Platform Tools Release 29.0.1 (5644136)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXSzuJgAKCRDorT+BmrEO
eAIYAJ92yVuK9sx3Nia7rHzLhB3/fLck5gCfYlbVd0vppGyf+Y6DO5LoyybwdjY=
=IGOa
-----END PGP SIGNATURE-----
Snap for 5590969 from 37df9eb97e8b1ea96ccf24acbec4690aae2ef1ff to sdk-release

Change-Id: I4b96a8383b1be9469b085e8305767ca0692f63bb
tree: 0216d428d963507374a444f568ff2b53ae0cf266
  1. .gitignore
  2. Android.bp
  3. CHANGELOG
  4. CONTRIBUTING
  5. COPYING
  6. Dockerfile
  7. METADATA
  8. MODULE_LICENSE_APACHE2
  9. Makefile
  10. OWNERS
  11. README.md
  12. arch.h
  13. cmdline.c
  14. cmdline.h
  15. display.c
  16. display.h
  17. docs/
  18. examples/
  19. fuzz.c
  20. fuzz.h
  21. hfuzz_cc/
  22. honggfuzz.c
  23. honggfuzz.h
  24. includes/
  25. input.c
  26. input.h
  27. libhfcommon/
  28. libhfnetdriver/
  29. libhfuzz/
  30. linux/
  31. mac/
  32. mangle.c
  33. mangle.h
  34. netbsd/
  35. posix/
  36. report.c
  37. report.h
  38. sanitizers.c
  39. sanitizers.h
  40. screenshot-honggfuzz-1.png
  41. socketfuzzer.c
  42. socketfuzzer.h
  43. socketfuzzer/
  44. subproc.c
  45. subproc.h
  46. third_party/
  47. tools/
README.md

honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for the description of command-line options.

  • It's multi-process and multi-threaded: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single supervising process. The file corpus is automatically shared and improved between the fuzzing threads and fuzzed processes.
  • It's blazingly fast when in the persistent fuzzing mode). A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K)
  • Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program)
  • Easy-to-use, feed it a simple corpus directory (can even be empty) and it will work its way up expanding it utilizing feedback-based coverage metrics
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing methods known from other fuzzers (libfuzzer, afl)
  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android
  • Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found here
  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache and OpenSSL)


Code

Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-4.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-3.6 or newer (clang-devel/4.0 suggested)
  • NetBSD - gmake, clang, capstone, libBlocksRuntime
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:

Projects utilizing Honggfuzz

Examples

The examples directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the OpenSSL library and in the Apache HTTPD web server.

Other

This is NOT an official Google product