Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
86 lines (60 sloc) 1.68 KB

Persistent fuzzing

Honggfuzz is capable of fuzzing APIs, which is to say; to test new data within the same process. This speeds-up the process of fuzzing APIs greatly

Requirements for hardware-based counter-based fuzzing

  • GNU/Linux or POSIX interface (e.g. FreeBSD, Windows/CygWin)


One can prepare a binary in the two following ways:


Two functions must be prepared

int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)

and (optional)

int LLVMFuzzerInitialize(int *argc, char ***argv)

Example (test.c):

int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
	TestAPI(buf, len);
	return 0;


$ hfuzz_cc/hfuzz_clang test.c -o test


$ honggfuzz -P -- ./test

HF_ITER style

A complete program needs to be prepared, using HF_ITER symbol to obtain new inputs

Example (test.c):

#include <inttypes.h>

extern HF_ITER(uint8_t** buf, size_t* len);

int main(void) {
	for (;;) {
		size_t len;
		uint8_t *buf;

		HF_ITER(&buf, &len);

		TestAPI(buf, len);


$ hfuzz_cc/hfuzz_clang test.c -o test ~/honggfuzz/libfuzz/libfuzz.a


$ honggfuzz -P -- ./test

Feedback-driven modes

The persistent fuzzing can be easily used together with feedback-driven fuzzing. In order to achieve that, one needs to compile binary with compile-time instrumentation, or use hardware-based instrumentation (BTS, Intel PT). More can be found in this document

Example (compile-time)

$ honggfuzz -P -z -- ./test

Example (hardware-based)

$ honggfuzz -P --linux_perf_bts_edge -- ./test
$ honggfuzz -P --linux_perf_ipt_block -- ./test