Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / honggfuzz / edf9f8da9e6e17bc86b1c5fac4455e8e3981231f
commitedf9f8da9e6e17bc86b1c5fac4455e8e3981231f[log] [tgz]
authordobin <dobin@broken.ch>Sun Jan 21 13:57:02 2018 +0100
committerdobin <dobin@broken.ch>Sun Jan 21 13:57:02 2018 +0100
tree1295e585d1d79f906eb39dc6a0df55e7d1205d6c
parentc0941ca207ca9bc2719a840553f7b5d56686492c [diff]
Support external fuzzer and provide code coverage

Aka The FFW honggfuzz patch.

This proposed patch for honggfuzz is used by the fuzzing for worms (FFW) framework available here: github.com/dobin/ffw
This patch makes it possible to use honggfuzz as a code coverage tool for long-living (network-) servers.

It provides the following functionality:
* A socket interface for an external fuzzer
* Support for code coverage of long living processes

The socket interface supports the following messages:
* Honggfuzz -> Fuzzer: "Fuzz": Send fuzz data to target
* Honggfuzz -> Fuzzer: "Cras": Target crashed
* Honggfuzz -> Fuzzer: "New!": New basic block reached
* Fuzzer -> Honggfuzz: "okay": Fuzzer sent his stuff to target
* Fuzzer -> Honggfuzz: "bad!": The server is unreachable

Honggfuzz will implement the following tasks:
* Start the target
* Restart the target if it crashes
* Restart the target if a crash/hang is detected by the fuzzer
* Provide code coverage information about new basic blocks

An example vulnerable server plus tests have been provided in the
`socketfuzzer/` directory.
15 files changed
tree: 1295e585d1d79f906eb39dc6a0df55e7d1205d6c
  1. android/
  2. docs/
  3. examples/
  4. hfuzz_cc/
  5. includes/
  6. libhfcommon/
  7. libhfnetdriver/
  8. libhfuzz/
  9. linux/
  10. mac/
  11. posix/
  12. socketfuzzer/
  13. third_party/
  14. tools/
  15. .gitignore
  16. .gitmodules
  17. arch.h
  18. CHANGELOG
  19. cmdline.c
  20. cmdline.h
  21. CONTRIBUTING
  22. COPYING
  23. display.c
  24. display.h
  25. Dockerfile
  26. fuzz.c
  27. fuzz.h
  28. honggfuzz.c
  29. honggfuzz.h
  30. input.c
  31. input.h
  32. Makefile
  33. mangle.c
  34. mangle.h
  35. README.md
  36. report.c
  37. report.h
  38. sancov.c
  39. sancov.h
  40. sanitizers.c
  41. sanitizers.h
  42. screenshot-honggfuzz-1.png
  43. socketfuzzer.c
  44. socketfuzzer.h
  45. subproc.c
  46. subproc.h
README.md

honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for more data on the usage.

  • It's multi-threaded and multi-process: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores. The file corpus is shared between threads (and fuzzed instances)
  • It's blazingly fast (esp. in the persistent fuzzing mode). A simple LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K)
  • Has a nice track record of uncovered security bugs: e.g. the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux). As opposed to other fuzzers, it will discover and report hidden signals (caught and potentially hidden by signal handlers)
  • Easy-to-use, feed it a simple input corpus (can even consist of a single, 1-byte file) and it will work its way up expanding it utilizing feedback-based coverage metrics
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing methods known from other fuzzers (libfuzzer, afl)
  • Works (at least) under GNU/Linux, FreeBSD, Mac OS X, Windows/CygWin and Android
  • Supports persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found here
  • Can fuzz remote/standalone long-lasting processes (e.g. network servers like Apache's httpd and ISC's bind), though the persistent fuzzing mode is suggested instead: as it's faster and multiple instances of a service can be fuzzed at once in this mode
  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache and OpenSSL)

Code

  • Latest stable version: 1.3, but using the master branch is highly encouraged
  • Changelog

Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-4.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-3.6 or newer (clang-devel/4.0 suggested)
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:

Projects utilizing Honggfuzz

Examples

The examples directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the OpenSSL library and in the Apache HTTPD web server.

Other

This is NOT an official Google product