1 # INTRODUCTION # 2 3 This document describes the **honggfuzz** project. 4 5 # OBJECTIVE # 6 7 Honggfuzz is a security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. 8 9 # FEATURES # 10 11 * It's __multi-threaded__ and __multi-process__: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores. The file corpus is shared between threads (and 12 fuzzed instances) 13 * It's blazingly fast (specifically in the [persistent fuzzing mode](https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md)). A simple _LLVMFuzzerTestOneInput_ function can be tested with __up to 1 14 mo iterations per second__ on a relatively modern CPU (e.g. i7-6600K) 15 * Has a nice track record of uncovered security bugs: e.g. the __only__ (to the date) __vulnerability in OpenSSL with the [critical](https://www.openssl.org/news/secadv/20160926.txt) score mark__ was discovered by honggfuzz 16 * Uses low-level interfaces to monitor processes (e.g. _ptrace_ under Linux). As opposed to other fuzzers, it __will discover and report hidden signals__ (caught and potentially hidden by signal handlers) 17 * Easy-to-use, feed it a simple input corpus (__can even consist of a single, 1-byte file__) and it will work its way up expanding it utilizing feedback-based coverage metrics 18 * Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, __Intel BTS__, __Intel PT__) and software-based [feedback-driven fuzzing](https://github.com/google/honggfuzz/blob/master/docs/FeedbackDrivenFuzzing.md) methods known from other fuzzers (libfuzzer, afl) 19 * Works (at least) under GNU/Linux, FreeBSD, Mac OS X, Windows/CygWin and [Android](https://github.com/google/honggfuzz/blob/master/docs/Android.md) 20 * Supports __persistent fuzzing mode__ (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found [here](https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md) 21 * [Can fuzz remote/standalone long-lasting processes](https://github.com/google/honggfuzz/blob/master/docs/AttachingToPid.md) (e.g. network servers like __Apache's httpd__ and __ISC's bind__) 22 * It comes with the __[examples](https://github.com/google/honggfuzz/tree/master/examples) directory__, consisting of real world fuzz setups for widely-used software (e.g. Apache and OpenSSL) 23 24 # REQUIREMENTS # 25 26 * A POSIX compliant operating system, [Android](https://github.com/google/honggfuzz/blob/master/docs/Android.md) or Windows (CygWin) 27 * GNU/Linux with modern kernel (>= v4.2) for hardware-based code coverage guided fuzzing 28 * A corpus of input files. Honggfuzz expects a set of files to use and modify as input to the application you're fuzzing. How you get or create these files is up to you, but you might be interested in the following sources: 29 * Image formats: Tavis Ormandy's [Image Testuite](http://code.google.com/p/imagetestsuite/) has been effective at finding vulnerabilities in various graphics libraries. 30 * PDF: Adobe provides some [test PDF files](http://acroeng.adobe.com/). 31 32 _**Note**: With the feedback-driven coverage-based modes, you can start your fuzzing with even a single 1-byte file._ 33 34 ## Compatibility list ## 35 36 It should work under the following operating systems: 37 38 | **OS** | **Status** | **Notes** | 39 |:-------|:-----------|:----------| 40 | **GNU/Linux** | Works | ptrace() API (x86, x86-64 disassembly support)| 41 | **FreeBSD** | Works | POSIX signal interface | 42 | **Mac OS X** | Works | POSIX signal interface/Mac OS X crash reports (x86-64/x86 disassembly support) | 43 | **Android** | Works | ptrace() API (x86, x86-64 disassembly support) | 44 | **MS Windows** | Works | POSIX signal interface via CygWin | 45 | **Other Unices** | Depends`*` | POSIX signal interface | 46 47 _`*`) It might work provided that a given operating system implements **wait4()** call_ 48 49 # USAGE # 50 51 ```shell 52 Usage: ./honggfuzz [options] -- path_to_command [args] 53 Options: 54 --help|-h 55 Help plz.. 56 --input|-f VALUE 57 Path to a directory containing initial file corpus 58 --persistent|-P 59 Enable persistent fuzzing (use hfuzz_cc/hfuzz-clang to compile code) 60 --instrument|-z 61 *DEFAULT-MODE-BY-DEFAULT* Enable compile-time instrumentation (use hfuzz_cc/hfuzz-clang to compile code) 62 --noinst|-x 63 Static mode (dry-mode), disable any instrumentation (hw/sw) 64 --sancov|-C 65 Enable sanitizer coverage feedback 66 --keep_output|-Q 67 Don't close children's stdin, stdout, stderr; can be noisy 68 --timeout|-t VALUE 69 Timeout in seconds (default: '10') 70 --threads|-n VALUE 71 Number of concurrent fuzzing threads (default: number of CPUs / 2) 72 --stdin_input|-s 73 Provide fuzzing input on STDIN, instead of ___FILE___ 74 --mutations_per_run|-r VALUE 75 Maximal number of mutations per one run (default: '6') 76 --logfile|-l VALUE 77 Log file 78 --verbose|-v 79 Disable ANSI console; use simple log output 80 --verifier|-V 81 Enable crashes verifier 82 --debug_level|-d VALUE 83 Debug level (0 - FATAL ... 4 - DEBUG), (default: '3' [INFO]) 84 --extension|-e VALUE 85 Input file extension (e.g. 'swf'), (default: 'fuzz') 86 --workspace|-W VALUE 87 Workspace directory to save crashes & runtime files (default: '.') 88 --covdir VALUE 89 New coverage is written to a separate directory (default: use the input directory) 90 --dict|-w VALUE 91 Dictionary file. Format:http://llvm.org/docs/LibFuzzer.html#dictionaries 92 --stackhash_bl|-B VALUE 93 Stackhashes blacklist file (one entry per line) 94 --mutate_cmd|-c VALUE 95 External command producing fuzz files (instead of internal mutators) 96 --pprocess_cmd VALUE 97 External command postprocessing files produced by internal mutators 98 --run_time VALUE 99 Number of seconds this fuzzing session will last (default: '0' [no limit]) 100 --iterations|-N VALUE 101 Number of fuzzing iterations (default: '0' [no limit]) 102 --rlimit_as VALUE 103 Per process RLIMIT_AS in MiB (default: '0' [no limit]) 104 --rlimit_rss VALUE 105 Per process RLIMIT_RSS in MiB (default: '0' [no limit]) 106 --rlimit_data VALUE 107 Per process RLIMIT_DATA in MiB (default: '0' [no limit]) 108 --report|-R VALUE 109 Write report to this file (default: 'HONGGFUZZ.REPORT.TXT') 110 --max_file_size|-F VALUE 111 Maximal size of files processed by the fuzzer in bytes (default: '1048576') 112 --clear_env 113 Clear all environment variables before executing the binary 114 --env|-E VALUE 115 Pass this environment variable, can be used multiple times 116 --save_all|-u 117 Save all test-cases (not only the unique ones) by appending the current time-stamp to the filenames 118 --tmout_sigvtalrm|-T 119 Use SIGVTALRM to kill timeouting processes (default: use SIGKILL) 120 --sanitizers|-S 121 Enable sanitizers settings (default: false) 122 --monitor_sigabrt VALUE 123 Monitor SIGABRT (default: 'false for Android - 'true for other platforms) 124 --no_fb_timeout VALUE 125 Skip feedback if the process has timeouted (default: 'false') 126 --exit_upon_crash 127 Exit upon seeing the first crash (default: 'false') 128 --linux_symbols_bl VALUE 129 Symbols blacklist filter file (one entry per line) 130 --linux_symbols_wl VALUE 131 Symbols whitelist filter file (one entry per line) 132 --linux_pid|-p VALUE 133 Attach to a pid (and its thread group) 134 --linux_file_pid VALUE 135 Attach to pid (and its thread group) read from file 136 --linux_addr_low_limit VALUE 137 Address limit (from si.si_addr) below which crashes are not reported, (default: '0') 138 --linux_keep_aslr 139 Don't disable ASLR randomization, might be useful with MSAN 140 --linux_perf_ignore_above VALUE 141 Ignore perf events which report IPs above this address 142 --linux_perf_instr 143 Use PERF_COUNT_HW_INSTRUCTIONS perf 144 --linux_perf_branch 145 Use PERF_COUNT_HW_BRANCH_INSTRUCTIONS perf 146 --linux_perf_bts_edge 147 Use Intel BTS to count unique edges 148 --linux_perf_ipt_block 149 Use Intel Processor Trace to count unique blocks (requires libipt.so) 150 --linux_perf_kernel_only 151 Gather kernel-only coverage with Intel PT and with Intel BTS 152 --linux_ns_net 153 Use Linux NET namespace isolation 154 --linux_ns_pid 155 Use Linux PID namespace isolation 156 --linux_ns_ipc 157 Use Linux IPC namespace isolation 158 159 Examples: 160 Run the binary over a mutated file chosen from the directory. Disable fuzzing feedback (dry/static mode) 161 honggfuzz -f input_dir -x -- /usr/bin/djpeg ___FILE___ 162 As above, provide input over STDIN: 163 honggfuzz -f input_dir -x -s -- /usr/bin/djpeg 164 Use compile-time instrumentation (libhfuzz/instrument.c): 165 honggfuzz -f input_dir -- /usr/bin/djpeg ___FILE___ 166 Use SANCOV instrumentation: 167 honggfuzz -f input_dir -C -- /usr/bin/djpeg ___FILE___ 168 Use persistent mode (libhfuzz/persistent.c) w/o instrumentation: 169 honggfuzz -f input_dir -P -x -- /usr/bin/djpeg_persistent_mode 170 Use persistent mode (libhfuzz/persistent.c) and compile-time instrumentation: 171 honggfuzz -f input_dir -P -- /usr/bin/djpeg_persistent_mode 172 Run the binary with dynamically generate inputs, maximize total no. of instructions: 173 honggfuzz --linux_perf_instr -- /usr/bin/djpeg ___FILE___ 174 As above, maximize total no. of branches: 175 honggfuzz --linux_perf_branch -- /usr/bin/djpeg ___FILE___ 176 As above, maximize unique branches (edges) via Intel BTS: 177 honggfuzz --linux_perf_bts_edge -- /usr/bin/djpeg ___FILE___ 178 As above, maximize unique code blocks via Intel Processor Trace (requires libipt.so): 179 honggfuzz --linux_perf_ipt_block -- /usr/bin/djpeg ___FILE___ 180 ``` 181 182 # OUTPUT FILES # 183 184 | **Mode** | **Output file** | 185 |:---------|:----------------| 186 | Linux | **SIGSEGV.PC.4ba1ae.STACK.13599d485.CODE.1.ADDR.0x10.INSTR.mov____0x10(%rbx),%rax.fuzz** | 187 | POSIX signal interface | **SIGSEGV.22758.2010-07-01.17.24.41.tif** | 188 189 ## Description ## 190 191 * **SIGSEGV**,**SIGILL**,**SIGBUS**,**SIGABRT**,**SIGFPE** - Description of the signal which terminated the process (when using ptrace() API, it's a signal which was delivered to the process, even if silently discarded) 192 * **PC.0x8056ad7** - Program Counter (PC) value (ptrace() API only), for x86 it's a value of the EIP register (RIP for x86-64) 193 * **STACK.13599d485** - Stack signature (based on stack-tracing) 194 * **ADDR.0x30333037** - Value of the _siginfo`_`t.si`_`addr_ (see _man 2 signaction_ for more details) (most likely meaningless for SIGABRT) 195 * **INSTR.mov____0x10(%rbx),%rax`** - Disassembled instruction which was found under the last known PC (Program Counter) (x86, x86-64 architectures only, meaningless for SIGABRT) 196 197 # FAQ # 198 199 * Q: **Why the name _honggfuzz_**? 200 * A: The term honggfuzz was coined during a major and memorable event in the city of [Zurich](http://en.wikipedia.org/wiki/H%C3%B6ngg), where a Welsh security celebrity tried to reach Hngg in a cab while singing _[Another one bites the dust](https://en.wikipedia.org/wiki/Another_One_Bites_the_Dust)_. 201 202 * Q: **Why do you prefer the ptrace() API to the POSIX signal interface**? 203 * A: The ptrace() API is more flexible when it comes to analyzing a process' crash. wait3/4() syscalls are only able to determine the type of signal which crashed an application and limited resource usage information (see _man wait4_). 204 205 * Q: **Why isn't there any support for the ptrace() API when compiling under FreeBSD or Mac OS X operating systems**? 206 * A: These operating systems lack some specific ptrace() operations, including **PT`_`GETREGS** (Mac OS X) and **PT`_`GETSIGINFO**, both of which honggfuzz depends on. If you have any ideas on how to get around this limitation, send us an email or patch. 207 208 # LICENSE # 209 210 This project is licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 211 212 # CREDITS # 213 214 * Thanks to **[taviso (a] google.com Tavis Ormandy]** for many valuable ideas used in the course of this project's design and implementation phases 215 * Thanks to my 1337 friends for all sorts of support and distraction :) - **LiquidK, lcamtuf, novocainated, asiraP, ScaryBeasts, redpig, jln** 216
