Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (software- and hardware-based)
android android: fix libcommon->libhfcommon references Jan 7, 2018
docs docs: remove sancov Aug 25, 2018
examples examples/apache: new version of apr Nov 4, 2018
hfuzz_cc hfuzz-cc: more clang/clang++ variations Nov 4, 2018
includes Includes/Libs: rename directories to the 'hf' prefix, so it doesn't c… Jan 5, 2018
libhfcommon Merge pull request #219 from krytarowski/netbsd-3 Aug 16, 2018
libhfnetdriver libhfnetdriver: don't make files_sendToSocket fatal Nov 14, 2018
libhfuzz libhfuzz/persistent: better log message for _HF_PERSISTENT_FD readFromFd Jul 25, 2018
linux linux/pt: better ranges for PT Oct 31, 2018
mac sancov: remove, since it's old (clang-4), slower, and requires comple… Aug 23, 2018
netbsd sancov: remove, since it's old (clang-4), slower, and requires comple… Aug 23, 2018
posix sancov: remove, since it's old (clang-4), slower, and requires comple… Aug 23, 2018
socketfuzzer Fix socketfuzzer test code for interactive mode Oct 17, 2018
third_party android: use ANDROID_API=26 by default, and use -D__ANDROID_API__=$AN… Dec 15, 2017
tools Grammar & typos May 6, 2016
.gitignore hfuzz: add links Jan 10, 2018
.gitmodules [Android] libunwind default to master Oct 17, 2016
CHANGELOG Changelog for 1.7 Aug 23, 2018
CONTRIBUTING Added CONTRIBUTING Aug 20, 2015
COPYING Init Oct 14, 2010
Dockerfile fix Dockerfile Apr 8, 2018
Makefile Merge pull request #228 from devnexen/netbsd_linker_flags_fix Oct 11, 2018
README.md Readme Sep 4, 2018
arch.h Update copyright/authors headers Feb 27, 2018
cmdline.c netdriver: Allow to set hfuzz->exe.netDriver explicitly Nov 12, 2018
cmdline.h Includes/Libs: rename directories to the 'hf' prefix, so it doesn't c… Jan 5, 2018
display.c Merge branch 'master' of ssh://github.com/google/honggfuzz Oct 18, 2018
display.h Update copyright/authors headers Feb 27, 2018
fuzz.c sancov: remove, since it's old (clang-4), slower, and requires comple… Aug 23, 2018
fuzz.h Update copyright/authors headers Feb 27, 2018
honggfuzz.c honggfuzz: better exit loop Oct 12, 2018
honggfuzz.h netdriver: Allow to set hfuzz->exe.netDriver explicitly Nov 12, 2018
input.c detect 'only-printable' inside input_setSize to reduce modifications Aug 6, 2018
input.h Update copyright/authors headers Feb 27, 2018
mangle.c perf: check if perf is actually active when counting it Aug 14, 2018
mangle.h Add mangle functions for printable inputs Jul 31, 2018
report.c Handle NetBSD in generic code switches Aug 18, 2018
report.h Update copyright/authors headers Feb 27, 2018
sanitizers.c sancov: remove, since it's old (clang-4), slower, and requires comple… Aug 23, 2018
sanitizers.h sancov: remove, since it's old (clang-4), slower, and requires comple… Aug 23, 2018
screenshot-honggfuzz-1.png updated screenshot Jan 18, 2018
socketfuzzer.c support for multiple parallel honggfuzz processes in socketfuzzer mode Apr 14, 2018
socketfuzzer.h make indent depend Jan 21, 2018
subproc.c netdriver: Allow to set hfuzz->exe.netDriver explicitly Nov 12, 2018
subproc.h Update copyright/authors headers Feb 27, 2018


honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for the description of command-line options.

  • It's multi-process and multi-threaded: no need to run multiple copies of your fuzzer, as honggfuzz can unlock the potential of all your available CPU cores with a single supervising process. The file corpus is automatically shared and improved between the fuzzing threads and fuzzed processes.
  • It's blazingly fast when in the persistent fuzzing mode. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1 million iterations per second on a relatively modern CPU (e.g. i7-6700K)
  • Has a solid track record of uncovered security bugs: the only (to date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to date
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to fuzzers that only observe a target's exit status, it will discover and report crash signals that the fuzzed program hijacks or ignores (i.e. intercepts with its own handler and potentially hides)
  • Easy-to-use, feed it a simple corpus directory (can even be empty) and it will work its way up expanding it utilizing feedback-based coverage metrics
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing methods known from other fuzzers (libfuzzer, afl)
  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android
  • Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found here
  • Can fuzz remote/standalone long-lasting processes (e.g. network servers like Apache's httpd and ISC's bind), though the persistent fuzzing mode is suggested instead: it's faster, and multiple instances of a service can be fuzzed with it
  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache and OpenSSL)
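The persistent mode described above expects the fuzzed code to be wrapped in an LLVMFuzzerTestOneInput function; libhfuzz (linked in by the hfuzz-clang wrapper from hfuzz_cc/) supplies main() and calls that function in a loop on each mutated input. The following is an added example, not code from the honggfuzz repository: a persistent-mode target for a small length-prefixed record parser. The parser, the record format and the seed input are constructed for this illustration; the build and run commands in the leading comment reflect the documented hfuzz-clang/honggfuzz usage, and the replay behaviour of libhfuzz's main() when the binary is run outside the fuzzer is stated as I understand it from this tree's docs.

```c
/* Added example (not part of honggfuzz): persistent-mode fuzz target.
 *
 * Build with the compiler wrapper shipped in hfuzz_cc/, then point honggfuzz
 * at a (possibly empty) corpus directory:
 *   hfuzz-clang -O1 -g -o records_fuzz records_fuzz.c
 *   mkdir -p corpus && printf '\002hi\000' > corpus/seed
 *   honggfuzz -i corpus -- ./records_fuzz
 * libhfuzz provides main() and feeds LLVMFuzzerTestOneInput() in-process;
 * run outside honggfuzz, that main() replays the files named on the command
 * line instead, which is how a saved crash input is reproduced.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_RECORDS    16
#define MAX_RECORD_LEN 64

/* Constructed record format: a 1-byte length followed by that many bytes,
 * repeated; a zero length terminates the stream.
 * Returns the number of records parsed, or -1 for malformed input
 * (record longer than MAX_RECORD_LEN, truncated record, too many records,
 * or a stream with no terminator). Every copy is bounds-checked, so the
 * fuzzer is exercising the parser's error paths, not a planted bug. */
int parse_records(const uint8_t *data, size_t size,
                  char out[MAX_RECORDS][MAX_RECORD_LEN + 1]) {
    size_t pos = 0;
    int count = 0;

    while (pos < size) {
        uint8_t len = data[pos++];
        if (len == 0) {
            return count;               /* terminator reached */
        }
        if (len > MAX_RECORD_LEN) {
            return -1;                  /* would not fit the output slot */
        }
        if (len > size - pos) {
            return -1;                  /* truncated: would read past input */
        }
        if (count >= MAX_RECORDS) {
            return -1;                  /* more records than we can hold */
        }
        memcpy(out[count], data + pos, len);
        out[count][len] = '\0';
        pos += len;
        count++;
    }
    return -1;                          /* ran out of input before terminator */
}

/* The entry point honggfuzz (and libFuzzer-style harnesses) call per input.
 * It must return 0 and must not keep state across calls, otherwise one
 * input's effect leaks into the next iteration of the persistent loop. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char records[MAX_RECORDS][MAX_RECORD_LEN + 1];
    (void)parse_records(data, size, records);
    return 0;
}

/* Convenience entry used to sanity-check the harness on a constructed
 * sample without the fuzzer: two records, "hi" and "abc", then terminator. */
int parse_sample_stream(void) {
    static const uint8_t sample[] = { 2, 'h', 'i', 3, 'a', 'b', 'c', 0 };
    char records[MAX_RECORDS][MAX_RECORD_LEN + 1];
    return parse_records(sample, sizeof sample, records);
}
```

Because the same binary serves both roles, a crash file honggfuzz writes can be handed straight back to it (`./records_fuzz crashfile`) to reproduce the finding under a debugger or with sanitizers enabled at build time.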


Code

Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-4.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-3.6 or newer (clang-devel/4.0 suggested)
  • NetBSD - gmake, clang, capstone, libBlocksRuntime
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; an incomplete list:

Projects utilizing Honggfuzz

Examples

The examples directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the OpenSSL library and in the Apache HTTPD web server.

Other

This is NOT an official Google product