Honggfuzz
Description
A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.
Code
Features
- It's multi-process and multi-threaded: there's no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.
- It's blazingly fast when the persistent fuzzing mode is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K).
- Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date.
- Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).
- Easy-to-use, feed it a simple corpus directory (can even be empty for the feedback-driven fuzzing), and it will work its way up, expanding it by utilizing feedback-based coverage metrics.
- Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also, see the new qemu mode for blackbox binary fuzzing.
- Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.
- Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly). More on that can be found here.
- It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache HTTPS, OpenSSL, libjpeg etc.).
- Provides a corpus minimization mode.
Requirements
- Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes
- FreeBSD - gmake, clang-5.0 or newer
- NetBSD - gmake, clang, capstone, libBlocksRuntime
- Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
- Windows - CygWin
- Darwin/OS X - Xcode 10.8+
- if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)
Trophies
Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:
- Dozens of security problems via the OSS-Fuzz project
- Pre-auth remote crash in OpenSSH
- Apache HTTPD
- Various SSL libs
- Remote OOB read in OpenSSL • CVE-2015-1789
- Remote Use-after-Free (potential RCE, rated as critical) in OpenSSL • CVE-2016-6309
- Remote OOB write in OpenSSL • CVE-2016-7054
- Remote OOB read in OpenSSL • CVE-2017-3731
- Uninitialized mem use in OpenSSL
- Crash in LibreSSL
- Invalid free in LibreSSL
- Uninitialized mem use in BoringSSL
- Adobe Flash memory corruption • CVE-2015-0316
- Multiple bugs in the libtiff library
- Multiple bugs in the librsvg library
- Multiple bugs in the poppler library
- Multiple exploitable bugs in IDA-Pro
- Remote DoS in Crypto++ • CVE-2016-9939
- Programming language interpreters
- Double-free in LibXMP
- Heap buffer overflow in SAPCAR • CVE-2017-8852
- Crashes in libbass
- FreeType 2:
- Stack corruption issues in the Windows OpenType parser: #1, #2, #3
- Infinite loop in NGINX Unit
- A couple of problems in the MATLAB MAT File I/O Library: #1, #2, #3, #4, #5
- Samba tdbdump + tdbtool, #2, #3, #4, #5, #6 CVE-2019-14907 CVE-2020-10745 CVE-2021-20277
- Crash in djvulibre
- Multiple crashes in VLC
- Buffer overflow in ClassiCube
- Heap buffer-overflow (or UAF) in MPV
- Heap buffer-overflow in picoc
- Crashes in OpenCOBOL: #1, #2
- DoS in ProFTPD: #1 • #2
- Multiple security problems in ImageIO (iOS/MacOS)
- Memory corruption in htmldoc
- Memory corruption in OpenDetex
- Memory corruption in Yabasic
- Memory corruption in Xfig
- Memory corruption in LibreOffice
- Memory corruption in ATasm
- Memory corruption in oocborrt • CVE-2020-24753
- Memory corruption in LibRaw
- NULL-ptr deref in peg-markdown
- Uninitialized value in MD4C • CVE-2020-26148
- 17 new bugs in fwupd
- Assertion in libvips
- Rust:
- ... and more
Projects utilizing or inspired-by Honggfuzz
- QuickFuzz by CIFASIS
- OSS-Fuzz
- Frog And Fuzz
- interpreters fuzzing: by dyjakan
- riufuzz: honggfuzz with AFL-like UI
- h2fuzz: fuzzing Apache's HTTP/2 implementation
- honggfuzz-dharma: honggfuzz with dharma grammar fuzzer
- Owl: a system for finding concurrency attacks
- honggfuzz-docker-apps
- FFW: Fuzzing For Worms
- honggfuzz-rs: fuzzing Rust with Honggfuzz
- roughenough-fuzz
- Monkey: a HTTP server
- Killerbeez API: a modular fuzzing framework
- FuzzM: a gray box model-based fuzzing framework
- FuzzOS: by Mozilla Security
- Android: by OHA
- QDBI: by Quarkslab
- fuzzer-test-suite: by Google
- DeepState: by Trail-of-Bits
- Quiche-HTTP/3: by Cloudflare
- Bolero: fuzz and property testing framework
- pwnmachine: a vagrantfile for exploit development on Linux
- Quick700: analyzing effectiveness of fuzzers on web browsers and web servers
- python-fuzz: gluing honggfuzz and python3
- Magma: a ground-truth fuzzing benchmark
- arbitrary-model-tests: a procedural macro for testing stateful models
- Clusterfuzz: the fuzzing engine behind OSS-fuzz/Chrome-fuzzing
- Apache HTTP Server
- centos-fuzz
- FLUFFI: Fully Localized Utility For Fuzzing Instantaneously by Siemens
- Fluent Bit: a fast log processor and forwarder for Linux
- Samba: a SMB server
- universal-fuzzing-docker: by nnamon
- Canokey Core: core implementations of an open-source secure key
- uberfuzz2: a cooperative fuzzing framework
- TiKV: a distributed transactional key-value database
- fuzz-monitor
- libmutator: a C library intended to generate random test cases by mutating legitimate test cases
- StatZone: a DNS zone file analyzer
- shub-fuzz/honggfuzz: singularity image for honggfuzz
- Code Intelligence: fuzzing-as-a-service
- SpecFuzz: fuzzing for Spectre vulnerabilities
- rcc: a Rust C compiler
- EIP1962Fuzzing: Fuzzy testing of various EIP1962 implementations
- wasm-fuzz: Fuzzing of wasmer, blog post
- propfuzz: Rust tools to combine coverage-guided fuzzing with property-based testing - from Facebook
- Bitcoin Core: fuzzing
- ESP32-Fuzzing-Framework: A Fuzzing Framework for ESP32 applications
- Fuzzbench: Fuzzer Benchmarking As a Service
- rumpsyscallfuzz: NetBSD Rump Kernel fuzzing
- libnbd: fuzzing libnbd with honggfuzz
- EnsmallenGraph: Rust library to run node2vec-like weighted random walks on very big graphs
- Oasis Core
- bp7-rs: Rust implementation of dtn bundle protocol 7
- WHATWG: URL C++ library
- Xaya Core / Chimera: A decentralized open source information registration and transfer system
- OpenWRT: A Linux operating system targeting embedded devices
- RcppDeepStateTools: A Linux-specific R package, with R functions for running the DeepState test harness
- Materialize: A streaming database for real-time applications
- Rust-Bitcoin
- Substrate: A next-generation framework for blockchain innovation
- Solana: A fast, secure, and censorship resistant blockchain
- fwupd: A project that aims to make updating firmware on Linux automatic, safe and reliable
- polkadot: Implementation of a https://polkadot.network node in Rust based on the Substrate framework
- P0: Fuzzing ImageIO
- Rust's fuzztest
Contact
- User mailing list: [email protected], sign up with this link.
This is NOT an official Google product