google/honggfuzzPublic

NotificationsYou must be signed in to change notification settings
Fork534
Star3.3k

Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)

License

Apache-2.0 license

3.3k stars 534 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 4,172 Commits
android		android
docs		docs
examples		examples
hfuzz_cc		hfuzz_cc
includes		includes
libhfcommon		libhfcommon
libhfnetdriver		libhfnetdriver
libhfuzz		libhfuzz
linux		linux
mac		mac
netbsd		netbsd
patches		patches
posix		posix
qemu_mode		qemu_mode
socketfuzzer		socketfuzzer
third_party		third_party
tools		tools
.clang-format		.clang-format
.clangd		.clangd
.gitattributes		.gitattributes
.gitignore		.gitignore
.gitmodules		.gitmodules
CHANGELOG		CHANGELOG
CONTRIBUTING.md		CONTRIBUTING.md
COPYING		COPYING
Dockerfile		Dockerfile
Makefile		Makefile
README.md		README.md
arch.h		arch.h
cmdline.c		cmdline.c
cmdline.h		cmdline.h
dict.c		dict.c
dict.h		dict.h
display.c		display.c
display.h		display.h
fuzz.c		fuzz.c
fuzz.h		fuzz.h
honggfuzz.c		honggfuzz.c
honggfuzz.h		honggfuzz.h
input.c		input.c
input.h		input.h
mangle.c		mangle.c
mangle.h		mangle.h
power.c		power.c
power.h		power.h
report.c		report.c
report.h		report.h
sanitizers.c		sanitizers.c
sanitizers.h		sanitizers.h
screenshot-honggfuzz-1.png		screenshot-honggfuzz-1.png
socketfuzzer.c		socketfuzzer.c
socketfuzzer.h		socketfuzzer.h
subproc.c		subproc.c
subproc.h		subproc.h

Repository files navigation

Honggfuzz

A security-oriented, feedback-driven, evolutionary fuzzer.

Honggfuzz is a general-purpose fuzzer that uses code coverage (software and hardware-based) to find bugs. It is multi-process, multi-threaded, and supports persistent fuzzing for extreme speed.

Key Features

Fast: Multi-process and multi-threaded engine. unlocking full CPU potential.
Persistent Fuzzing: Test APIs directly in-process with iteration speeds up to 1M/sec.
Feedback-Driven: Uses hardware (Intel BTS/PT) and software code coverage to evolve inputs.
Easy: Can start with an empty corpus and automatically build a valid input set.
Deep Monitoring: Uses low-level APIs (ptrace) to detect hijacked signals and hidden crashes.
Broad Support: Linux, macOS, Android, NetBSD, FreeBSD, and Windows (Cygwin).

Installation

Dependencies

Linux (Ubuntu/Debian)

sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang

macOSRequiresXcode (10.8+) andlibblocksruntime.

Build

make# Compilation wrappers are created in hfuzz_cc/

Usage

1. Compile Target

Use the provided compiler wrappers to automatically add instrumentation:

# C code./hfuzz_cc/hfuzz-clang -o my_target my_target.c# C++ code./hfuzz_cc/hfuzz-clang++ -o my_target my_target.cpp

2. Run Fuzzer

Point it to an input corpus directory (can be empty) and your binary:

# Basic run./honggfuzz -i input_dir/ -- ./my_target ___FILE___# Persistent mode (faster)./honggfuzz -P -i input_dir/ -- ./my_target

Note:___FILE___ is a placeholder for the input filename generated by honggfuzz.

For advanced examples (Apache, OpenSSL, BIND, etc.), check theexamples/ directory.

SeeUSAGE.md for detailed options.

Trophies

Honggfuzz has discovered major security vulnerabilities in critical software.

HTTP & Servers

Apache HTTPD:
- CVE-2017-7659 (mod_http2 remote crash)
- CVE-2017-9789 (Use-after-free)
- CVE-2018-1301, CVE-2018-1302, CVE-2018-1303
OpenSSH: Pre-auth remote crash (commit 28652bca)
BIND: Multiple bugs
NGINX Unit: Infinite loop
ProFTPD: CVE-2019-18217 (DoS)
Samba: CVE-2019-14907, CVE-2020-10745, CVE-2021-20277

Cryptography & SSL

OpenSSL:
- CVE-2016-6309 (Critical, Potential RCE)
- CVE-2015-1789, CVE-2016-7054, CVE-2017-3731
LibreSSL: Multiple crashes and invalid frees
BoringSSL: Uninitialized memory use
Crypto++: CVE-2016-9939 (Remote DoS)