Honggfuzz is capable of performing feedback-guided (code coverage driven) fuzzing. It can utilize the following sources of data:
- Sanitizer-coverage instrumentation (-fsanitize-coverage=bb)
- Compile-time instrumentation (-finstrument-functions or -fsanitize-coverage=trace-pc[-guard],indirect-calls,trace-cmp, or both)
- (Linux) hardware performance counters (instructions, branches) read through the perf subsystem
- (Linux) Intel BTS and Intel PT branch tracing

Developers may provide the initial file corpus, which will be gradually improved upon, but it is not necessary with feedback-driven modes.
Compiler support required for each software-based coverage instrumentation flag:
- -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp: Clang >= 5.0
- -fsanitize-coverage=trace-pc: GCC >= 9.0
- -fsanitize-coverage=bb: Clang >= 3.7
- -finstrument-functions: GCC or Clang
- -fsanitize-coverage=trace-pc,indirect-calls: Clang >= 3.9

Note: The -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp set of flags is added automatically to clang's command line when compiling with the hfuzz-clang binary:
$ <honggfuzz_dir>/honggfuzz/hfuzz_cc/hfuzz-clang terminal-test.c -o terminal-test
The implemented strategy identifies inputs which add new code coverage (or increase the instruction/branch counters). Those inputs are added to a corpus that is kept dynamically in memory and reused during the following fuzzing rounds.
There are two phases of feedback-driven fuzzing:
Here you can use the following compile-time instrumentation:
- gcc/clang -finstrument-functions (less precise: it only records function entry and exit, not individual branches)
- clang -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp (trace-cmp adds an additional comparison map to the instrumentation)

Note: The -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp set of flags is added automatically to clang's command line when compiling with the hfuzz-clang binary. hfuzz-clang will also link your code with libhfuzz.a, which provides the callbacks that this instrumentation calls into.
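To make concrete what the trace-pc-guard and trace-cmp instrumentation hands to libhfuzz.a, and how the strategy above decides which inputs are worth keeping, here is an added example that is not honggfuzz's or libhfuzz's code: it implements the same compiler hooks itself and runs a toy target through them. It is clang-specific, relies on __attribute__((no_sanitize("coverage"))) (clang >= 13) to keep its own helpers uninstrumented, and its table sizes, its equal-bits scoring of comparisons, the toy target and the constructed inputs are all this example's assumptions rather than anything honggfuzz does.

```c
/* Added example, not honggfuzz's or libhfuzz's code: a minimal stand-in for the
 * coverage-feedback callbacks libhfuzz.a normally supplies, to show what
 * -fsanitize-coverage=trace-pc-guard,trace-cmp hands to the fuzzer.
 * Build with plain clang, NOT hfuzz-clang (libhfuzz.a already defines these
 * symbols, so that link would fail); -O0 keeps the toy branches from folding:
 *   clang -O0 -fsanitize-coverage=trace-pc-guard,trace-cmp cov_demo.c -o cov_demo
 * Built without the flag it still compiles and runs, but no hooks ever fire. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_GUARDS   65536 /* one byte per instrumented edge (assumed size) */
#define CMP_MAP_SIZE  8192 /* the "comparison map" trace-cmp feeds (assumed size) */

/* Clang skips __sanitizer_* functions but would instrument our helpers, and an
 * instrumented helper called from a hook recurses forever. no_sanitize("coverage")
 * needs clang >= 13; on older clang, build the helpers in a separate file. */
#if defined(__clang__)
#define NO_COV __attribute__((no_sanitize("coverage")))
#else
#define NO_COV
#endif

static uint8_t  guard_seen[MAX_GUARDS];
static uint8_t  cmp_map[CMP_MAP_SIZE];
static uint32_t next_guard_id = 1;
static uint64_t new_edges_this_run, new_cmps_this_run;

/* Edge feedback: 1 the first time an edge id is ever seen, 0 afterwards. */
NO_COV int cov_record_guard(uint32_t guard_id) {
    if (guard_id == 0 || guard_id >= MAX_GUARDS || guard_seen[guard_id]) return 0;
    guard_seen[guard_id] = 1;
    new_edges_this_run++;
    return 1;
}

/* Comparison feedback: score a compare at `pc` by how many operand bits are
 * equal and keep the best score per slot. Returns 1 when the score improved,
 * i.e. the input got closer to passing the check (solving a magic value a few bits at a time). */
NO_COV int cov_record_cmp(uintptr_t pc, uint64_t a, uint64_t b, unsigned width_bits) {
    uint64_t mask = width_bits >= 64 ? ~0ULL : ((1ULL << width_bits) - 1);
    unsigned equal_bits = width_bits - (unsigned)__builtin_popcountll((a ^ b) & mask);
    size_t slot = (size_t)(pc >> 1) % CMP_MAP_SIZE;
    if (equal_bits <= cmp_map[slot]) return 0;
    cmp_map[slot] = (uint8_t)equal_bits;
    new_cmps_this_run++;
    return 1;
}

/* Corpus decision: keep the input if this run added an edge or improved a compare. */
NO_COV void cov_iteration_begin(void) { new_edges_this_run = new_cmps_this_run = 0; }
NO_COV int  cov_iteration_interesting(void) { return new_edges_this_run > 0 || new_cmps_this_run > 0; }

/* trace-pc-guard: number every edge once at startup, then report each hit. */
void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
    for (uint32_t *g = start; g < stop; g++)
        if (*g == 0) *g = next_guard_id++;
}
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { cov_record_guard(*guard); }

/* trace-cmp: one hook per integer compare (const_ variants when an operand is
 * constant) plus a switch hook; every one must be defined for the link to succeed. */
#define CMP_HOOK(name, type, bits) \
    void name(type a, type b) { cov_record_cmp((uintptr_t)__builtin_return_address(0), a, b, bits); }
CMP_HOOK(__sanitizer_cov_trace_cmp1, uint8_t, 8)
CMP_HOOK(__sanitizer_cov_trace_cmp2, uint16_t, 16)
CMP_HOOK(__sanitizer_cov_trace_cmp4, uint32_t, 32)
CMP_HOOK(__sanitizer_cov_trace_cmp8, uint64_t, 64)
CMP_HOOK(__sanitizer_cov_trace_const_cmp1, uint8_t, 8)
CMP_HOOK(__sanitizer_cov_trace_const_cmp2, uint16_t, 16)
CMP_HOOK(__sanitizer_cov_trace_const_cmp4, uint32_t, 32)
CMP_HOOK(__sanitizer_cov_trace_const_cmp8, uint64_t, 64)
void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) { (void)val; (void)cases; }

/* Toy target (constructed for this example): magic "BLFH" guards a length-checked body. */
int toy_target(const uint8_t *data, size_t len) {
    if (len < 8) return 0;
    uint32_t magic = (uint32_t)data[0] | (uint32_t)data[1] << 8 |
                     (uint32_t)data[2] << 16 | (uint32_t)data[3] << 24;
    if (magic != 0x48464C42u) return 1; /* "BLFH": a const_cmp4 hook fires here */
    uint32_t n = (uint32_t)data[4] | (uint32_t)data[5] << 8 |
                 (uint32_t)data[6] << 16 | (uint32_t)data[7] << 24;
    if (n > len - 8) return 2;          /* length field exceeds the payload */
    return 3;                           /* return value names the branch taken */
}

/* One iteration as honggfuzz runs it: reset counters, run the target, decide on corpus entry. */
int fuzz_one_input(const uint8_t *data, size_t len) {
    cov_iteration_begin();
    toy_target(data, len);
    return cov_iteration_interesting();
}

int main(void) {
    /* Constructed sample inputs, not real corpus files. */
    static const uint8_t junk[8]  = { 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
    static const uint8_t magic[8] = { 'B', 'L', 'F', 'H', 0, 0, 0, 0 };
    printf("junk:       interesting=%d\n", fuzz_one_input(junk, sizeof junk));
    printf("junk again: interesting=%d\n", fuzz_one_input(junk, sizeof junk));
    printf("magic:      interesting=%d\n", fuzz_one_input(magic, sizeof magic));
    return 0;
}
```

Compiled with the flags in the header comment, the three runs report interesting=1, 0, 1: the first input exercises edges and comparisons never seen before, the identical input adds nothing, and the correct magic opens a new branch (and raises the comparison score to a full match). Built without the flags, or with a non-clang compiler, every run reports 0 because no hooks fire; that is a cheap sanity check that instrumentation actually took effect before you hand a binary to honggfuzz.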
This mode takes into consideration pairs (tuples) of jumps, recording unique from-to jump pairs. The data comes from the Intel BTS (Branch Trace Store) facility of the CPU, read through the Linux perf subsystem.
$ <honggfuzz_dir>/honggfuzz --linux_perf_bts_edge -i input_corpus -- /usr/bin/xmllint -format ___FILE___
This mode utilizes Intel's PT (Processor Trace) subsystem, which should be considerably faster than BTS (Branch Trace Store) but currently produces less precise results.
$ <honggfuzz_dir>/honggfuzz --linux_perf_ipt_block -i input_corpus -- /usr/bin/xmllint -format ___FILE___
This mode tries to maximize the number of instructions executed during each process iteration. The counters are taken from the Linux perf subsystem. Intel, AMD and even other CPU architectures are supported for this mode.
$ <honggfuzz_dir>/honggfuzz --linux_perf_instr -i input_corpus -- /usr/bin/xmllint -format ___FILE___
As above, it tries to maximize the number of branches taken by the CPU on behalf of the fuzzed process (here: xmllint) during each fuzzing iteration. Intel, AMD and even other CPU architectures are supported for this mode. In the command below, -F 2500 caps the size of the generated input files at 2500 bytes (honggfuzz's --max_file_size option).
$ <honggfuzz_dir>/honggfuzz --linux_perf_branch -i input_corpus -F 2500 -- /usr/bin/xmllint -format ___FILE___