Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (software- and hardware-based)
C Makefile Python C++ Other
| Name | Latest commit message | Commit time |
|---|---|---|
| android | android: fix libcommon->libhfcommon references | Jan 7, 2018 |
| docs | Update USAGE.md | Jul 11, 2019 |
| examples | examples/bind: patch for 9.15.2 | Aug 2, 2019 |
| hfuzz_cc | hfuzz-cc: disable -lrt linking for OpenBSD | Sep 4, 2019 |
| includes | Includes/Libs: rename directories to the 'hf' prefix, so it doesn't c… | Jan 5, 2018 |
| libhfcommon | libhfuzz/files: prefault the mmap'd memory | Sep 16, 2019 |
| libhfnetdriver | libhfcommon/files: remove unneeded copyFile | Sep 13, 2019 |
| libhfuzz | libhfcommon/files: implement files_getTmpMapFlags and make it used | Sep 16, 2019 |
| linux | linux/arch: adjust oom score for fuzzed tasks | Sep 12, 2019 |
| mac | No need to use a special signal to emulate SIGUSR1 | Sep 3, 2019 |
| netbsd | No need to use a special signal to emulate SIGUSR1 | Sep 3, 2019 |
| posix | posix/arch: sigwait for sigtimedwait for openbsd | Sep 4, 2019 |
| qemu_mode | qemu_mode: initial support | Aug 19, 2019 |
| socketfuzzer | fix for #253 | Jun 8, 2019 |
| third_party | android: use ANDROID_API=26 by default, and use -D__ANDROID_API__=$AN… | Dec 15, 2017 |
| tools | Grammar & typos | May 6, 2016 |
| .gitignore | hfuzz: add links | Jan 10, 2018 |
| .gitmodules | [Android] libunwind default to master | Oct 17, 2016 |
| CHANGELOG | changelog - tabs/spaces | May 22, 2019 |
| CONTRIBUTING | Added CONTRIBUTING | Aug 20, 2015 |
| COPYING | Init | Oct 14, 2010 |
| Dockerfile | fix Dockerfile | Apr 8, 2018 |
| Makefile | libhfcommon/files: implement files_getTmpMapFlags and make it used | Sep 16, 2019 |
| README.md | Readme | Sep 15, 2019 |
| arch.h | Update copyright/authors headers | Feb 27, 2018 |
| cmdline.c | No need to use a special signal to emulate SIGUSR1 | Sep 3, 2019 |
| cmdline.h | cmdline: more work on envs | Nov 20, 2018 |
| display.c | display: fix percentage display #2 | Aug 29, 2019 |
| display.h | display: support for SIGWINCH | Aug 26, 2019 |
| fuzz.c | fuzz: no need to reset run->dynamicFileSz | Sep 5, 2019 |
| fuzz.h | fuzz: don't wait for threads with pthread_join | Feb 17, 2019 |
| honggfuzz.c | Merge pull request #273 from neuracr/fix_rss | Sep 4, 2019 |
| honggfuzz.h | subproc: allow to use `___FILE___` and -s with persistent mode | Aug 27, 2019 |
| input.c | input: fix debug log | Sep 16, 2019 |
| input.h | add support for external command mutating files which have effective … | Apr 8, 2019 |
| mangle.c | mangle: merge printable and non-printable funcs | Sep 2, 2019 |
| mangle.h | mangle: simplify printable/non-printable mangling logic | Dec 31, 2018 |
| report.c | subproc: use TEMP_FAILURE_RETRY with some restartable funcs | Apr 17, 2019 |
| report.h | Update copyright/authors headers | Feb 27, 2018 |
| sanitizers.c | ALL: remove -p (pid), simplify the subproc state machine. NetBSD will… | Jan 30, 2019 |
| sanitizers.h | sancov: remove, since it's old (clang-4), slower, and requires comple… | Aug 23, 2018 |
| screenshot-honggfuzz-1.png | updated screenshot | Jan 18, 2018 |
| socketfuzzer.c | make indent depend | Jun 10, 2019 |
| socketfuzzer.h | make indent depend | Jan 21, 2018 |
| subproc.c | honggfuzz: map feedback struct unconditionally | Aug 28, 2019 |
| subproc.h | subproc: allow to specify whether a thread should be joinable | Feb 21, 2019 |

README.md

honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for the description of command-line options.

  • It's multi-process and multi-threaded: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single supervising process. The file corpus is automatically shared and improved between the fuzzing threads and fuzzed processes.
  • It's blazingly fast in the persistent fuzzing mode: a simple/empty LLVMFuzzerTestOneInput function can be exercised at up to 1M iterations per second on a relatively modern CPU (e.g. i7-6700K)
  • Has a solid track record of uncovered security bugs: the only (to date) vulnerability in OpenSSL with the critical severity mark was discovered by honggfuzz. See the Trophies paragraph for a summary of findings to date
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to fuzzers that only observe the exit status, it will discover and report hijacked/ignored signals from crashes (intercepted, and potentially hidden, by the fuzzed program's own signal handlers)
  • Easy-to-use, feed it a simple corpus directory (can even be empty) and it will work its way up expanding it utilizing feedback-based coverage metrics
  • Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing methods known from other fuzzers (libfuzzer, afl)
  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android
  • Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found here
  • It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache and OpenSSL)
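The persistent-mode API mentioned above, as an added example that is not part of honggfuzz or its examples/ directory: a harness exporting the libFuzzer-style LLVMFuzzerTestOneInput entry point around a small, constructed record parser (the parser is hypothetical and stands in for the library function you actually want to fuzz). The build and run commands in the header comment assume the hfuzz-clang wrapper from hfuzz_cc/ and the ___FILE___ placeholder documented in USAGE.md; the STANDALONE macro is this example's own, not a honggfuzz convention.

```c
/*
 * Added example harness (not honggfuzz's own code).
 *
 * Persistent build (hfuzz-clang links libhfuzz.a, which supplies main() and
 * calls LLVMFuzzerTestOneInput in a loop; newer honggfuzz auto-detects
 * persistent binaries, older releases needed -P):
 *   hfuzz-clang -O1 harness.c -o harness
 *   honggfuzz -i corpus/ -- ./harness
 *
 * File-based build (no libhfuzz; honggfuzz replaces ___FILE___ with the path
 * of the current test case; also handy for reproducing a saved crash):
 *   clang -O1 -DSTANDALONE harness.c -o harness_file
 *   honggfuzz -i corpus/ -- ./harness_file ___FILE___
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format: records of [type:1][len:1][value:len], repeated
 * until the buffer ends. A parse fails on a truncated header or value, or
 * on a type outside the allowed set. */
enum { REC_NAME = 1, REC_NUM = 2, REC_MAX_TYPE = 2 };

typedef struct {
    unsigned records;    /* records successfully parsed */
    unsigned bytes_used; /* value bytes consumed */
} parse_stats_t;

/* Returns 0 on success, -1 on malformed input; never reads past buf+len. */
int parse_records(const uint8_t *buf, size_t len, parse_stats_t *st)
{
    size_t off = 0;
    memset(st, 0, sizeof(*st));
    while (off < len) {
        if (len - off < 2)            /* header must fit entirely */
            return -1;
        uint8_t type = buf[off];
        uint8_t vlen = buf[off + 1];
        off += 2;
        if (type == 0 || type > REC_MAX_TYPE)
            return -1;
        if (vlen > len - off)         /* value would run off the end */
            return -1;
        /* Touch every value byte so an over-read would be visible to a
         * sanitizer; a real target would consume the value here. */
        uint8_t acc = 0;
        for (size_t i = 0; i < vlen; i++)
            acc ^= buf[off + i];
        (void)acc;
        off += vlen;
        st->records++;
        st->bytes_used += vlen;
    }
    return 0;
}

/* Convenience wrapper: number of records parsed, or -1 on malformed input. */
int count_records(const uint8_t *buf, size_t len)
{
    parse_stats_t st;
    if (parse_records(buf, len, &st) != 0)
        return -1;
    return (int)st.records;
}

/* Entry point honggfuzz calls repeatedly in persistent mode (same ABI as
 * libFuzzer). Keep it deterministic and free of leaked global state so a
 * crash reproduces from the saved input alone. Always return 0: malformed
 * input is a parse error, not a harness failure; only real crashes matter. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    parse_stats_t st;
    (void)parse_records(buf, len, &st);
    return 0;
}

#ifdef STANDALONE
/* File-based driver for the non-persistent build. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror("fopen");
        return 2;
    }
    static uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
#endif
```

The same harness can be driven by the hardware feedback modes listed above instead of compile-time instrumentation; those are selected with the `--linux_perf_*` options documented in USAGE.md and work on an uninstrumented binary.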


Code

Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-4.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-3.6 or newer (clang-devel/4.0 suggested)
  • NetBSD - gmake, clang, capstone, libBlocksRuntime
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages; an incomplete list:

Projects utilizing Honggfuzz

Examples

The examples directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the OpenSSL library and in the Apache HTTPD web server.

Other

This is NOT an official Google product
