Honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.

Code

• Latest stable version: 2.3
• Changelog

Features

• It‘s multi-process and multi-threaded: there’s no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.
• It's blazingly fast when the persistent fuzzing mode) is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K).
• Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date.
• Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).
• Easy-to-use, feed it a simple corpus directory (can even be empty for the feedback-driven fuzzing), and it will work its way up, expanding it by utilizing feedback-based coverage metrics.
• Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also, see the new qemu mode for blackbox binary fuzzing.
• Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.
• Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly). More on that can be found here.
• It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache HTTPS, OpenSSL, libjpeg etc.).
• Provides a corpus minimization mode.

Requirements

• Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes
• FreeBSD - gmake, clang-5.0 or newer
• NetBSD - gmake, clang, capstone, libBlocksRuntime
• Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
• Windows - CygWin
• Darwin/OS X - Xcode 10.8+
• if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:

• Dozens of security problems via the OSS-Fuzz project
• Pre-auth remote crash in OpenSSH
• Apache HTTPD
  • Remote crash in mod_http2 • CVE-2017-7659
  • Use-after-free in mod_http2 • CVE-2017-9789
  • Memory leak in mod_auth_digest • CVE-2017-9788
  • Out of bound access • CVE-2018-1301
  • Write after free in HTTP/2 • CVE-2018-1302
  • Out of bound read • CVE-2018-1303
• Various SSL libs
  • Remote OOB read in OpenSSL • CVE-2015-1789
  • Remote Use-after-Free (potential RCE, rated as critical) in OpenSSL • CVE-2016-6309
  • Remote OOB write in OpenSSL • CVE-2016-7054
  • Remote OOB read in OpenSSL • CVE-2017-3731
  • Uninitialized mem use in OpenSSL
  • Crash in LibreSSL
  • Invalid free in LibreSSL
  • Uninitialized mem use in BoringSSL
• Adobe Flash memory corruption • CVE-2015-0316
• Multiple bugs in the libtiff library
• Multiple bugs in the librsvg library
• Multiple bugs in the poppler library
• Multiple exploitable bugs in IDA-Pro
• Remote DoS in Crypto++ • CVE-2016-9939
• Programming language interpreters
  • PHP/Python/Ruby
  • PHP WDDX
  • PHP
  • Perl: #1, #2, #3
• Double-free in LibXMP
• Heap buffer overflow in SAPCAR • CVE-2017-8852
• Crashes in libbass
• FreeType 2:
  • CVE-2010-2497
  • CVE-2010-2498
  • CVE-2010-2499
  • CVE-2010-2500
  • CVE-2010-2519
  • CVE-2010-2520
  • CVE-2010-2527
• Stack corruption issues in the Windows OpenType parser: #1, #2, #3
• Infinite loop in NGINX Unit
• A couple of problems in the MATLAB MAT File I/O Library: #1, #2, #3, #4, #5
• Samba tdbdump + tdbtool, #2, #3, #4, #5, #6 CVE-2019-14907 CVE-2020-10745
• Crash in djvulibre
• Multiple crashes in VLC
• Buffer overflow in ClassiCube
• Heap buffer-overflow (or UAF) in MPV
• Heap buffer-overflow in picoc
• Crashes in OpenCOBOL: #1, #2
• DoS in ProFTPD: #1, #2
• Multiple security problems in ImageIO (iOS/MacOS)
• Memory corruption in htmldoc
• Memory corruption in OpenDetex
• Memory corruption in Yabasic
• Memory corruption in Xfig
• Memory corruption in LibreOffice
• Memory corruption in ATasm
• Memory corruption in LibRaw
• Rust:
  • panic() in regex #1, #2, #3
  • panic() in h2 #1, #2, #3
  • panic() in sleep-parser #1
  • panic() in lewton #1
  • panic()/DoS in Ethereum-Parity #1
  • crash() in Parts - a GPT partition manager #1
  • crashes in rust-bitcoin/rust-lightning #1
• ... and more

Projects utilizing or inspired-by Honggfuzz

• QuickFuzz by CIFASIS
• OSS-Fuzz
• Frog And Fuzz
• interpreters fuzzing: by dyjakan
• riufuzz: honggfuzz with AFL-like UI
• h2fuzz: fuzzing Apache's HTTP/2 implementation
• honggfuzz-dharma: honggfuzz with dharma grammar fuzzer
• Owl: a system for finding concurrency attacks
• honggfuzz-docker-apps
• FFW: Fuzzing For Worms
• honggfuzz-rs: fuzzing Rust with Honggfuzz
• roughenough-fuzz
• Monkey: a HTTP server
• Killerbeez API: a modular fuzzing framework
• FuzzM: a gray box model-based fuzzing framework
• FuzzOS: by Mozilla Security
• Android: by OHA
• QDBI: by Quarkslab
• fuzzer-test-suite: by Google
• DeepState: by Trail-of-Bits
• Quiche-HTTP/3: by Cloudflare
• Bolero: fuzz and property testing framework
• pwnmachine: a vagrantfile for exploit development on Linux
• Quick700: analyzing effectiveness of fuzzers on web browsers and web servers
• python-fuzz: gluing honggfuzz and python3
• Magma: a ground-truth fuzzing benchmark
• arbitrary-model-tests: a procedural macro for testing stateful models
• Clusterfuzz: the fuzzing engine behind OSS-fuzz/Chrome-fuzzing
• Apache HTTP Server
• centos-fuzz
• FLUFFI: Fully Localized Utility For Fuzzing Instantaneously by Siemens
• Fluent Bit: a fast log processor and forwarder for Linux
• Samba: a SMB server
• universal-fuzzing-docker: by nnamon
• Canokey Core: core implementations of an open-source secure key
• uberfuzz2: a cooperative fuzzing framework
• TiKV: a distributed transactional key-value database
• fuzz-monitor
• libmutator: a C library intended to generate random test cases by mutating legitimate test cases
• StatZone: a DNS zone file analyzer
• shub-fuzz/honggfuzz: singularity image for honggfuzz
• Code Intelligence: fuzzing-as-a-service
• SpecFuzz: fuzzing for Spectre vulnerabilities
• rcc: a Rust C compiler
• EIP1962Fuzzing: Fuzzy testing of various EIP1962 implementations
• wasm-fuzz: Fuzzing of wasmer, blog post
• propfuzz: Rust tools to combine coverage-guided fuzzing with property-based testing - from Facebook
• Bitcoin Core: fuzzing
• ESP32-Fuzzing-Framework: A Fuzzing Framework for ESP32 applications
• Fuzzbench: Fuzzer Benchmarking As a Service
• rumpsyscallfuzz: NetBSD Rump Kernel fuzzing
• libnbd: fuzzing libnbd with honggfuzz
• P0: Fuzzing ImageIO
  • TrapFuzz: by P0
• Rust's fuzztest
  • and multiple Rust projecs

Contact

• User mailing list: honggfuzz@googlegroups.com, sign up with this link.

This is NOT an official Google product