General Purpose Fuzzing: Honggfuzz

2015-06-05T15:50:13
ID N0WHERE:31614
Type n0where
Reporter N0where
Modified 2015-06-05T15:50:13

Description

Honggfuzz is a general-purpose fuzzing tool. Given a starting corpus of test files, Hongfuzz supplies and modifies input to a test program and utilize the ptrace() API / POSIX signal interface to detect and log crashes.

General Purpose Fuzzing: Honggfuzz General Purpose Fuzzing: Honggfuzz General Purpose Fuzzing: Honggfuzz General Purpose Fuzzing: Honggfuzz

Features

  • Easy setup : No complicated configuration files or setup necessary — Hongfuzz can be run directly from the command line.
  • Fast : Multiple Hongfuzz instances can be run simultaneously for more efficient fuzzing.
  • Powerful analysis capabilities : Hongfuzz will use the most powerful process state analysis (e.g. ptrace) interface under a given OS.

Requirements

  • A POSIX compilant operating system
  • (under Linux) – BFD library (libbfd-dev) and LibUnwind (libunwind-dev/libunwind8-dev)
  • (under FreeBSD) – gmake
  • The capstone library (wth x86/amd64 Linux boxes)
  • A corpus of input files. Honggfuzz expects a set of files to use and modify as input to the application you’re fuzzing. How you get or create these files is up to you, but you might be interested in the following sources:
    • Image formats: Tavis Ormandy’s Image Testuite has been effective at finding vulnerabilities in various graphics libraries.
    • PDF: Adobe provides some test PDF files .

Description

This is NOT an official Google product.

Compatibility list

It should work under the following operating systems:

OS | Status | Notes
---|---|---
GNU/Linux | Works | ptrace() API (x86, x86-64 disassembly support)
FreeBSD | Works | POSIX signal interface
Mac OS X | Works | POSIX signal interface/Mac OS X crash reports (x86-64/x86 disassembly support)
MS Windows | Doesn’t work | The POSIX signal implementation provided by the Cygwin project is not sufficient
Other Unices | Depends * | POSIX signal interface

_ * ) It might work provided that a given operating system implements wait3() call _

Usage

$ ./honggfuzz 
honggfuzz version 0.3 Robert Swiecki <swiecki@google.com>, Copyright 2010 by Google Inc. All Rights Reserved.
 <-f val>: input file (or input dir)
 [-h]: this help
 [-q]: null-ify children's stdin, stdout, stderr; make them quiet
 [-s]: standard input fuzz, instead of providing a file argument
 [-u]: save unique test-cases only, otherwise (if not used) append
       current timestamp to the output filenames
 [-d val]: debug level (0 - FATAL ... 4 - DEBUG), default: '3' (INFO)
 [-e val]: file extension (e.g swf), default: 'fuzz'
 [-r val]: flip rate, default: '0.001'
 [-m val]: flip mode (-mB - byte, -mb - bit), default: '-mB'
 [-c val]: command modifying input files externally (instead of -r/-m)
 [-t val]: timeout (in secs), default: '3' (0 - no timeout)
 [-a val]: address limit (from si.si_addr) below which crashes
           are not reported, default: '0' (suggested: 65535)
 [-n val]: number of concurrent fuzzing processes, default: '5'
 [-l val]: per process memory limit in MiB, default: '0' (no limit)
 [-p val]: attach to a pid (a group thread), instead of monitoring
           previously created process, default: '0' (none) (ptrace only)
usage: honggfuzz -f input_dir -- /usr/bin/tiffinfo -D ___FILE___

Honggfuzz offers simple file mutation algorithm only (bits/bytes). This document explains how to use an external command to create fuzzing input.

Output Files

Mode | Output file
---|---
Unique mode ( -u ) | SIGSEGV.PC.0x7ffff78c8f70.CODE.1.ADDR.0x6c9000.INSTR.mov _ [ rdi+0x10 ] , _ r9 .ttf
Non-unique mode | SIGSEGV.PC.0x8056ad7.CODE.1.ADDR.0x30333037.INSTR.movsx_eax, _ [ eax ] .TIME.2010-06-07.02.25.04.PID.10097.ttf
POSIX signal interface | SIGSEGV.22758.2010-07-01.17.24.41.tif

Description

  • SIGSEGV , SIGILL , SIGBUS , SIGABRT , SIGFPE – Description of the signal which terminated the process (when using ptrace() API, it’s a signal which was delivered to the process, even if silently discarded)
  • PC.0x8056ad7 – Program Counter (PC) value (ptrace() API only), for x86 it’s a value of the EIP register (RIP for x86-64)
  • CODE.1 – Value of the _ siginfo_ t.si _code _ field (see _ man 2 signaction _ for more details), valid for some signals (e.g. SIGSEGV) only
  • ADDR.0x30333037 – Value of the _ siginfo_ t.si _addr _ (see _ man 2 signaction _ for more details) (most likely meaningless for SIGABRT)
  • INSTR.movsx_eax, _ [ eax ] – Disassembled instruction which was found under the last known PC (Program Counter) (x86, x86-64 architectures only, meaningless for SIGABRT)
  • TIME.2010-06-07.02.25.04 – Local time when the signal was delivered
  • PID.10097 – Fuzzing process’ id (PID) (See AttachingToPid for more)

General Purpose Fuzzing: Honggfuzz download