts, the community still lacks an explicit, defense-oriented systematization of the browser's low-level attack surface. Prior SoKs have surveyed browser vulnerabilities and mitigation techniques. However, these perspectives remain fragmented, leaving open a central question: how is the low-level attack surface of modern web browsers structured, and which parts of this surface remain underexplored by existing security testing? We approach this primary question through three sub-questions. (RQ1) How is the browser's attack surface structured along input classes and components? (RQ2) Where do memory corruption vulnerabilities arise within this taxonomy? (RQ3) What do these attack-surface patterns imply for existing browser security testing? To answer RQ1, we derive an architecture-grounded Input x Component x Privilege taxonomy that abstracts the architectures of browsers into a unified view. To answer RQ2, we map 2,233 memory corruption reports disclosed between 2016 and 2025 onto this taxonomy. To answer RQ3, we overlay a decade of academic browser fuzzers, classified by the targeted input class, onto the bug-density map. Our systematization reveals that current testing concentrates on well-explored components while bug-dense, high-impact surfaces remain insufficiently tested. Moreover, we identify three fuzzer deployment gaps, which are orthogonal to the academic efforts. Our work offers a structured foundation for future browser security research.