Skip to content

tudinfse/SpecFuzz

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits

example

example

 
 

install

install

 
 

postprocessing

postprocessing

 
 

src

src

 
 

tests

tests

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

Repository files navigation

SpecFuzz

A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.

Have trouble using the tool? Open an issue!

The tool is relatively new and you might have trouble when installing or using it. If so, do not hesitate to open an issue.

Getting started

Dependencies

$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...
  • HonggFuzz, built from sources:
$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...

Build it

$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools

Try it

Build a sample vulnerable program:

$ cd example
$ make sf
clang-sf -fsanitize=address -O1 main.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf

Try running it:

$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0

Here, the line [SF], 1, 0x123, 0x456, 0, 0x52b519 means that SpecFuzz detected that the instruction at address 0x123 tried to access an invalid address 0x456, and the speculation was triggered by a misprediction of a branch at the address 0x789.

Fuzz it

Build a fuzzing driver:

$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz

Fuzzing:

$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json   # raw results of fuzzing
{
  "errors": [],
  "statistics": {
    "coverage": [
      75.0,
      6
    ],
    "branches": 6,
    "faults": 1
  },
  "branches": {
    "5443896": {
      "address": "0x531138",
      "faults": [
        "0x530a48"

Process the results:

$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json

The final, aggregated results are in aggregated.json.

Development

Testing

Tests depend on bats (Install bats).

$ cd tests
$ ./run.sh

About

A tool to enable fuzzing for Spectre vulnerabilities

Resources

Readme

License

View license
Activity
Custom properties

Stars

30 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 56.0%
  • C 23.3%
  • Assembly 8.1%
  • Python 6.4%
  • Shell 3.6%
  • Makefile 1.1%
  • Other 1.5%