Honggfuzz

A security-oriented, feedback-driven, evolutionary fuzzer.

Honggfuzz is a general-purpose fuzzer that uses code coverage (software and hardware-based) to find bugs. It is multi-process, multi-threaded, and supports persistent fuzzing for extreme speed.

Key Features

• Fast: Multi-process and multi-threaded engine. unlocking full CPU potential.
• Persistent Fuzzing: Test APIs directly in-process with iteration speeds up to 1M/sec.
• Feedback-Driven: Uses hardware (Intel BTS/PT) and software code coverage to evolve inputs.
• Easy: Can start with an empty corpus and automatically build a valid input set.
• Deep Monitoring: Uses low-level APIs (ptrace) to detect hijacked signals and hidden crashes.
• Broad Support: Linux, macOS, Android, NetBSD, FreeBSD, and Windows (Cygwin).

Installation

Dependencies

Linux (Ubuntu/Debian)

sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang

macOS Requires Xcode (10.8+) and libblocksruntime.

Build

make
# Compilation wrappers are created in hfuzz_cc/

Usage

1. Compile Target

Use the provided compiler wrappers to automatically add instrumentation:

# C code
./hfuzz_cc/hfuzz-clang -o my_target my_target.c

# C++ code
./hfuzz_cc/hfuzz-clang++ -o my_target my_target.cpp

2. Run Fuzzer

Point it to an input corpus directory (can be empty) and your binary:

# Basic run
./honggfuzz -i input_dir/ -- ./my_target ___FILE___

# Persistent mode (faster)
./honggfuzz -P -i input_dir/ -- ./my_target

Note: ___FILE___ is a placeholder for the input filename generated by honggfuzz.

For advanced examples (Apache, OpenSSL, BIND, etc.), check the examples/ directory.

See USAGE.md for detailed options.

Trophies

Honggfuzz has discovered major security vulnerabilities in critical software.

HTTP & Servers

• Apache HTTPD:
  • CVE-2017-7659 (mod_http2 remote crash)
  • CVE-2017-9789 (Use-after-free)
  • CVE-2018-1301, CVE-2018-1302, CVE-2018-1303
• OpenSSH: Pre-auth remote crash (commit 28652bca)
• BIND: Multiple bugs
• NGINX Unit: Infinite loop
• ProFTPD: CVE-2019-18217 (DoS)
• Samba: CVE-2019-14907, CVE-2020-10745, CVE-2021-20277

Cryptography & SSL

• OpenSSL:
  • CVE-2016-6309 (Critical, Potential RCE)
  • CVE-2015-1789, CVE-2016-7054, CVE-2017-3731
• LibreSSL: Multiple crashes and invalid frees
• BoringSSL: Uninitialized memory use
• Crypto++: CVE-2016-9939 (Remote DoS)

Languages & Interpreters

• PHP: WDDX bugs, generic interpreter crashes
• Python/Ruby: Interpreter bugs
• Rust: Panics/safety issues in regex, h2, sleep-parser, lewton
• Perl: Multiple interpreter crashes

Media & Formats

• FreeType 2: CVE-2010-2497 through CVE-2010-2527 (7+ CVEs)
• LibTIFF: Multiple bugs
• LibJPEG/Turbo: Multiple bugs
• VLC: Double-free RCE
• Adobe Flash: CVE-2015-0316
• ImageIO (iOS/macOS): Multiple security problems (Project Zero)
• LibreOffice: Memory corruption

System & Utils

• Systemd: Tested by honggfuzz
• fwupd: 17+ bugs found
• TCPDump: Multiple bugs
• Rsyslog: Multiple bugs

(See OSS-Fuzz for hundreds more)

Projects Using Honggfuzz

• Google OSS-Fuzz: Continuous fuzzing for open source software.
• Android: Used by Android Security team.
• Rust: honggfuzz-rs crate for fuzzing Rust code.
• Bitcoin Core: Fuzzing infrastructure.
• Apache HTTP Server: CI fuzzing.
• Systemd: CI fuzzing.
• Cifasis QuickFuzz
• Mozilla FuzzOS

License

Apache License 2.0.

This is NOT an official Google product