A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.
The tool is relatively new and you might have trouble when installing or using it. If so, do not hesitate to open an issue.
- Python 3.6+: Install Python
- CMake: Install CMake
- LLVM 7.0.1, built from sources:

  ```bash
  $ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
  $ /llvm/installation/directory/clang -v
  clang version 7.0.1 (tags/RELEASE_701/final)
  ...
  ```

- HonggFuzz, built from sources:

  ```bash
  $ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
  $ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
  $ honggfuzz
  Usage: honggfuzz [options] -- path_to_command [args]
  Options:
  ...
  ```
Build and install SpecFuzz itself (HONGG_SRC must point at the HonggFuzz source directory built above):

```bash
$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools
```
Build a sample vulnerable program:

```bash
$ cd example
$ make sf
clang-sf -fsanitize=address -O1 main.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf
```

Try running it:

```bash
$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0
```
Here, the line `[SF], 1, 0x123, 0x456, 0, 0x789` means that SpecFuzz detected that the instruction at address `0x123` tried to access an invalid address `0x456`, and that the speculation was triggered by a misprediction of the branch at address `0x789`.
Build a fuzzing driver:

```bash
$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz
```
Fuzzing:

```bash
$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json # raw results of fuzzing
{
  "errors": [],
  "statistics": {
    "coverage": [
      75.0,
      6
    ],
    "branches": 6,
    "faults": 1
  },
  "branches": {
    "5443896": {
      "address": "0x531138",
      "faults": [
        "0x530a48"
```
Process the results:

```bash
$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json
```

The final, aggregated results are in `aggregated.json`.
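To make the collection step concrete, here is an added example (not part of SpecFuzz's own `analyzer`) that parses `[SF]` detection lines from a constructed log in the format shown for `demo-sf` above and groups the faulting instructions per mispredicted branch, mirroring the shape of the `branches` object in `results.json` (decimal branch address as key, hex `address`, list of hex `faults`). The two plain integer fields in each line are not documented above, so the parser keeps them without interpreting them.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# One "[SF], <n>, <instr>, <accessed>, <m>, <branch>" line; <n> and <m> are
# not documented above, so they are captured but not interpreted.
SF_LINE = re.compile(
    r"^\[SF\],\s*(?P<f1>\d+),\s*(?P<instr>0x[0-9a-f]+),\s*(?P<addr>0x[0-9a-f]+),"
    r"\s*(?P<f4>\d+),\s*(?P<branch>0x[0-9a-f]+)\s*$", re.IGNORECASE)


class Detection(NamedTuple):
    instr: int    # instruction that performed the speculative access
    addr: int     # invalid address it tried to access
    branch: int   # mispredicted branch that opened the speculative window
    extra: tuple  # the two undocumented integer fields, verbatim


def parse_sf_line(line: str) -> Optional[Detection]:
    """Return a Detection for an "[SF], ..." line, None for any other line."""
    m = SF_LINE.match(line.strip())
    if m is None:
        return None
    return Detection(int(m["instr"], 16), int(m["addr"], 16),
                     int(m["branch"], 16), (int(m["f1"]), int(m["f4"])))


def collect(lines) -> dict:
    """Group faulting instructions by branch, keyed like results.json:
    decimal branch address -> {"address": hex, "faults": [hex, ...]}."""
    faults = defaultdict(set)
    for line in lines:
        d = parse_sf_line(line)
        if d is not None:
            faults[d.branch].add(d.instr)  # a set deduplicates repeat hits
    return {str(b): {"address": hex(b), "faults": [hex(i) for i in sorted(s)]}
            for b, s in sorted(faults.items())}


# Constructed sample log (not real SpecFuzz output): two runs, two branches.
SAMPLE_LOG = """\
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
[SF], 1, 0x130, 0x460, 0, 0x789
[SF], 1, 0x123, 0x470, 0, 0x789
r = 0
[SF] Starting
[SF], 1, 0x530a48, 0x7fff0000, 0, 0x531138
"""

if __name__ == "__main__":
    for key, entry in collect(SAMPLE_LOG.splitlines()).items():
        print(key, entry["address"], "->", ", ".join(entry["faults"]))
```

The `coverage` statistics in `results.json` are not reproduced here, since the README does not define how they are computed.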
Tests depend on bats (Install bats).

```bash
$ cd tests
$ ./run.sh
```