| Name | | Date | Size | #Lines | LOC |
| --- | --- | --- | --- | --- | --- |
| docs/ | | 03-May-2024 | - | 714 | 583 |
| examples/ | | 03-May-2024 | - | 564,295 | 392,349 |
| hfuzz_cc/ | | 03-May-2024 | - | 457 | 378 |
| includes/ | | 03-May-2024 | - | | |
| libhfcommon/ | | 03-May-2024 | - | 1,876 | 1,382 |
| libhfnetdriver/ | | 03-May-2024 | - | 380 | 286 |
| libhfuzz/ | | 03-May-2024 | - | 1,068 | 750 |
| linux/ | | 03-May-2024 | - | 3,159 | 2,236 |
| mac/ | | 03-May-2024 | - | 789 | 476 |
| netbsd/ | | 03-May-2024 | - | 1,119 | 704 |
| posix/ | | 03-May-2024 | - | 285 | 194 |
| socketfuzzer/ | | 03-May-2024 | - | 608 | 465 |
| third_party/ | | 03-May-2024 | - | 1,016 | 583 |
| tools/ | | 03-May-2024 | - | 161 | 116 |
| .gitignore | D | 03-May-2024 | 222 | 17 | 16 |
| Android.bp | D | 03-May-2024 | 2 KiB | 108 | 85 |
| CHANGELOG | D | 03-May-2024 | 6.1 KiB | 129 | 110 |
| CONTRIBUTING | D | 03-May-2024 | 1.4 KiB | 25 | 21 |
| COPYING | D | 03-May-2024 | 11.1 KiB | 203 | 169 |
| Dockerfile | D | 03-May-2024 | 342 | 18 | 13 |
| LICENSE | D | 03-May-2024 | 11.1 KiB | 203 | 169 |
| METADATA | D | 03-May-2024 | 415 | 20 | 19 |
| MODULE_LICENSE_APACHE2 | D | 03-May-2024 | 0 | | |
| Makefile | D | 03-May-2024 | 19.6 KiB | 473 | 379 |
| NOTICE | D | 03-May-2024 | 11.1 KiB | 203 | 169 |
| OWNERS | D | 03-May-2024 | 162 | 5 | 4 |
| README.md | D | 03-May-2024 | 10.8 KiB | 131 | 109 |
| arch.h | D | 03-May-2024 | 1.1 KiB | 44 | 11 |
| cmdline.c | D | 03-May-2024 | 28.9 KiB | 726 | 662 |
| cmdline.h | D | 03-May-2024 | 1.1 KiB | 38 | 10 |
| display.c | D | 03-May-2024 | 11.4 KiB | 303 | 237 |
| display.h | D | 03-May-2024 | 976 | 34 | 7 |
| fuzz.c | D | 03-May-2024 | 18.7 KiB | 565 | 436 |
| fuzz.h | D | 03-May-2024 | 1,019 | 37 | 9 |
| honggfuzz.c | D | 03-May-2024 | 9.9 KiB | 358 | 280 |
| honggfuzz.h | D | 03-May-2024 | 11.4 KiB | 429 | 316 |
| input.c | D | 03-May-2024 | 14.1 KiB | 456 | 370 |
| input.h | D | 03-May-2024 | 1.4 KiB | 41 | 14 |
| mangle.c | D | 03-May-2024 | 35.7 KiB | 944 | 816 |
| mangle.h | D | 03-May-2024 | 888 | 32 | 5 |
| report.c | D | 03-May-2024 | 4.2 KiB | 131 | 92 |
| report.h | D | 03-May-2024 | 866 | 32 | 5 |
| sanitizers.c | D | 03-May-2024 | 5.8 KiB | 146 | 67 |
| sanitizers.h | D | 03-May-2024 | 971 | 34 | 7 |
| screenshot-honggfuzz-1.png | D | 03-May-2024 | 576.6 KiB | | |
| socketfuzzer.c | D | 03-May-2024 | 3.7 KiB | 147 | 112 |
| socketfuzzer.h | D | 03-May-2024 | 331 | 13 | 8 |
| subproc.c | D | 03-May-2024 | 16.6 KiB | 509 | 408 |
| subproc.h | D | 03-May-2024 | 1.4 KiB | 52 | 16 |
README.md
# honggfuzz

## Description

A security-oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See [USAGE](https://github.com/google/honggfuzz/blob/master/docs/USAGE.md) for the description of command-line options.

 * It's __multi-process__ and __multi-threaded__: no need to run multiple copies of your fuzzer, as honggfuzz can unlock the potential of all your available CPU cores with a single supervising process. The file corpus is automatically shared and improved between the fuzzing threads and fuzzed processes.
 * It's blazingly fast when in the [persistent fuzzing mode](https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md). A simple/empty _LLVMFuzzerTestOneInput_ function can be tested with __up to 1mo iterations per second__ on a relatively modern CPU (e.g. i7-6700K)
 * Has a [solid track record](#trophies) of uncovered security bugs: the __only__ (to date) __vulnerability in OpenSSL with the [critical](https://www.openssl.org/news/secadv/20160926.txt) score mark__ was discovered by honggfuzz. See the [Trophies](#trophies) paragraph for the summary of findings to date
 * Uses low-level interfaces to monitor processes (e.g. _ptrace_ under Linux and NetBSD). As opposed to other fuzzers, it __will discover and report hijacked/ignored signals from crashes__ (intercepted and potentially hidden by a fuzzed program)
 * Easy to use: feed it a simple corpus directory (it can even be empty) and it will work its way up, expanding it using feedback-based coverage metrics
 * Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, __Intel BTS__, __Intel PT__) and software-based [feedback-driven fuzzing](https://github.com/google/honggfuzz/blob/master/docs/FeedbackDrivenFuzzing.md) methods known from other fuzzers (libfuzzer, afl)
 * Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and [Android](https://github.com/google/honggfuzz/blob/master/docs/Android.md)
 * Supports the __persistent fuzzing mode__ (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found [here](https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md)
 * It comes with the __[examples](https://github.com/google/honggfuzz/tree/master/examples) directory__, consisting of real-world fuzz setups for widely-used software (e.g. Apache and OpenSSL)

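As an added example (not code from the honggfuzz repository), this is what a persistent-mode target in the _LLVMFuzzerTestOneInput_ form mentioned above looks like: a small bounds-checked parser for a hypothetical record format, the entry point libhfuzz calls in a loop, and a standalone `main` for replaying one saved input. Building with the `hfuzz-clang` wrapper from `hfuzz_cc/` and running `honggfuzz -i corpus/ -- ./harness` are assumed from the persistent-fuzzing documentation linked above.

```c
/* Added example (not from the honggfuzz repository): a persistent-mode target in the
 * LLVMFuzzerTestOneInput form that libhfuzz.a calls in a loop, plus a standalone main. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record format: [tag:1][len:1][payload:len], repeated to end of input. */
struct record { uint8_t tag; uint8_t len; const uint8_t *payload; };

/* Constructed samples: two well-formed records, and a length that overruns the buffer. */
const uint8_t SAMPLE_OK[]  = { 0x01, 0x02, 0xaa, 0xbb, 0x02, 0x00 };
const uint8_t SAMPLE_BAD[] = { 0x01, 0x05, 0xaa };

/* Returns the number of records in buf, or -1 if the input is malformed. Every read is
 * bounds-checked against size, so arbitrary fuzzer input yields -1, never an OOB read. */
int parse_records(const uint8_t *buf, size_t size, struct record *out, size_t max_out) {
    size_t pos = 0; int n = 0;
    while (pos < size) {
        if (size - pos < 2) return -1;          /* truncated header */
        uint8_t tag = buf[pos], len = buf[pos + 1];
        pos += 2;
        if (len > size - pos) return -1;        /* payload would run past the buffer */
        if ((size_t)n < max_out) {
            out[n].tag = tag; out[n].len = len; out[n].payload = buf + pos;
        }
        n++;
        pos += len;
    }
    return n;
}

/* Called by honggfuzz once per iteration in persistent mode. Besides exercising the parser,
 * it checks an invariant and aborts on violation so the fuzzer records a crash for it. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct record recs[16];
    int n = parse_records(data, size, recs, 16);
    for (int i = 0; i < n && i < 16; i++)
        if ((size_t)(recs[i].payload - data) + recs[i].len > size) abort();
    return 0;
}
/* Standalone driver: replay one input file (e.g. a crash honggfuzz saved) outside the fuzzer. */
int main(int argc, char **argv) {
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
```

When linked by `hfuzz-clang`, libhfuzz supplies its own `main` that feeds inputs to `LLVMFuzzerTestOneInput` without re-executing the process, which is where the persistent-mode speed comes from.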
---

<p align="center">
 <img src="https://raw.githubusercontent.com/google/honggfuzz/master/screenshot-honggfuzz-1.png" width="75%" height="75%">
</p>

---

## Code

 * Latest stable version: [1.9](https://github.com/google/honggfuzz/releases)
 * [Changelog](https://github.com/google/honggfuzz/blob/master/CHANGELOG)

## Requirements

 * **Linux** - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-4.0 or higher for software-based coverage modes
 * **FreeBSD** - gmake, clang-3.6 or newer (clang-devel/4.0 suggested)
 * **NetBSD** - gmake, clang, capstone, libBlocksRuntime
 * **Android** - Android SDK/NDK. Also see [this detailed doc](https://github.com/google/honggfuzz/blob/master/docs/Android.md) on how to build and run it
 * **Windows** - CygWin
 * **Darwin/OS X** - Xcode 10.8+
 * If **Clang/LLVM** is used to compile honggfuzz, link it with the BlocksRuntime Library (libblocksruntime-dev)


## Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; an incomplete list:

 * [Pre-auth remote crash in __OpenSSH__](https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737)
 * __Apache HTTPD__
   * [Remote crash in __mod\_http2__ • CVE-2017-7659](http://seclists.org/oss-sec/2017/q2/504)
   * [Use-after-free in __mod\_http2__ • CVE-2017-9789](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789)
   * [Memory leak in __mod\_auth\_digest__ • CVE-2017-9788](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788)
   * [Out of bound access • CVE-2018-1301](http://seclists.org/oss-sec/2018/q1/265)
   * [Write after free in HTTP/2 • CVE-2018-1302](http://seclists.org/oss-sec/2018/q1/268)
   * [Out of bound read • CVE-2018-1303](http://seclists.org/oss-sec/2018/q1/266)
 * Various __SSL__ libs
   * [Remote OOB read in __OpenSSL__ • CVE-2015-1789](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789)
   * [Remote Use-after-Free (potential RCE, rated as __critical__) in __OpenSSL__ • CVE-2016-6309](https://www.openssl.org/news/secadv/20160926.txt)
   * [Remote OOB write in __OpenSSL__ • CVE-2016-7054](https://www.openssl.org/news/secadv/20161110.txt)
   * [Remote OOB read in __OpenSSL__ • CVE-2017-3731](https://www.openssl.org/news/secadv/20170126.txt)
   * [Uninitialized mem use in __OpenSSL__](https://github.com/openssl/openssl/commit/bd5d27c1c6d3f83464ddf5124f18a2cac2cbb37f)
   * [Crash in __LibreSSL__](https://github.com/openbsd/src/commit/c80d04452814d5b0e397817ce4ed34edb4eb520d)
   * [Invalid free in __LibreSSL__](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.2-relnotes.txt)
   * [Uninitialized mem use in __BoringSSL__](https://github.com/boringssl/boringssl/commit/7dccc71e08105b100c3acd56fa5f6fc1ba9b71d3)
 * [Adobe __Flash__ memory corruption • CVE-2015-0316](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0316)
 * [Multiple bugs in the __libtiff__ library](http://bugzilla.maptools.org/buglist.cgi?query_format=advanced;emailreporter1=1;email1=robert@swiecki.net;product=libtiff;emailtype1=substring)
 * [Multiple bugs in the __librsvg__ library](https://bugzilla.gnome.org/buglist.cgi?query_format=advanced;emailreporter1=1;email1=robert%40swiecki.net;product=librsvg;emailtype1=substring)
 * [Multiple bugs in the __poppler__ library](http://lists.freedesktop.org/archives/poppler/2010-November/006726.html)
 * [Multiple exploitable bugs in __IDA-Pro__](https://www.hex-rays.com/bugbounty.shtml)
 * [Remote DoS in __Crypto++__ • CVE-2016-9939](http://www.openwall.com/lists/oss-security/2016/12/12/7)
 * Programming language interpreters
   * [__PHP/Python/Ruby__](https://github.com/dyjakan/interpreter-bugs)
   * [PHP WDDX](https://bugs.php.net/bug.php?id=74145)
   * [PHP](https://bugs.php.net/bug.php?id=74194)
   * [Perl](https://www.nntp.perl.org/group/perl.perl5.porters/2018/03/msg250072.html)
 * [Double-free in __LibXMP__](https://github.com/cmatsuoka/libxmp/commit/bd1eb5cfcd802820073504c234c3f735e96c3355)
 * [Heap buffer overflow in SAPCAR • CVE-2017-8852](https://www.coresecurity.com/blog/sapcar-heap-buffer-overflow-crash-exploit)
 * [Crashes in __libbass__](http://seclists.org/oss-sec/2017/q4/185)
 * __FreeType 2__:
   * [CVE-2010-2497](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2497)
   * [CVE-2010-2498](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2498)
   * [CVE-2010-2499](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2499)
   * [CVE-2010-2500](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2500)
   * [CVE-2010-2519](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2519)
   * [CVE-2010-2520](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2520)
   * [CVE-2010-2527](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2527)
 * [Infinite loop in __NGINX Unit__](https://github.com/nginx/unit/commit/477e8177b70acb694759e62d830b8a311a736324)
 * A couple of problems in the [__MATLAB MAT File I/O Library__](https://sourceforge.net/projects/matio): [#1](https://github.com/tbeu/matio/commit/406438f497931f45fb3edf6de17d3a59a922c257), [#2](https://github.com/tbeu/matio/commit/406438f497931f45fb3edf6de17d3a59a922c257), [#3](https://github.com/tbeu/matio/commit/a55b9c2c01582b712d5a643699a13b5c41687db1), [#4](https://github.com/tbeu/matio/commit/3e6283f37652e29e457ab9467f7738a562594b6b), [#5](https://github.com/tbeu/matio/commit/783ee496a6914df68e77e6019054ad91e8ed6420)
 * [Samba's tdbdump + tdbtool](http://seclists.org/oss-sec/2018/q2/206)
 * [Crash in __djvulibre__](https://github.com/barak/djvulibre/commit/89d71b01d606e57ecec2c2930c145bb20ba5bbe3)
 * __Rust__:
   * panic() in regex [#1](https://github.com/rust-lang/regex/issues/464), [#2](https://github.com/rust-lang/regex/issues/465), [#3](https://github.com/rust-lang/regex/issues/465#issuecomment-381412816)
   * panic() in h2 [#1](https://github.com/carllerche/h2/pull/260), [#2](https://github.com/carllerche/h2/pull/261), [#3](https://github.com/carllerche/h2/pull/262)
   * panic() in sleep-parser [#1](https://github.com/datrs/sleep-parser/issues/3)
   * panic() in lewton [#1](https://github.com/RustAudio/lewton/issues/27)
   * panic()/DoS in Ethereum-Parity [#1](https://srlabs.de/bites/ethereum_dos/)
 * ... and more

## Projects utilizing Honggfuzz

 * [__QuickFuzz__ by CIFASIS](http://quickfuzz.org)
 * [__OSS-Fuzz__](https://github.com/google/oss-fuzz)
 * [__Frog And Fuzz__](https://github.com/warsang/FrogAndFuzz/tree/develop)
 * [dyjakan's __interpreters fuzzing__ project](https://github.com/dyjakan/interpreter-bugs)
 * [__riufuzz__: honggfuzz with AFL-like UI](https://github.com/riusksk/riufuzz)
 * [__h2fuzz__: fuzzing Apache's HTTP/2 implementation](https://github.com/icing/h2fuzz)
 * [__honggfuzz-dharma__: honggfuzz with dharma grammar fuzzer](https://github.com/Sbouber/honggfuzz-dharma)
 * [__Owl__: a system for finding concurrency attacks](https://github.com/hku-systems/owl)
 * [__honggfuzz-docker-apps__](https://github.com/skysider/honggfuzz_docker_apps)
 * [__FFW - Fuzzing For Worms__](https://github.com/dobin/ffw)
 * [__honggfuzz-rs__: fuzzing Rust with Honggfuzz](https://github.com/rust-fuzz/honggfuzz-rs)
 * [__roughenough-fuzz__](https://github.com/int08h/roughenough-fuzz)
 * [__Rust's fuzztest__](https://docs.rs/crate/fuzztest)
 * [__Monkey__: an HTTP server](https://github.com/monkey/monkey/blob/master/FUZZ.md)
 * [__Killerbeez API__](https://github.com/grimm-co/killerbeez-mutators)
 * [__FuzzM__: a gray box model-based fuzzing framework](https://github.com/collins-research/FuzzM)
 * [__FuzzOS__: by Mozilla Security](https://github.com/MozillaSecurity/fuzzos)
 * [__Android__: by OHA](https://android.googlesource.com/platform/external/honggfuzz)
 * [__QDBI__: by Quarkslab](https://project.inria.fr/FranceJapanICST/files/2019/04/19-Kyoto-Fuzzing_Binaries_using_Dynamic_Instrumentation.pdf)

## Examples

The [examples](https://github.com/google/honggfuzz/tree/master/examples/) directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the [OpenSSL](https://github.com/google/honggfuzz/tree/master/examples/openssl) library and in the [Apache](https://github.com/google/honggfuzz/tree/master/examples/apache-httpd) HTTPD web server.

## Other

 * User mailing list: [honggfuzz@googlegroups.com](mailto:honggfuzz@googlegroups.com), sign up with [this link](https://groups.google.com/forum/#!forum/honggfuzz).

__This is NOT an official Google product__
