Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)

google/honggfuzz

Latest commit: 974db6a · Jan 7, 2025

Honggfuzz

Description

A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.

Code

Installation

sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang
make

Features

  • It's multi-process and multi-threaded: there's no need to run multiple copies of your fuzzer, as honggfuzz can unlock the potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.
  • It's blazingly fast when the persistent fuzzing mode is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1M iterations per second on a relatively modern CPU (e.g. i7-6700K).
  • Has a solid track record of uncovered security bugs: the only (to date) vulnerability in OpenSSL with a critical severity score was discovered by honggfuzz. See the Trophies paragraph for a summary of findings to date.
  • Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by the fuzzed program).
  • Easy to use: feed it a simple corpus directory (it can even be empty for feedback-driven fuzzing), and it will work its way up, expanding the corpus by using feedback-based coverage metrics.
  • Supports several (more than any other coverage-based, feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also see the new qemu mode for black-box binary fuzzing.
  • Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.
  • Supports the persistent fuzzing mode (a long-lived process calling a fuzzed API repeatedly). More on that can be found here.
  • It comes with the examples directory, consisting of real-world fuzz setups for widely-used software (e.g. Apache HTTPD, OpenSSL, libjpeg, etc.).
  • Provides a corpus minimization mode.
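The persistent mode mentioned in the list above wraps the fuzzed API in an LLVMFuzzerTestOneInput function that honggfuzz calls repeatedly inside one long-lived process. As an added example (not code from the honggfuzz repository), here is a minimal persistent-mode harness around a hypothetical TLV parser; parse_tlv, check_tlv and the record format are constructed for illustration. Build it with honggfuzz's hfuzz-clang compiler wrapper and start it with `honggfuzz -i <corpus dir> -- ./harness` (assumed invocation).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical target (constructed for this example): a parser for a
 * byte stream of TLV records, each 1-byte type, 1-byte length, payload.
 * Type 0x01 payloads are concatenated into `out` (at most out_cap bytes).
 * Returns the number of records parsed, or -1 if the input is malformed. */
int parse_tlv(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap) {
    size_t pos = 0, written = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 2)
            return -1;                       /* header truncated */
        uint8_t type = buf[pos];
        uint8_t vlen = buf[pos + 1];
        pos += 2;
        if (vlen > len - pos)
            return -1;                       /* payload truncated */
        if (type == 0x01) {
            if (vlen > out_cap - written)
                return -1;                   /* would overflow `out` */
            memcpy(out + written, buf + pos, vlen);
            written += vlen;
        }
        pos += vlen;
        count++;
    }
    return count;
}

/* Helper used by the harness: parse into a fresh 64-byte scratch buffer
 * and return parse_tlv's result. */
int check_tlv(const uint8_t *buf, size_t len) {
    uint8_t out[64];                         /* fresh per call, never static */
    return parse_tlv(buf, len, out, sizeof out);
}

/* Persistent-mode entry point. honggfuzz keeps this process alive and calls
 * the function for every generated input, so it must be re-entrant: all
 * state lives on the stack and nothing leaks between iterations, otherwise
 * a crash may be blamed on the wrong input when the crash is reproduced. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
    (void)check_tlv(buf, len);
    return 0;                                /* always return 0 */
}
```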


Requirements

  • Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes
  • FreeBSD - gmake, clang-5.0 or newer
  • NetBSD - gmake, clang, capstone, libBlocksRuntime
  • Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
  • Windows - CygWin
  • Darwin/OS X - Xcode 10.8+
  • if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)

Trophies

Honggfuzz has been used to find a few interesting security problems in major software packages. An incomplete list:

Projects utilizing or inspired-by Honggfuzz

Contact

This is NOT an official Google product
