Awesome
SpecFuzz
A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.
SpecFuzz is no longer maintained.
Getting started
Dependencies
- Python 3.6+: Install Python
- Cmake: Install CMake
- LLVM 7.0.1., built from sources:
$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...
If you have trouble compiling LLVM 7.0.1 with the newest glibc, try applying this patch: https://github.com/llvm/llvm-project/commit/947f9692440836dcb8d88b74b69dd379d85974ce
- HonggFuzz, built from sources:
$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...
Build it
$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools
Try it
Build a sample vulnerable program:
$ cd example
$ make sf
clang-sf -fsanitize=address -O1 demo.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf
Try running it:
$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0
Here, the line [SF], 1, 0x123, 0x456, 0, 0x789
means that SpecFuzz detected that the instruction
at address 0x123
tried to access an invalid address 0x456
, and the speculation was triggered
by a misprediction of a branch at the address 0x789
.
Fuzz it
Build a fuzzing driver:
$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz
Fuzzing:
$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json # raw results of fuzzing
{
"errors": [],
"statistics": {
"coverage": [
75.0,
6
],
"branches": 6,
"faults": 1
},
"branches": {
"5443896": {
"address": "0x531138",
"faults": [
"0x530a48"
Important: fuzz only on a single thread (-n 1
). In the current implementation, the detected errors are reported into stderr
and the analyzer cannot correctly separate results from different threads.
Process the results:
$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json
The final, aggregated results are in aggregated.json
.
Development
Testing
Tests depend on bats (Install bats).
$ cd tests
$ ./run.sh
Cite us!
Paper:
@InProceedings{Oleksenko:2020,
author={Oleksenko, Oleksii and Trach, Bohdan and Silberstein, Mark and Fetzer, Christof},
title={{SpecFuzz: Bringing Spectre-type vulnerabilities to the surface}},
booktitle={29th USENIX Security Symposium (USENIX Security)},
year={2020}
}
Technical Report:
@Article{Oleksenko:2019,
author={Oleksenko, Oleksii and Trach, Bohdan and Silberstein, Mark and Fetzer, Christof},
title={{SpecFuzz: Bringing Spectre-type vulnerabilities to the surface}},
journal = "",
archivePrefix = "arXiv",
eprint = {1905.10311},
primaryClass = "",
year = {2019},
}