Description
A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for details
- Supports several hardware-based (CPU) and software-based feedback-driven fuzzing methods
- It works (at least) under GNU/Linux, FreeBSD, Mac OS X, Windows/CygWin and Android
- Supports persistent modes of fuzzing (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that here
- Can fuzz remote/standalone long-lasting processes (e.g. network servers like Apache's httpd and ISC's bind)
Code
Requirements
- Linux - The BFD library (libbfd-dev) and libunwind (libunwind-dev/libunwind8-dev)
- FreeBSD - gmake
- Android - Android SDK/NDK. Also see this detailed doc on how to build and run it
- Windows - CygWin
- Darwin/OS X - Xcode 10.8+
- if Clang/LLVM is used - the BlocksRuntime Library (libblocksruntime-dev)
Trophies
The tool has been used to find a few interesting security problems in major software packages; Examples:
- FreeType 2:
- CVE-2010-2497, CVE-2010-2498, CVE-2010-2499, CVE-2010-2500, CVE-2010-2519, CVE-2010-2520, CVE-2010-2527
- Multiple bugs in the libtiff library
- Multiple bugs in the librsvg library
- Multiple bugs in the poppler library
- Multiple exploitable bugs in IDA-Pro
- Adobe Flash memory corruption • CVE-2015-0316
- Pre-auth remote crash in OpenSSH
- Remote DoS in Crypto++ • CVE-2016-9939
- OpenSSL
- Remote OOB read • CVE-2015-1789
- Remote Use-after-Free (potential RCE) • CVE-2016-6309
- Remote OOB write • CVE-2016-7054
- Remote OOB read • CVE-2017-3731
- ... and more
Examples
The examples directory contains code demonstrating (among others) how to use honggfuzz to find bugs in the OpenSSL library and in the Apache web server.
Other
This is NOT an official Google product.