All Projects → rust-fuzz → Honggfuzz Rs

rust-fuzz / Honggfuzz Rs

Licence: other
Fuzz your Rust code with Google-developed Honggfuzz !

Programming Languages

rust
11053 projects

Projects that are alternatives of or similar to Honggfuzz Rs

Libdiffuzz
Custom memory allocator that helps discover reads from uninitialized memory
Stars: ✭ 147 (-33.78%)
Mutual labels:  security-tools, security-testing, fuzzing, fuzz-testing
Syzkaller
syzkaller is an unsupervised coverage-guided kernel fuzzer
Stars: ✭ 3,841 (+1630.18%)
Mutual labels:  security-tools, fuzzing, fuzzer, fuzz-testing
Aflplusplus
The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
Stars: ✭ 2,319 (+944.59%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Ansvif
A Not So Very Intelligent Fuzzer: An advanced fuzzing framework designed to find vulnerabilities in C/C++ code.
Stars: ✭ 107 (-51.8%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
fuzzuf
Fuzzing Unification Framework
Stars: ✭ 263 (+18.47%)
Mutual labels:  fuzzing, fuzz-testing, fuzzer
Fisy Fuzz
This is the full file system fuzzing framework that I presented at the Hack in the Box 2020 Lockdown Edition conference in April.
Stars: ✭ 110 (-50.45%)
Mutual labels:  security-tools, fuzzing, fuzzer
Fuzzdicts
Web Pentesting Fuzz 字典,一个就够了。
Stars: ✭ 4,013 (+1707.66%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Example Go
Go Fuzzit Example
Stars: ✭ 39 (-82.43%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Sharpfuzz
AFL-based fuzz testing for .NET
Stars: ✭ 185 (-16.67%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Pythonfuzz
coverage guided fuzz testing for python
Stars: ✭ 175 (-21.17%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Jsfuzz
coverage guided fuzz testing for javascript
Stars: ✭ 532 (+139.64%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Javafuzz
coverage guided fuzz testing for java
Stars: ✭ 193 (-13.06%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Gramfuzz
gramfuzz is a grammar-based fuzzer that lets one define complex grammars to generate text and binary data formats.
Stars: ✭ 209 (-5.86%)
Mutual labels:  fuzzing, fuzzer
Clusterfuzz Tools
Bugs are inevitable. Suffering is optional.
Stars: ✭ 111 (-50%)
Mutual labels:  fuzzing, fuzzer
Fuzzing Survey
The Art, Science, and Engineering of Fuzzing: A Survey
Stars: ✭ 116 (-47.75%)
Mutual labels:  fuzzing, fuzzer
Snodge
Randomly mutate JSON, XML, HTML forms, text and binary data for fuzz testing
Stars: ✭ 121 (-45.5%)
Mutual labels:  fuzzing, fuzz-testing
Janus
Janus: a state-of-the-art file system fuzzer on Linux
Stars: ✭ 139 (-37.39%)
Mutual labels:  fuzzing, fuzzer
Crlf Injection Scanner
Command line tool for testing CRLF injection on a list of domains.
Stars: ✭ 91 (-59.01%)
Mutual labels:  fuzzing, fuzzer
Sienna Locomotive
A user-friendly fuzzing and crash triage tool for Windows
Stars: ✭ 130 (-41.44%)
Mutual labels:  fuzzing, fuzzer
Fuzzit
CLI to integrate continuous fuzzing with Fuzzit
Stars: ✭ 220 (-0.9%)
Mutual labels:  fuzzing, fuzz-testing

honggfuzz-rs Build Status Crates.io Documentation

Fuzz your Rust code with Google-developed Honggfuzz !

Documentation

asciicast

About Honggfuzz

Honggfuzz is a security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (software- and hardware-based).

Compatibility

  • Rust: stable, beta, nightly
  • OS: GNU/Linux, macOS, FreeBSD, NetBSD, Android, WSL (Windows Subsystem for Linux)
  • Arch: x86_64, x86, arm64-v8a, armeabi-v7a, armeabi
  • Sanitizer: none, address, thread, leak

Dependencies

Linux

  • C compiler: cc
  • GNU Make: make
  • GNU Binutils development files for the BFD library: libbfd.h
  • libunwind development files: libunwind.h
  • Blocks runtime library (when compiling with clang)
  • liblzma development files

For example on Debian and its derivatives:

sudo apt install build-essential binutils-dev libunwind-dev libblocksruntime-dev liblzma-dev

How to use this crate

Install honggfuzz commands to build with instrumentation and fuzz

# installs hfuzz and honggfuzz subcommands in cargo
cargo install honggfuzz

Add to your dependencies

[dependencies]
honggfuzz = "0.5"

Create a target to fuzz

use honggfuzz::fuzz;

fn main() {
    // Here you can parse `std::env::args and
    // setup / initialize your project

    // You have full control over the loop but
    // you're supposed to call `fuzz` ad vitam aeternam
    loop {
        // The fuzz macro gives an arbitrary object (see `arbitrary crate`)
        // to a closure-like block of code.
        // For performance reasons, it is recommended that you use the native type
        // `&[u8]` when possible.
        // Here, this slice will contain a "random" quantity of "random" data.
        fuzz!(|data: &[u8]| {
            if data.len() != 3 {return}
            if data[0] != b'h' {return}
            if data[1] != b'e' {return}
            if data[2] != b'y' {return}
            panic!("BOOM")
        });
    }
}

Fuzz for fun and profit !

# builds with fuzzing instrumentation and then fuzz the "example" target
cargo hfuzz run example

Once you got a crash, replay it easily in a debug environment

# builds the target in debug mode and replays automatically the crash in rust-lldb
cargo hfuzz run-debug example hfuzz_workspace/*/*.fuzz

You can also build and run your project without compile-time software instrumentation (LLVM's SanCov passes)

This allows you for example to try hardware-only feedback driven fuzzing:

# builds without fuzzing instrumentation and then fuzz the "example" target using hardware-based feedback
HFUZZ_RUN_ARGS="--linux_perf_ipt_block --linux_perf_instr --linux_perf_branch" cargo hfuzz run-no-instr example

Clean

# a wrapper on "cargo clean" which cleans the fuzzing_target directory
cargo hfuzz clean

Version

cargo hfuzz version

Environment variables

RUSTFLAGS

You can use RUSTFLAGS to send additional arguments to rustc.

For instance, you can enable the use of LLVM's sanitizers. This is a recommended option if you want to test your unsafe rust code but it will have an impact on performance.

RUSTFLAGS="-Z sanitizer=address" cargo hfuzz run example

HFUZZ_BUILD_ARGS

You can use HFUZZ_BUILD_ARGS to send additional arguments to cargo build.

HFUZZ_RUN_ARGS

You can use HFUZZ_RUN_ARGS to send additional arguments to honggfuzz. See USAGE for the list of those.

For example:

# 1 second of timeout
# use 12 fuzzing thread
# be verbose
# stop after 1000000 fuzzing iteration
# exit upon crash
HFUZZ_RUN_ARGS="-t 1 -n 12 -v -N 1000000 --exit_upon_crash" cargo hfuzz run example

HFUZZ_DEBUGGER

By default we use rust-lldb but you can change it to rust-gdb, gdb, /usr/bin/lldb-7 ...

CARGO_TARGET_DIR

Target compilation directory, defaults to hfuzz_target to not clash with cargo build's default target directory.

HFUZZ_WORKSPACE

Honggfuzz working directory, defaults to hfuzz_workspace.

HFUZZ_INPUT

Honggfuzz input files (also called "corpus"), defaults to $HFUZZ_WORKSPACE/{TARGET}/input.

Conditional compilation

Sometimes, it is necessary to make some specific adaptation to your code to yield a better fuzzing efficiency.

For instance:

  • Make you software behavior as much as possible deterministic on the fuzzing input
    • PRNGs must be seeded with a constant or the fuzzer input
    • Behavior shouldn't change based on the computer's clock.
    • Avoid potential undeterministic behavior from racing threads.
    • ...
  • Never ever call std::process::exit().
  • Disable logging and other unnecessary functionnalities.
  • Try to avoid modifying global state when possible.
  • Do not set up your own panic hook when run with cfg(fuzzing)

When building with cargo hfuzz, the argument --cfg fuzzing is passed to rustc to allow you to condition the compilation of thoses adaptations thanks to the cfg macro like so:

#[cfg(fuzzing)]
let mut rng = rand_chacha::ChaCha8Rng::from_seed(&[0]);
#[cfg(not(fuzzing))]
let mut rng = rand::thread_rng();

Also, when building in debug mode, the fuzzing_debug argument is added in addition to fuzzing.

For more information about conditional compilation, please see the reference.

Relevant documentation about honggfuzz

About Rust fuzzing

There is other projects providing Rust fuzzing support at github.com/rust-fuzz.

You'll find support for AFL and LLVM's LibFuzzer and there is also a trophy case ;-) .

This crate was inspired by those projects!

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].