
TrueType and OpenType font fuzzing toolset

Primary language: C++. License: Apache License 2.0 (Apache-2.0).

BrokenType

BrokenType is a set of tools designed to test the robustness and security of font rasterization software, especially codebases written in C/C++ and similar languages that are prone to memory corruption issues. It consists of the following components:

Each utility's description and usage instructions can be found in its own README.

The programs and scripts were successfully used in 2015-2019 to discover and report 20 vulnerabilities in the font rasterization code present in the Windows kernel (win32k.sys and atmfd.dll drivers), 19 security flaws in the user-mode Microsoft Uniscribe library, as well as 9 bugs in the FontSub.dll library and several issues in DirectWrite. The fuzzing efforts were discussed in the following Google Project Zero blog posts:

and the "Reverse engineering and exploiting font rasterizers" talk given in September 2015 at the 44CON conference in London. The two most notable issues found by the tool were CVE-2015-2426 and CVE-2015-2455: respectively, an OTF bug that collided with an exploit found in the Hacking Team leak, and a TTF bug that collided with KeenTeam's exploit for Pwn2Own 2015.

Disclaimer

This is not an official Google product.