CVSS2 score: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.015 Low (percentile 85.5%)
Honggfuzz is a general-purpose fuzzing tool. Given a starting corpus of test files, Honggfuzz supplies and modifies input to a test program and utilizes the ptrace() API / POSIX signal interface to detect and log crashes.
This is NOT an official Google product.
It should work under the following operating systems:
OS | Status | Notes |
---|---|---|
GNU/Linux | Works | ptrace() API (x86, x86-64 disassembly support) |
FreeBSD | Works | POSIX signal interface |
Mac OS X | Works | POSIX signal interface/Mac OS X crash reports (x86-64/x86 disassembly support) |
MS Windows | Doesn't work | The POSIX signal implementation provided by the Cygwin project is not sufficient |
Other Unices | Depends * | POSIX signal interface |

*) It might work provided that a given operating system implements the wait3() call.
```
$ ./honggfuzz
honggfuzz version 0.3 Robert Swiecki <[email protected]>, Copyright 2010 by Google Inc. All Rights Reserved.
 <-f val>: input file (or input dir)
 [-h]: this help
 [-q]: null-ify children's stdin, stdout, stderr; make them quiet
 [-s]: standard input fuzz, instead of providing a file argument
 [-u]: save unique test-cases only, otherwise (if not used) append
       current timestamp to the output filenames
 [-d val]: debug level (0 - FATAL ... 4 - DEBUG), default: '3' (INFO)
 [-e val]: file extension (e.g swf), default: 'fuzz'
 [-r val]: flip rate, default: '0.001'
 [-m val]: flip mode (-mB - byte, -mb - bit), default: '-mB'
 [-c val]: command modifying input files externally (instead of -r/-m)
 [-t val]: timeout (in secs), default: '3' (0 - no timeout)
 [-a val]: address limit (from si.si_addr) below which crashes
       are not reported, default: '0' (suggested: 65535)
 [-n val]: number of concurrent fuzzing processes, default: '5'
 [-l val]: per process memory limit in MiB, default: '0' (no limit)
 [-p val]: attach to a pid (a group thread), instead of monitoring
       previously created process, default: '0' (none) (ptrace only)
usage: honggfuzz -f input_dir -- /usr/bin/tiffinfo -D ___FILE___
```
Honggfuzz offers only a simple file mutation algorithm (bit/byte flips, controlled by -r and -m). This document explains how to use an external command (the -c option) to create fuzzing input instead.
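The following is an added example of such an external mutator, not code from the honggfuzz project. It assumes that honggfuzz runs the -c command with the path of the file to mutate as its only argument and expects that file to be rewritten in place (the script name mutate.sh and the invocation line in the comment are assumptions; confirm the calling convention in the ExternalFuzzerUsage.md linked below for your version). It reproduces the byte-flip mode outside honggfuzz so you can see what a custom mutator has to do, and also shows the edge case of an empty input file.

```shell
#!/bin/sh
# Added example (not honggfuzz project code): an external mutator for the -c option.
# Assumption: honggfuzz invokes "<command> <path>" and expects <path> rewritten in place:
#
#   honggfuzz -f input_dir -c ./mutate.sh -- /usr/bin/tiffinfo -D ___FILE___
#
# The mutator overwrites N pseudo-random byte positions with pseudo-random values and
# keeps the file length unchanged, i.e. the byte-flip mode (-mB) done outside honggfuzz.

# mutate_file PATH [NBYTES] [SEED]
# Overwrites NBYTES (default 4) bytes of PATH; SEED makes the offsets/values reproducible.
# Returns 1 for an empty file, which has no bytes to flip.
mutate_file() {
    f=$1
    n=${2:-4}
    seed=${3:-$$}
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    # awk emits "offset \ooo" pairs; an octal escape is the portable way to get one raw
    # byte out of printf(1). srand(seed) makes the stream deterministic for a given awk.
    awk -v n="$n" -v size="$size" -v seed="$seed" 'BEGIN {
        srand(seed)
        for (i = 0; i < n; i++)
            printf "%d \\%03o\n", int(rand() * size), int(rand() * 256)
    }' | while read -r off esc; do
        # the escape is deliberately passed as printf's format string so it is decoded;
        # dd with conv=notrunc patches exactly one byte at the chosen offset in place
        printf "$esc" | dd of="$f" bs=1 seek="$off" conv=notrunc 2>/dev/null
    done
}

# demo_mutation: mutate a constructed sample file (not a real TIFF) and succeed only if
# the content changed while the size stayed the same.
demo_mutation() {
    tmp=$(mktemp)
    printf 'II*\000 constructed sample input for the mutator example\n' > "$tmp"
    cp "$tmp" "$tmp.orig"
    origsize=$(wc -c < "$tmp" | tr -d ' ')
    mutate_file "$tmp" 4 1234
    newsize=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$newsize" -eq "$origsize" ] && ! cmp -s "$tmp" "$tmp.orig"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp" "$tmp.orig"
    return $rc
}

# When run by honggfuzz the file path is $1; with no argument, run the self-check.
if [ $# -gt 0 ]; then
    mutate_file "$1" 4
else
    demo_mutation && echo "mutation changed the sample file, size preserved"
fi
```

Because the file length is preserved, this mutator will never find bugs that need a longer or truncated input; a real -c command would typically add inserts, deletions and format-aware edits on top of this.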
Mode | Output file |
---|---|
Unique mode ( -u ) | SIGSEGV.PC.0x7ffff78c8f70.CODE.1.ADDR.0x6c9000.INSTR.mov_[rdi+0x10],_r9.ttf |
Non-unique mode | SIGSEGV.PC.0x8056ad7.CODE.1.ADDR.0x30333037.INSTR.movsx_eax,_[eax].TIME.2010-06-07.02.25.04.PID.10097.ttf |
POSIX signal interface | SIGSEGV.22758.2010-07-01.17.24.41.tif |
The file name components are:

* CODE.1: the `siginfo_t.si_code` field (see `man 2 sigaction` for more details), valid for some signals (e.g. SIGSEGV) only
* ADDR.0x6c9000: `siginfo_t.si_addr` (see `man 2 sigaction` for more details), most likely meaningless for SIGABRT
* INSTR.movsx_eax,_[eax]: the disassembled instruction found under the last known PC (program counter); x86 and x86-64 architectures only, meaningless for SIGABRT

github.com/google/honggfuzz
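The following triage helper is an added example, not part of honggfuzz. It parses the three file name formats shown above with plain shell parameter expansion and applies the same rule the -a option implements: a fault address (si_addr) below a limit such as 65535 is usually a NULL-pointer-plus-offset dereference and is deprioritised. The sample file names are constructed for this example (the first, second and fourth are the ones from the table above; the third is an invented name with a small fault address).

```shell
#!/bin/sh
# Added example (not honggfuzz project code): parse honggfuzz crash file names and rank
# them the way "-a LIMIT" would, flagging fault addresses below LIMIT as NULL-ish.

# field NAME KEY : value following ".KEY." in NAME up to the next ".", or "-" if absent.
field() {
    case $1 in
        *.$2.*) t=${1##*.$2.}; printf '%s\n' "${t%%.*}" ;;
        *)      printf '%s\n' '-' ;;
    esac
}

# parse_crash_name NAME : prints "SIGNAL PC CODE ADDR INSTR" ("-" for fields a name lacks).
parse_crash_name() {
    name=$1
    sig=${name%%.*}
    # INSTR runs to ".TIME." (non-unique mode) or to the extension (unique mode);
    # honggfuzz writes the instruction with underscores instead of spaces.
    case $name in
        *.TIME.*) body=${name%%.TIME.*} ;;
        *)        body=${name%.*} ;;
    esac
    instr=${body##*.INSTR.}
    [ "$instr" = "$body" ] && instr='-'
    printf '%s %s %s %s %s\n' "$sig" "$(field "$name" PC)" "$(field "$name" CODE)" \
        "$(field "$name" ADDR)" "$instr"
}

# addr_below_limit ADDR LIMIT : true when ADDR (hex, or "-" for unknown) is below LIMIT.
# Mirrors -a: an unknown address is never suppressed.
addr_below_limit() {
    [ "$1" != '-' ] && [ $(( $1 )) -lt "$2" ]
}

# triage_dir DIR LIMIT : one line per crash file, then "interesting=N" counting crashes
# whose fault address is unknown or at/above LIMIT.
triage_dir() {
    dir=$1; limit=$2; interesting=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        read -r sig pc code addr instr <<EOF
$(parse_crash_name "${f##*/}")
EOF
        if addr_below_limit "$addr" "$limit"; then
            tag=NULLISH
        else
            tag=REVIEW; interesting=$((interesting + 1))
        fi
        printf '%-7s %-8s pc=%-16s code=%-2s addr=%-12s %s\n' \
            "$tag" "$sig" "$pc" "$code" "$addr" "$instr"
    done
    echo "interesting=$interesting"
}

# make_sample_dir : creates empty files named like honggfuzz output (constructed for this
# example, covering all three formats) in a temporary directory and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/SIGSEGV.PC.0x7ffff78c8f70.CODE.1.ADDR.0x6c9000.INSTR.mov_[rdi+0x10],_r9.ttf" \
          "$d/SIGSEGV.PC.0x8056ad7.CODE.1.ADDR.0x30333037.INSTR.movsx_eax,_[eax].TIME.2010-06-07.02.25.04.PID.10097.ttf" \
          "$d/SIGSEGV.PC.0x400612.CODE.1.ADDR.0x10.INSTR.mov_eax,_[rdi+0x10].ttf" \
          "$d/SIGSEGV.22758.2010-07-01.17.24.41.tif"
    printf '%s\n' "$d"
}

d=$(make_sample_dir)
triage_dir "$d" 65535
rm -rf "$d"
```

Crashes recorded through the POSIX signal interface carry no PC, code or address, so they can never be suppressed by an address limit and always land in the review bucket; they have to be reproduced under a debugger to get the same information.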
github.com/google/honggfuzz/blob/master/docs/AttachingToPid.md
github.com/google/honggfuzz/blob/master/docs/capstone.md
github.com/google/honggfuzz/blob/master/docs/ExternalFuzzerUsage.md
github.com/google/honggfuzz/blob/master/docs/FeedbackDrivenFuzzing.md
github.com/google/honggfuzz/blob/master/docs/USAGE.md#description