Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)
Honggfuzz
A security-oriented, feedback-driven, evolutionary fuzzer.
Honggfuzz is a general-purpose fuzzer that uses code coverage (software and hardware-based) to find bugs. It is multi-process, multi-threaded, and supports persistent fuzzing for extreme speed.
Key Features
- Fast: Multi-process and multi-threaded engine. unlocking full CPU potential.
- Persistent Fuzzing: Test APIs directly in-process with iteration speeds up to 1M/sec.
- Feedback-Driven: Uses hardware (Intel BTS/PT) and software code coverage to evolve inputs.
- Easy: Can start with an empty corpus and automatically build a valid input set.
- Deep Monitoring: Uses low-level APIs (
ptrace) to detect hijacked signals and hidden crashes. - Broad Support: Linux, macOS, Android, NetBSD, FreeBSD, and Windows (Cygwin).
Installation
Dependencies
Linux (Ubuntu/Debian)
sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang
macOS Requires Xcode (10.8+) and libblocksruntime.
Build
make
Compilation wrappers are created in hfuzz_cc/
Usage
1. Compile Target
Use the provided compiler wrappers to automatically add instrumentation:# C code
./hfuzzcc/hfuzz-clang -o mytarget my_target.c
C++ code
./hfuzzcc/hfuzz-clang++ -o mytarget my_target.cpp
2. Run Fuzzer
Point it to an input corpus directory (can be empty) and your binary:# Basic run
./honggfuzz -i inputdir/ -- ./mytarget FILE
Persistent mode (faster)
./honggfuzz -P -i inputdir/ -- ./mytarget
Note: FILE is a placeholder for the input filename generated by honggfuzz.
For advanced examples (Apache, OpenSSL, BIND, etc.), check the examples/ directory.
See USAGE.md for detailed options.
Trophies
Honggfuzz has discovered major security vulnerabilities in critical software.
HTTP & Servers
- Apache HTTPD:
- OpenSSH: Pre-auth remote crash (commit 28652bca)
- BIND: Multiple bugs
- NGINX Unit: Infinite loop
- ProFTPD: CVE-2019-18217 (DoS)
- Samba: CVE-2019-14907, CVE-2020-10745, CVE-2021-20277
Cryptography & SSL
- OpenSSL:
- LibreSSL: Multiple crashes and invalid frees
- BoringSSL: Uninitialized memory use
- Crypto++: CVE-2016-9939 (Remote DoS)
Languages & Interpreters
- PHP: WDDX bugs, generic interpreter crashes
- Python/Ruby: Interpreter bugs
- Rust: Panics/safety issues in
regex,h2,sleep-parser,lewton - Perl: Multiple interpreter crashes
Media & Formats
- FreeType 2: CVE-2010-2497 through CVE-2010-2527 (7+ CVEs)
- LibTIFF: Multiple bugs
- LibJPEG/Turbo: Multiple bugs
- VLC: Double-free RCE
- Adobe Flash: CVE-2015-0316
- ImageIO (iOS/macOS): Multiple security problems (Project Zero)
- LibreOffice: Memory corruption
System & Utils
- Systemd: Tested by honggfuzz
- fwupd: 17+ bugs found
- TCPDump: Multiple bugs
- Rsyslog: Multiple bugs
Projects Using Honggfuzz
- Google OSS-Fuzz: Continuous fuzzing for open source software.
- Android: Used by Android Security team.
- Rust:
honggfuzz-rscrate for fuzzing Rust code. - Bitcoin Core: Fuzzing infrastructure.
- Apache HTTP Server: CI fuzzing.
- Systemd: CI fuzzing.
- Cifasis QuickFuzz
- Mozilla FuzzOS
License
Apache License 2.0.
This is NOT an official Google product