Update FeedbackDrivenFuzzing.md
README.md

honggfuzz

Description

A security-oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for more details on the usage.

  • It's multi-threaded and multi-process: no need to run multiple copies of your fuzzer. The file corpus is shared between threads (and fuzzed instances).
  • It's blazingly fast (especially in the persistent fuzzing mode). A simple LLVMFuzzerTestOneInput function can be tested at up to 1 million iterations per second on a modern CPU (e.g. i7-6600K).
  • Has a nice track record of uncovered security bugs: e.g. the only (to date) vulnerability in OpenSSL with a critical severity rating was discovered by honggfuzz.
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux). As opposed to other fuzzers, it will discover and report handled (caught by signal handlers) or hidden signals.
  • Easy to use: just provide it with an input corpus (which can consist of a single file) and it will work its way up, expanding it using feedback-based coverage metrics.
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing methods.
  • Works (at least) under GNU/Linux, FreeBSD, Mac OS X, Windows/CygWin and Android.
  • Supports persistent fuzzing mode (a long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that here.
  • Can fuzz remote/standalone long-lasting processes (e.g. network servers like Apache's httpd and ISC's bind).
  • It comes with the examples directory, consisting of real-world fuzz setups for widely-used software (e.g. Apache and OpenSSL).
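The persistent mode mentioned above is driven by an LLVMFuzzerTestOneInput function that honggfuzz calls repeatedly inside one long-lived process. The following is an added example, not code from the honggfuzz project: a harness for a constructed, hypothetical length-prefixed record parser, with the build and run commands given as assumptions.

```c
/* Added example, not honggfuzz's own code: a persistent-mode harness around
 * a constructed, hypothetical parser. honggfuzz's libhfuzz calls
 * LLVMFuzzerTestOneInput once per generated input without restarting the
 * process, so the harness must be deterministic and keep no state between
 * calls, or later inputs will be judged against leftover state.
 *
 * Assumed build/run commands (hfuzz-clang wraps clang with the instrumentation
 * honggfuzz's software-based coverage mode needs):
 *   hfuzz-clang harness.c -o harness
 *   honggfuzz -i corpus/ -- ./harness
 */
#include <stddef.h>
#include <stdint.h>

/* Parse records of the form [1-byte length][payload]... and return how many
 * complete records were found, or -1 if a record claims more bytes than
 * remain in the buffer. The bounds check is what keeps a truncated record
 * from reading past the end of the input the fuzzer handed us. */
int parse_records(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t rec_len = buf[pos++];
        if (rec_len > len - pos) {
            return -1; /* truncated record: reject instead of over-reading */
        }
        pos += rec_len;
        count++;
    }
    return count;
}

/* Entry point called by honggfuzz (same signature as libFuzzer) for every
 * input. Returning 0 follows the libFuzzer convention. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
    (void)parse_records(buf, len);
    return 0;
}
```

Crashes and sanitizer reports raised inside parse_records are caught by honggfuzz's process monitoring and the offending input is saved for analysis.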

Code

  • Latest stable version: 0.9, but using a copy of the master branch is highly encouraged
  • Changelog

Requirements

  • Linux - the BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev); clang-4.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-3.6 or newer (clang-devel/4.0 suggested)
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • If Clang/LLVM is used to compile honggfuzz, link it with the BlocksRuntime library (libblocksruntime-dev)

Trophies

The tool has been used to find a few interesting security problems in major software packages. Examples:

Examples

The examples directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the OpenSSL library and in the Apache web server.

Other

This is NOT an official Google product.