Lucene search

HistoryJun 05, 2015 - 3:50 p.m.

General Purpose Fuzzing: Honggfuzz


0.018 Low




Honggfuzz is a general-purpose fuzzing tool. Given a starting corpus of test files, Hongfuzz supplies and modifies input to a test program and utilize the ptrace() API / POSIX signal interface to detect and log crashes.

General Purpose Fuzzing: Honggfuzz General Purpose Fuzzing: Honggfuzz General Purpose Fuzzing: Honggfuzz General Purpose Fuzzing: Honggfuzz


  • Easy setup : No complicated configuration files or setup necessary — Hongfuzz can be run directly from the command line.
  • Fast : Multiple Hongfuzz instances can be run simultaneously for more efficient fuzzing.
  • Powerful analysis capabilities : Hongfuzz will use the most powerful process state analysis (e.g. ptrace) interface under a given OS.


  • A POSIX compilant operating system
  • (under Linux) – BFD library (libbfd-dev) and LibUnwind (libunwind-dev/libunwind8-dev)
  • (under FreeBSD) – gmake
  • The capstone library (wth x86/amd64 Linux boxes)
  • A corpus of input files. Honggfuzz expects a set of files to use and modify as input to the application you’re fuzzing. How you get or create these files is up to you, but you might be interested in the following sources:
    • Image formats: Tavis Ormandy’s Image Testuite has been effective at finding vulnerabilities in various graphics libraries.
    • PDF: Adobe provides some test PDF files .


This is NOT an official Google product.

Compatibility list

It should work under the following operating systems:

OS Status Notes
GNU/Linux Works ptrace() API (x86, x86-64 disassembly support)
FreeBSD Works POSIX signal interface
Mac OS X Works POSIX signal interface/Mac OS X crash reports (x86-64/x86 disassembly support)
MS Windows Doesn’t work The POSIX signal implementation provided by the Cygwin project is not sufficient
Other Unices Depends * POSIX signal interface

_ * ) It might work provided that a given operating system implements wait3() call _


$ ./honggfuzz 
honggfuzz version 0.3 Robert Swiecki <[email protected]>, Copyright 2010 by Google Inc. All Rights Reserved.
 <-f val>: input file (or input dir)
 [-h]: this help
 [-q]: null-ify children's stdin, stdout, stderr; make them quiet
 [-s]: standard input fuzz, instead of providing a file argument
 [-u]: save unique test-cases only, otherwise (if not used) append
       current timestamp to the output filenames
 [-d val]: debug level (0 - FATAL ... 4 - DEBUG), default: '3' (INFO)
 [-e val]: file extension (e.g swf), default: 'fuzz'
 [-r val]: flip rate, default: '0.001'
 [-m val]: flip mode (-mB - byte, -mb - bit), default: '-mB'
 [-c val]: command modifying input files externally (instead of -r/-m)
 [-t val]: timeout (in secs), default: '3' (0 - no timeout)
 [-a val]: address limit (from si.si_addr) below which crashes
           are not reported, default: '0' (suggested: 65535)
 [-n val]: number of concurrent fuzzing processes, default: '5'
 [-l val]: per process memory limit in MiB, default: '0' (no limit)
 [-p val]: attach to a pid (a group thread), instead of monitoring
           previously created process, default: '0' (none) (ptrace only)
usage: honggfuzz -f input_dir -- /usr/bin/tiffinfo -D ___FILE___

Honggfuzz offers simple file mutation algorithm only (bits/bytes). This document explains how to use an external command to create fuzzing input.

Output Files

Mode Output file
Unique mode ( -u ) _ [ rdi+0x10 ] , _ r9 .ttf
Non-unique mode SIGSEGV.PC.0x8056ad7.CODE.1.ADDR.0x30333037.INSTR.movsx_eax, _ [ eax ] .TIME.2010-06-
POSIX signal interface SIGSEGV.22758.2010-07-


  • SIGSEGV , SIGILL , SIGBUS , SIGABRT , SIGFPE – Description of the signal which terminated the process (when using ptrace() API, it’s a signal which was delivered to the process, even if silently discarded)
  • PC.0x8056ad7 – Program Counter (PC) value (ptrace() API only), for x86 it’s a value of the EIP register (RIP for x86-64)
  • CODE.1 – Value of the _ siginfo_ _code _ field (see _ man 2 signaction _ for more details), valid for some signals (e.g. SIGSEGV) only
  • ADDR.0x30333037 – Value of the _ siginfo_ _addr _ (see _ man 2 signaction _ for more details) (most likely meaningless for SIGABRT)
  • INSTR.movsx_eax, _ [ eax ] – Disassembled instruction which was found under the last known PC (Program Counter) (x86, x86-64 architectures only, meaningless for SIGABRT)
  • TIME.2010-06- – Local time when the signal was delivered
  • PID.10097 – Fuzzing process’ id (PID) (See AttachingToPid for more)

General Purpose Fuzzing: Honggfuzz download