cmdline: undeprecate --sanitizers
For POSIX systems, we rely on sanitizer support to handle signals
such as SIGSEGV and dump the corresponding log so that the sanitizer
log can be parsed and the stack hash can be calculated.
1 file changed
tree: 35d56c8bcce041ba75ddb6858ef75ecb337594a6
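The commit message describes the post-crash step honggfuzz takes on POSIX: the sanitizer runtime catches the signal, writes its report, and the fuzzer parses that report and derives a stack hash that serves as the crash's deduplication key. The program below is an added example written for this page, not honggfuzz's own sanitizers.c: it parses constructed AddressSanitizer reports (labelled as such in the code) and computes an address-independent hash. The frame filter, the MAX_FRAMES cut-off and the FNV-1a hash layout are this example's assumptions, not the project's algorithm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample reports (not real honggfuzz output): the same crash site
 * seen under two ASLR layouts, and a third report from a different site. */
static const char sample_report[] =
    "==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014\n"
    "READ of size 4 at 0x602000000014 thread T0\n"
    "    #0 0x4b1c2d in __interceptor_memcpy /src/asan_interceptors_memintrinsics.cpp:22:3\n"
    "    #1 0x4f8b5d in parse_record /src/parser.c:42:12\n"
    "    #2 0x4f9a10 in LLVMFuzzerTestOneInput /src/harness.c:10:5\n"
    "    #3 0x7f1234567890 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27b25)\n"
    "SUMMARY: AddressSanitizer: heap-buffer-overflow /src/parser.c:42:12 in parse_record\n";
static const char sample_report_rebased[] =
    "==777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000abc\n"
    "READ of size 4 at 0x603000000abc thread T0\n"
    "    #0 0x55d0c3e1a2d in __interceptor_memcpy /src/asan_interceptors_memintrinsics.cpp:22:3\n"
    "    #1 0x55d0c3e5b5d in parse_record /src/parser.c:42:12\n"
    "    #2 0x55d0c3e6a10 in LLVMFuzzerTestOneInput /src/harness.c:10:5\n"
    "    #3 0x7f9876543210 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27b25)\n";
static const char sample_report_other_site[] =
    "==778==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000abc\n"
    "    #0 0x55d0c3e5c11 in parse_record /src/parser.c:57:9\n"
    "    #1 0x55d0c3e6a10 in LLVMFuzzerTestOneInput /src/harness.c:10:5\n"
    "    #2 0x7f9876543210 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27b25)\n";

#define MAX_FRAMES 8   /* the top frames identify the bug; deeper ones vary between runs */

struct frame {
    unsigned idx;
    unsigned long long pc;
    char func[64];
    char loc[256];
};

/* Parse "#N 0xPC in FUNC LOCATION" lines; every other report line is ignored.
 * Returns the number of frames stored in out[]. */
int parse_frames(const char *report, struct frame *out, int max) {
    int n = 0;
    const char *line = report;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            struct frame f;
            memset(&f, 0, sizeof f);
            if (sscanf(buf, " #%u 0x%llx in %63s %255s", &f.idx, &f.pc, f.func, f.loc) == 4)
                out[n++] = f;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* Sanitizer runtime and interceptor frames sit above the real crash site and
 * would make every memcpy-detected bug in the target collide on one key. */
static int is_runtime_frame(const char *func) {
    return strncmp(func, "__interceptor_", 14) == 0 ||
           strncmp(func, "__asan", 6) == 0 ||
           strncmp(func, "__sanitizer", 11) == 0;
}

/* FNV-1a (64-bit) over FUNC and LOCATION of the first MAX_FRAMES non-runtime
 * frames. The pc is deliberately excluded so the key survives ASLR and
 * rebuilds. This layout is this example's choice, not honggfuzz's. */
uint64_t stack_hash(const struct frame *frames, int n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    int used = 0;
    for (int i = 0; i < n && used < MAX_FRAMES; i++) {
        if (is_runtime_frame(frames[i].func)) continue;
        const char *parts[2] = { frames[i].func, frames[i].loc };
        for (int p = 0; p < 2; p++) {
            for (const char *c = parts[p]; *c; c++) {
                h ^= (unsigned char)*c;
                h *= 0x100000001b3ULL;
            }
            h ^= '|';                /* field separator so "ab"+"c" != "a"+"bc" */
            h *= 0x100000001b3ULL;
        }
        used++;
    }
    return h;
}

int count_frames(const char *report) {
    struct frame frames[32];
    return parse_frames(report, frames, 32);
}

/* Report text -> dedup key: the step that runs after the sanitizer wrote its log. */
uint64_t hash_report(const char *report) {
    struct frame frames[32];
    int n = parse_frames(report, frames, 32);
    return stack_hash(frames, n);
}

int main(void) {
    printf("frames: %d, stack hash: %016llx\n", count_frames(sample_report),
           (unsigned long long)hash_report(sample_report));
    printf("same site under another ASLR layout: %s\n",
           hash_report(sample_report) == hash_report(sample_report_rebased) ? "same key" : "DIFFERENT key");
    return 0;
}
```

Two reports of the same bug taken from differently laid-out processes hash to the same key, while a report from another line of parse_record gets a different one; that is what makes the key usable for deduplicating crash files. honggfuzz's real parser in sanitizers.c differs in detail, and any deployment should check its own reports against whichever frames it decides to include.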
README.md
Honggfuzz
Description
A security-oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.
Code
Installation
sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang
make
Features
- It's multi-process and multi-threaded: there's no need to run multiple copies of your fuzzer, as honggfuzz can unlock the potential of all your available CPU cores with a single running instance. The file corpus is automatically shared and improved between all fuzzed processes.
- It's blazingly fast when the persistent fuzzing mode is used. A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K).
- Has a solid track record of uncovered security bugs: the only (to date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for a summary of findings to date.
- Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).
- Easy to use: feed it a simple corpus directory (it can even be empty for feedback-driven fuzzing), and it will work its way up, expanding the corpus using feedback-based coverage metrics.
- Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing modes. Also, see the new qemu mode for blackbox binary fuzzing.
- Works (at least) under GNU/Linux, FreeBSD, NetBSD, Mac OS X, Windows/CygWin and Android.
- Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly). More on that can be found here.
- It comes with the examples directory, consisting of real-world fuzz setups for widely-used software (e.g. Apache HTTPD, OpenSSL, libjpeg, etc.).
- Provides a corpus minimization mode.
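The persistent mode listed above works on a harness that exports LLVMFuzzerTestOneInput and is called repeatedly inside one long-lived process. The following is an added example, not code from the honggfuzz repository or its examples directory: a harness around a constructed length-prefixed record parser. The parser, the sample inputs, the check_input helper and the STANDALONE_DRIVER macro are this example's own assumptions; the macro exists because a persistent build links honggfuzz's own driver main from libhfuzz.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy length-prefixed record parser standing in for the API under test.
 * Input is a sequence of [type:1][len:1][payload:len]. Type 0x01 payloads are
 * copied into sink. Returns the record count, or -1 on malformed input. */
int parse_tlv(const uint8_t *data, size_t size, uint8_t *sink, size_t sink_cap) {
    size_t pos = 0, copied = 0;
    int count = 0;
    while (pos < size) {
        if (size - pos < 2)
            return -1;                       /* header truncated */
        uint8_t type = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        if (len > size - pos)
            return -1;                       /* payload claims more bytes than remain */
        if (type == 0x01) {
            if (len > sink_cap - copied)
                return -1;                   /* would overflow the caller's buffer */
            memcpy(sink + copied, data + pos, len);
            copied += len;
        }
        pos += len;
        count++;
    }
    return count;
}

/* Persistent-mode entry point. honggfuzz calls it again and again in one
 * process, so it must be re-entrant, must not keep pointers into data after
 * returning, and must return 0; a sanitizer report or a signal is what
 * marks a finding, not the return value. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t sink[256];
    (void)parse_tlv(data, size, sink, sizeof sink);
    return 0;
}

/* Constructed sample inputs that exercise the parser's edge cases outside the fuzzer. */
static const uint8_t good_input[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
static const uint8_t truncated_input[] = { 0x01, 0x05, 'a', 'b' };
static const uint8_t oversize_input[] = { 0x01, 0x0a, '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };

/* Runs the parser with a deliberately small sink so the capacity check is hit. */
int check_input(const uint8_t *data, size_t size) {
    uint8_t sink[8];
    return parse_tlv(data, size, sink, sizeof sink);
}

#ifdef STANDALONE_DRIVER   /* leave undefined when building with hfuzz-clang, which links the driver main */
#include <stdio.h>
int main(void) {
    printf("good: %d, truncated: %d, oversize: %d\n",
           check_input(good_input, sizeof good_input),
           check_input(truncated_input, sizeof truncated_input),
           check_input(oversize_input, sizeof oversize_input));
    return 0;
}
#endif
```

Built with the hfuzz-clang wrapper from the hfuzz_cc directory and started as honggfuzz -i corpus -- ./harness (the persistent fuzzing document linked from the README has the exact options), the loop stays inside parse_tlv; the two bounds checks are the ones a sanitizer would otherwise flag as a heap or stack overflow on the first malformed record the fuzzer generates.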
Requirements
- Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev), clang-5.0 or higher for software-based coverage modes
- FreeBSD - gmake, clang-5.0 or newer
- NetBSD - gmake, clang, capstone, libBlocksRuntime
- Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
- Windows - CygWin
- Darwin/OS X - Xcode 10.8+
- if Clang/LLVM is used to compile honggfuzz - link it with the BlocksRuntime Library (libblocksruntime-dev)
Trophies
Honggfuzz has been used to find a few interesting security problems in major software packages; an incomplete list:
- Dozens of security problems via the OSS-Fuzz project
- Pre-auth remote crash in OpenSSH
- Apache HTTPD
- Various SSL libs
- Adobe Flash memory corruption • CVE-2015-0316
- Multiple bugs in the libtiff library
- Multiple bugs in the librsvg library
- Multiple bugs in the poppler library
- Multiple exploitable bugs in IDA-Pro
- Remote DoS in Crypto++ • CVE-2016-9939
- Programming language interpreters
- Double-free in LibXMP
- Heap buffer overflow in SAPCAR • CVE-2017-8852
- Crashes in libbass
- FreeType 2:
- Stack corruption issues in the Windows OpenType parser: #1, #2, #3
- Infinite loop in NGINX Unit
- A couple of problems in the MATLAB MAT File I/O Library: #1, #2, #3, #4, #5
- NASM #1, #2, #3, #4, #5, #6, #7, #8, #9, #10
- Samba: tdbdump + tdbtool, #2, #3, #4, #5, #6, CVE-2019-14907, CVE-2020-10745, CVE-2021-20277, LPRng_time
- Crash in djvulibre
- Multiple crashes in VLC
- Buffer overflow in ClassiCube
- Heap buffer-overflow (or UAF) in MPV
- Heap buffer-overflow in picoc
- Crashes in OpenCOBOL: #1, #2
- DoS in ProFTPD: #1 • #2
- Multiple security problems in ImageIO (iOS/MacOS)
- Memory corruption in htmldoc
- Memory corruption in OpenDetex
- Memory corruption in Yabasic
- Memory corruption in Xfig
- Memory corruption in LibreOffice
- Memory corruption in ATasm
- Memory corruption in oocborrt • CVE-2020-24753
- Memory corruption in LibRaw
- NULL-ptr deref in peg-markdown
- Uninitialized value in MD4C • CVE-2020-26148
- 17 new bugs in fwupd
- Assertion in libvips
- Crash in libocispec: https://github.com/containers/libocispec/commit/6079cd9490096cfb46752bd7491c71253418a02c
- Rust:
- panic() in regex #1, #2, #3
- panic() in h2 #1, #2, #3
- panic() in sleep-parser #1
- panic() in lewton #1
- panic()/DoS in Ethereum-Parity #1
- crash() in Parts - a GPT partition manager #1
- crashes in rust-bitcoin/rust-lightning #1
- ... and more
Projects utilizing or inspired-by Honggfuzz
Contact
This is NOT an official Google product