Skip to content
A tool to enable fuzzing for Spectre vulnerabilities
C++ C Assembly Python Shell Makefile Other
Branch: master
Clone or download

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
example
install
postprocessing
src src: do not report speculative overflows within ASan RTL Feb 20, 2020
tests
LICENSE
Makefile
README.md

README.md

SpecFuzz

A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.

Have trouble using the tool? Open an issue!

The tool is relatively new and you might have trouble when installing or using it. If so, do not hesitate to open an issue.

Getting started

Dependencies

$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...
  • HonggFuzz, built from sources:
$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...

Build it

$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools

Try it

Build a sample vulnerable program:

$ cd example
$ make sf
clang-sf -fsanitize=address -O1 main.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf

Try running it:

$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0

Here, the line [SF], 1, 0x123, 0x456, 0, 0x52b519 means that SpecFuzz detected that the instruction at address 0x123 tried to access an invalid address 0x456, and the speculation was triggered by a misprediction of a branch at the address 0x789.

Fuzz it

Build a fuzzing driver:

$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz

Fuzzing:

$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json   # raw results of fuzzing
{
  "errors": [],
  "statistics": {
    "coverage": [
      75.0,
      6
    ],
    "branches": 6,
    "faults": 1
  },
  "branches": {
    "5443896": {
      "address": "0x531138",
      "faults": [
        "0x530a48"

Process the results:

$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json

The final, aggregated results are in aggregated.json.

Development

Testing

Tests depend on bats (Install bats).

$ cd tests
$ ./run.sh
You can’t perform that action at this time.