honggfuzz-rs

Fuzz your Rust code with Honggfuzz !

About Honggfuzz

• project homepage http://honggfuzz.com/
• project repository https://github.com/google/honggfuzz

Description (from upstream project)

• It's multi-process and multi-threaded: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with one process. The file corpus is automatically shared and improved between the fuzzing threads.
• It's blazingly fast when in the persistent fuzzing mode). A simple/empty LLVMFuzzerTestOneInput function can be tested with up to 1mo iterations per second on a relatively modern CPU (e.g. i7-6700K)
• Has a solid track record of uncovered security bugs: the only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz. See the Trophies paragraph for the summary of findings to the date
• Uses low-level interfaces to monitor processes (e.g. ptrace under Linux). As opposed to other fuzzers, it will discover and report hijacked/ignored signals (intercepted and potentially hidden by signal handlers)
• Easy-to-use, feed it a simple corpus directory (can even be empty) and it will work its way up expanding it utilizing feedback-based coverage metrics
• Supports several (more than any other coverage-based feedback-driven fuzzer) hardware-based (CPU: branch/instruction counting, Intel BTS, Intel PT) and software-based feedback-driven fuzzing methods known from other fuzzers (libfuzzer, afl)
• Works (at least) under GNU/Linux, FreeBSD, Mac OS X, Windows/CygWin and Android
• Supports the persistent fuzzing mode (long-lived process calling a fuzzed API repeatedly) with libhfuzz/libhfuzz.a. More on that can be found here
• Can fuzz remote/standalone long-lasting processes (e.g. network servers like Apache's httpd and ISC's bind), though the persistent fuzzing mode is suggested instead: as it's faster and multiple instances of a service can be fuzzed with this
• It comes with the examples directory, consisting of real world fuzz setups for widely-used software (e.g. Apache and OpenSSL)

How to use this crate

Install honggfuzz command to build with instrumentation and fuzz

cargo install honggfuzz # will install honggfuzz and honggfuzz-build subcommands in cargo

Add to your dependencies

[dependencies]
honggfuzz = "0.2"

Add code snippet to fuzz

#![no_main]
#[macro_use] extern crate honggfuzz;

fuzz_target!(|data: &[u8]| {
    if data.len() != 10 {return}
    if data[0] != 'q' as u8 {return}
    if data[1] != 'w' as u8 {return}
    if data[2] != 'e' as u8 {return}
    if data[3] != 'r' as u8 {return}
    if data[4] != 't' as u8 {return}
    if data[5] != 'y' as u8 {return}
    if data[6] != 'u' as u8 {return}
    if data[7] != 'i' as u8 {return}
    if data[8] != 'o' as u8 {return}
    if data[9] != 'p' as u8 {return}
    panic!("BOOM")
});

Build with instrumentation

cargo honggfuzz-build # a wrapper on "cargo build" with fuzzing instrumentation enabled. produces binaries in "fuzzing_target" directory

Fuzz

mkdir in
cargo honggfuzz -f in -P -- fuzzing_target/x86_64-unknown-linux-gnu/debug/fuzzme # a wrapper on honggfuzz executable with settings adapted to work with Rust code