Google Git
Sign in
android / platform / external / honggfuzz / 5413f0a42e122aeb28f087f4177628b745083ac0
commit5413f0a42e122aeb28f087f4177628b745083ac0[log] [tgz]
authorRobert Swiecki <robert@swiecki.net>Wed Jul 22 21:51:47 2020 +0200
committerRobert Swiecki <robert@swiecki.net>Wed Jul 22 21:52:14 2020 +0200
tree72d5e2df4cff7c49b68d4a3b4368ac286a27b9e4
parentfb133c8a3972a89a37ce62b28854025304d1504f [diff]
Prepare for version 2.3
3 files changed
tree: 72d5e2df4cff7c49b68d4a3b4368ac286a27b9e4
  1. android/
  2. docs/
  3. examples/
  4. hfuzz_cc/
  5. includes/
  6. libhfcommon/
  7. libhfnetdriver/
  8. libhfuzz/
  9. linux/
  10. mac/
  11. netbsd/
  12. posix/
  13. qemu_mode/
  14. socketfuzzer/
  15. third_party/
  16. tools/
  17. .clang-format
  18. .gitattributes
  19. .gitignore
  20. .gitmodules
  21. arch.h
  22. CHANGELOG
  23. cmdline.c
  24. cmdline.h
  25. CONTRIBUTING.md
  26. COPYING
  27. display.c
  28. display.h
  29. Dockerfile
  30. fuzz.c
  31. fuzz.h
  32. honggfuzz.c
  33. honggfuzz.h
  34. input.c
  35. input.h
  36. Makefile
  37. mangle.c
  38. mangle.h
  39. README.md
  40. report.c
  41. report.h
  42. sanitizers.c
  43. sanitizers.h
  44. screenshot-honggfuzz-1.png
  45. socketfuzzer.c
  46. socketfuzzer.h
  47. subproc.c
  48. subproc.h
README.md

Honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.

Code

Features

  • It‘s multi-process and multi-threaded: there’s no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.
  • It's blazingly fast when the persistent fuzzing mode) is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K).
  • Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date.
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).
  • Easy-to-use, feed it a simple corpus directory (can even be empty for the feedback-driven fuzzing), and it will work its way up, expanding it by utilizing feedback-based coverage metrics.
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also, see the new qemu mode for blackbox binary fuzzing.
  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.
  • Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly). More on that can be found here.
  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache HTTPS, OpenSSL, libjpeg etc.).
  • Provides a corpus minimization mode.

Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-5.0 or newer
  • NetBSD - gmake, clang, capstone, libBlocksRuntime
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:

Projects utilizing or inspired-by Honggfuzz

Contact

This is NOT an official Google product