Merge "Merge tag '2.3' into master" am: 5fb79d2bbb

Original change:


Change-Id: I2cf6dedcccf292fa07ebbcc88e49bf771b0f8a0b
tree: f69b47eeac6303e4f0ba33c3e347536956b31609
  1. .clang-format
  2. .gitattributes
  3. .gitignore
  4. Android.bp
  8. Dockerfile
  11. Makefile
  12. OWNERS
  14. arch.h
  15. cmdline.c
  16. cmdline.h
  17. display.c
  18. display.h
  19. docs/
  20. examples/
  21. fuzz.c
  22. fuzz.h
  23. hfuzz_cc/
  24. honggfuzz.c
  25. honggfuzz.h
  26. includes/
  27. input.c
  28. input.h
  29. libhfcommon/
  30. libhfnetdriver/
  31. libhfuzz/
  32. linux/
  33. mac/
  34. mangle.c
  35. mangle.h
  36. netbsd/
  37. posix/
  38. qemu_mode/
  39. report.c
  40. report.h
  41. sanitizers.c
  42. sanitizers.h
  43. screenshot-honggfuzz-1.png
  44. socketfuzzer.c
  45. socketfuzzer.h
  46. socketfuzzer/
  47. subproc.c
  48. subproc.h
  49. third_party/
  50. tools/



A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.



  • It‘s multi-process and multi-threaded: there’s no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.
  • It's blazingly fast when the persistent fuzzing mode) is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K).
  • Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date.
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).
  • Easy-to-use, feed it a simple corpus directory (can even be empty for the feedback-driven fuzzing), and it will work its way up, expanding it by utilizing feedback-based coverage metrics.
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also, see the new qemu mode for blackbox binary fuzzing.
  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.
  • Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly). More on that can be found here.
  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache HTTPS, OpenSSL, libjpeg etc.).
  • Provides a corpus minimization mode.


  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-5.0 or newer
  • NetBSD - gmake, clang, capstone, libBlocksRuntime
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)


Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:

Projects utilizing or inspired-by Honggfuzz


This is NOT an official Google product