A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.
The tool is relatively new and you might have trouble when installing or using it. If so, do not hesitate to open an issue.
- Python 3.6+: Install Python
- Cmake: Install CMake
- LLVM 7.0.1., built from sources:
$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...- HonggFuzz, built from sources:
$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_toolsBuild a sample vulnerable program:
$ cd example
$ make sf
clang-sf -fsanitize=address -O1 main.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sfTry running it:
$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0Here, the line [SF], 1, 0x123, 0x456, 0, 0x52b519 means that SpecFuzz detected that the instruction
at address 0x123 tried to access an invalid address 0x456, and the speculation was triggered
by a misprediction of a branch at the address 0x789.
Build a fuzzing driver:
$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzzFuzzing:
$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json # raw results of fuzzing
{
"errors": [],
"statistics": {
"coverage": [
75.0,
6
],
"branches": 6,
"faults": 1
},
"branches": {
"5443896": {
"address": "0x531138",
"faults": [
"0x530a48"Process the results:
$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.jsonThe final, aggregated results are in aggregated.json.
Tests depend on bats (Install bats).
$ cd tests
$ ./run.shPaper:
@InProceedings{Oleksenko:2020,
author={Oleksenko, Oleksii and Trach, Bohdan and Silberstein, Mark and Fetzer, Christof},
title={{SpecFuzz: Bringing Spectre-type vulnerabilities to the surface}},
booktitle={29th $\{$USENIX$\}$ Security Symposium ($\{$USENIX$\}$ Security)},
year={2020}
}
Technical Report:
@Article{Oleksenko:2019,
author={Oleksenko, Oleksii and Trach, Bohdan and Silberstein, Mark and Fetzer, Christof},
title={{SpecFuzz: Bringing Spectre-type vulnerabilities to the surface}},
journal = "",
archivePrefix = "arXiv",
eprint = {1905.10311},
primaryClass = "",
year = {2019},
}