Home>Programming related>C# source code
Download

Honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.

Code

  • Latest stable version: 2.6

  • Changelog

Installation

sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang
make

Features

  • It's multi-process and multi-threaded: there's no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.

  • It's blazingly fast when the persistent fuzzing mode is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K).

  • Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date.

  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).

  • Easy-to-use, feed it a simple corpus directory (can even be empty for the feedback-driven fuzzing), and it will work its way up, expanding it by utilizing feedback-based coverage metrics.

  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also, see the new qemu mode for blackbox binary fuzzing.

  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.

  • Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly). More on that can be found here.

  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache HTTPS, OpenSSL, libjpeg etc.).

  • Provides a corpus minimization mode.


Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes

  • FreeBSD - gmake, clang-5.0 or newer

  • NetBSD - gmake, clang, capstone, libBlocksRuntime

  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it

  • Windows - CygWin

  • Darwin/OS X - Xcode 10.8+

  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; An incomplete list:

  • Dozens of security problems via the OSS-Fuzz project

  • Pre-auth remote crash in OpenSSH

  • Apache HTTPD

    • Remote crash in mod_http2 • CVE-2017-7659

    • Use-after-free in mod_http2 • CVE-2017-9789

    • Memory leak in mod_auth_digest • CVE-2017-9788

    • Out of bound access • CVE-2018-1301

    • Write after free in HTTP/2 • CVE-2018-1302

    • Out of bound read • CVE-2018-1303

  • Various SSL libs

    • Remote OOB read in OpenSSL • CVE-2015-1789

    • Remote Use-after-Free (potential RCE, rated as critical) in OpenSSL • CVE-2016-6309

    • Remote OOB write in OpenSSL • CVE-2016-7054

    • Remote OOB read in OpenSSL • CVE-2017-3731

    • Uninitialized mem use in OpenSSL

    • Crash in LibreSSL

    • Invalid free in LibreSSL

    • Uninitialized mem use in BoringSSL

  • Adobe Flash memory corruption • CVE-2015-0316

  • Multiple bugs in the libtiff library

  • Multiple bugs in the librsvg library

  • Multiple bugs in the poppler library

  • Multiple exploitable bugs in IDA-Pro

  • Remote DoS in Crypto++ • CVE-2016-9939

  • Programming language interpreters

    • PHP/Python/Ruby

    • PHP WDDX

    • PHP

    • Perl: #1, #2, #3

  • Double-free in LibXMP

  • Heap buffer overflow in SAPCAR • CVE-2017-8852

  • Crashes in libbass

  • FreeType 2:

    • CVE-2010-2497

    • CVE-2010-2498

    • CVE-2010-2499

    • CVE-2010-2500

    • CVE-2010-2519

    • CVE-2010-2520

    • CVE-2010-2527

  • Stack corruption issues in the Windows OpenType parser: #1, #2, #3

  • Infinite loop in NGINX Unit

  • A couple of problems in the MATLAB MAT File I/O Library: #1, #2, #3, #4, #5

  • NASM #1, #2, #3, #4,  #5, #6, #7, #8, #9, #10

  • Samba tdbdump + tdbtool, #2, #3, #4, #5, #6 CVE-2019-14907 CVE-2020-10745 CVE-2021-20277 LPRng_time

  • Crash in djvulibre

  • Multiple crashes in VLC

  • Buffer overflow in ClassiCube

  • Heap buffer-overflow (or UAF) in MPV

  • Heap buffer-overflow in picoc

  • Crashes in OpenCOBOL: #1, #2

  • DoS in ProFTPD: #1 • #2

  • Multiple security problems in ImageIO (iOS/MacOS)

  • Memory corruption in htmldoc

  • Memory corruption in OpenDetex

  • Memory corruption in Yabasic

  • Memory corruption in Xfig

  • Memory corruption in LibreOffice

  • Memory corruption in ATasm

  • Memory corruption in oocborrt • CVE-2020-24753

  • Memory corruption in LibRaw

  • NULL-ptr deref in peg-markdown

  • Uninitialized value in MD4C • CVE-2020-26148

  • 17 new bugs in fwupd

  • Assertion in libvips

  • [Crash in libocispec)(https://github.com/containers/libocispec/commit/6079cd9490096cfb46752bd7491c71253418a02c)

  • Rust:

    • panic() in regex #1, #2, #3

    • panic() in h2 #1, #2, #3

    • panic() in sleep-parser #1

    • panic() in lewton #1

    • panic()/DoS in Ethereum-Parity #1

    • crash() in Parts - a GPT partition manager #1

    • crashes in rust-bitcoin/rust-lightning #1

  • ... and more

Projects utilizing or inspired-by Honggfuzz

  • QuickFuzz by CIFASIS

  • OSS-Fuzz

  • Frog And Fuzz

  • interpreters fuzzing: by dyjakan

  • riufuzz: honggfuzz with AFL-like UI

  • h2fuzz: fuzzing Apache's HTTP/2 implementation

  • honggfuzz-dharma: honggfuzz with dharma grammar fuzzer

  • Owl: a system for finding concurrency attacks

  • honggfuzz-docker-apps

  • FFW: Fuzzing For Worms

  • honggfuzz-rs: fuzzing Rust with Honggfuzz

  • roughenough-fuzz

  • Monkey: a HTTP server

  • Killerbeez API: a modular fuzzing framework

  • FuzzM: a gray box model-based fuzzing framework

  • FuzzOS: by Mozilla Security

  • Android: by OHA

  • QDBI: by Quarkslab

  • fuzzer-test-suite: by Google

  • DeepState: by Trail-of-Bits

  • Quiche-HTTP/3: by Cloudflare

  • Bolero: fuzz and property testing framework

  • pwnmachine: a vagrantfile for exploit development on Linux

  • Quick700: analyzing effectiveness of fuzzers on web browsers and web servers

  • python-hfuzz: gluing honggfuzz and python3

  • go-hfuzz: gluing honggfuzz and go

  • Magma: a ground-truth fuzzing benchmark

  • arbitrary-model-tests: a procedural macro for testing stateful models

  • Clusterfuzz: the fuzzing engine behind OSS-fuzz/Chrome-fuzzing

  • Apache HTTP Server

  • centos-fuzz

  • FLUFFI: Fully Localized Utility For Fuzzing Instantaneously by Siemens

  • Fluent Bit: a fast log processor and forwarder for Linux

  • Samba: a SMB server

  • universal-fuzzing-docker: by nnamon

  • Canokey Core: core implementations of an open-source secure key

  • uberfuzz2: a cooperative fuzzing framework

  • TiKV: a distributed transactional key-value database

  • fuzz-monitor

  • libmutator: a C library intended to generate random test cases by mutating legitimate test cases

  • StatZone: a DNS zone file analyzer

  • shub-fuzz/honggfuzz: singularity image for honggfuzz

  • Code Intelligence: fuzzing-as-a-service

  • SpecFuzz: fuzzing for Spectre vulnerabilities

  • rcc: a Rust C compiler

  • EIP1962Fuzzing: Fuzzy testing of various EIP1962 implementations

  • wasm-fuzz: Fuzzing of wasmer, blog post

  • propfuzz: Rust tools to combine coverage-guided fuzzing with property-based testing - from Facebook

  • Bitcoin Core: fuzzing

  • ESP32-Fuzzing-Framework: A Fuzzing Framework for ESP32 applications

  • Fuzzbench: Fuzzer Benchmarking As a Service

  • rumpsyscallfuzz: NetBSD Rump Kernel fuzzing

  • libnbd: fuzzing libnbd with honggfuzz

  • EnsmallenGraph: Rust library to run node2vec-like weighted random walks on very big graphs

  • Oasis Core

  • bp7-rs: Rust implementation of dtn bundle protocol 7

  • WHATWG: URL C++ library

  • Xaya Core / Chimera: A decentralized open source information registration and transfer system

  • OpenWRT: A Linux operating system targeting embedded devices

  • RcppDeepStateTools: A Linux-specific R package, with R functions for running the DeepState test harness

  • Materialize: A streaming database for real-time applications

  • Rust-Bitcoin

  • Substrate: A next-generation framework for blockchain innovation

  • Solana: A fast, secure, and censorship resistant blockchain

  • fwupd: A project that aims to make updating firmware on Linux automatic, safe and reliable

  • polkadot: Implementation of a https://polkadot.network node in Rust based on the Substrate framework

  • systemd: is tested by honggfuzz

  • freetype: is tested by honggfuzz

  • ghostscript: is tested by honggfuzz

  • Fuzzme: fuzzing templates for programming languages and fuzzers

  • P0: Fuzzing ImageIO

    • TrapFuzz: by P0

  • Rust's fuzztest

    • and multiple Rust projects

Contact

This is NOT an official Google product

Expand
Additional Information
Related Applications
Recommended for You
Related Information All