/SpecFuzz

A tool to enable fuzzing for Spectre vulnerabilities

Primary LanguageC++OtherNOASSERTION

SpecFuzz

A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.

Have trouble using the tool? Open an issue!

The tool is relatively new and you might have trouble when installing or using it. If so, do not hesitate to open an issue.

Getting started

Dependencies

$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...
  • HonggFuzz, built from sources:
$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...

Build it

$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools

Try it

Build a sample vulnerable program:

$ cd example
$ make sf
clang-sf -fsanitize=address -O1 main.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf

Try running it:

$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0

Here, the line [SF], 1, 0x123, 0x456, 0, 0x52b519 means that SpecFuzz detected that the instruction at address 0x123 tried to access an invalid address 0x456, and the speculation was triggered by a misprediction of a branch at the address 0x789.

Fuzz it

Build a fuzzing driver:

$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz

Fuzzing:

$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json   # raw results of fuzzing
{
  "errors": [],
  "statistics": {
    "coverage": [
      75.0,
      6
    ],
    "branches": 6,
    "faults": 1
  },
  "branches": {
    "5443896": {
      "address": "0x531138",
      "faults": [
        "0x530a48"

Process the results:

$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json

The final, aggregated results are in aggregated.json.

Development

Testing

Tests depend on bats (Install bats).

$ cd tests
$ ./run.sh