Skip to content

tudinfse/SpecFuzz

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
example
example
 
 
install
install
 
 
postprocessing
postprocessing
 
 
src
src
 
 
tests
tests
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

SpecFuzz

A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.

Have trouble using the tool? Open an issue!

The tool is relatively new and you might have trouble when installing or using it. If so, do not hesitate to open an issue.

Getting started

Dependencies

$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...
  • HonggFuzz, built from sources:
$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...

Build it

$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools

Try it

Build a sample vulnerable program:

$ cd example
$ make sf
clang-sf -fsanitize=address -O1 main.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf

Try running it:

$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0

Here, the line [SF], 1, 0x123, 0x456, 0, 0x52b519 means that SpecFuzz detected that the instruction at address 0x123 tried to access an invalid address 0x456, and the speculation was triggered by a misprediction of a branch at the address 0x789.

Fuzz it

Build a fuzzing driver:

$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz

Fuzzing:

$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json   # raw results of fuzzing
{
  "errors": [],
  "statistics": {
    "coverage": [
      75.0,
      6
    ],
    "branches": 6,
    "faults": 1
  },
  "branches": {
    "5443896": {
      "address": "0x531138",
      "faults": [
        "0x530a48"

Process the results:

$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json

The final, aggregated results are in aggregated.json.

Development

Testing

Tests depend on bats (Install bats).

$ cd tests
$ ./run.sh

About

A tool to enable fuzzing for Spectre vulnerabilities

Resources

Readme

License

View license
Activity
Custom properties

Stars

31 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 56.0%
  • C 23.3%
  • Assembly 8.1%
  • Python 6.4%
  • Shell 3.6%
  • Makefile 1.1%
  • Other 1.5%