honggfuzz-rs

Fuzz your Rust code with Google-developped Honggfuzz !

Documentation

About Honggfuzz

Honggfuzz is a security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (software- and hardware-based).

• project homepage honggfuzz.com
• project repository github.com/google/honggfuzz
• this upstream project is maintained by Google, but ...
• this is NOT an official Google product

Compatibility

• Rust: stable, beta, nightly
• OS: GNU/Linux, macOS, FreeBSD, Android, WSL (Windows Subsystem for Linux)
• Arch: x86_64, x86, arm64-v8a, armeabi-v7a, armeabi
• Sanitizer: none, address, thread, leak

How to use this crate

Install honggfuzz commands to build with instrumentation and fuzz

```sh

installs hfuzz and honggfuzz subcommands in cargo

cargo install honggfuzz ```

Add to your dependencies

toml [dependencies] honggfuzz = "0.5"

Create a target to fuzz

```rust

[macro_use] extern crate honggfuzz;

fn main() { // Here you can parse `std::env::args and // setup / initialize your project

// You have full control over the loop but
// you're supposed to call `fuzz` ad vitam aeternam
loop {
    // The fuzz macro gives an arbitrary object (see `arbitrary crate`)
    // to a closure-like block of code.
    // For performance reasons, it is recommended that you use the native type
    // `&[u8]` when possible.
    // Here, this slice will contain a "random" quantity of "random" data.
    fuzz!(|data: &[u8]| {
        if data.len() != 6 {return}
        if data[0] != b'q' {return}
        if data[1] != b'w' {return}
        if data[2] != b'e' {return}
        if data[3] != b'r' {return}
        if data[4] != b't' {return}
        if data[5] != b'y' {return}
        panic!("BOOM")
    });
}

}

```

Fuzz for fun and profit !

```sh

builds with fuzzing instrumentation and then runs the "example" target

cargo hfuzz run example ```

Once you got a crash, replay it easily in a debug environment

```sh

builds the target in debug mode and replays automatically the crash in rust-lldb

cargo hfuzz run-debug example fuzzing_workspace/*.fuzz ```

Clean

```sh

a wrapper on "cargo clean" which cleans the fuzzing_target directory

cargo hfuzz clean ```

Environment variables

RUSTFLAGS

You can use RUSTFLAGS to send additional arguments to rustc.

For instance, you can enable the use of LLVM's sanitizers. This is a recommended option if you want to test your unsafe rust code but it will have an impact on performance.

sh RUSTFLAGS="-Z sanitizer=address" cargo hfuzz run example

HFUZZ_BUILD_ARGS

You can use HFUZZ_BUILD_ARGS to send additional arguments to cargo build.

HFUZZ_RUN_ARGS

You can use HFUZZ_RUN_ARGS to send additional arguments to honggfuzz. See USAGE for the list of those.

For example:

```sh

1 second of timeout

use 12 fuzzing thread

be verbose

stop after 1000000 fuzzing iteration

exit upon crash

HFUZZRUNARGS="-t 1 -n 12 -v -N 1000000 --exituponcrash" cargo hfuzz run example ```

HFUZZ_DEBUGGER

By default we use rust-lldb but you can change it to rust-gdb, gdb, /usr/bin/lldb-7 ...

Relevant documentation about honggfuzz

• USAGE
• FeedbackDrivenFuzzing
• PersistentFuzzing

About Rust fuzzing

There is other projects providing Rust fuzzing support at github.com/rust-fuzz.

You'll find support for AFL and LLVM's LibFuzzer and there is also a trophy case ;-) .

This crate was inspired by those projects!