SpecFuzz

A tool to enable fuzzing for Spectre vulnerabilities. See our Technical Report for details.

SpecFuzz is no longer maintained.

Getting started

Dependencies

Python 3.6+: Install Python
Cmake: Install CMake

LLVM 7.0.1., built from sources:

$ INSTALL_DIR=/llvm/installation/directory/ ./install/llvm.sh
$ /llvm/installation/directory/clang -v
clang version 7.0.1 (tags/RELEASE_701/final)
...

If you have trouble compiling LLVM 7.0.1 with the newest glibc, try applying this patch: https://github.com/llvm/llvm-project/commit/947f9692440836dcb8d88b74b69dd379d85974ce

HonggFuzz, built from sources:

$ apt-get install -y libbfd-dev libunwind8-dev binutils-dev libblocksruntime-dev
$ INSTALL_DIR=/honggfuzz/installation/directory/ ./install/honggfuzz.sh
$ honggfuzz
Usage: honggfuzz [options] -- path_to_command [args]
Options:
...

Build it

$ make
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make install
$ make install_tools

Try it

Build a sample vulnerable program:

$ cd example
$ make sf
clang-sf -fsanitize=address -O1 demo.c -c -o main.sf.o
clang-sf -fsanitize=address -O1 sizes.c -c -o sizes.sf.o
clang-sf -fsanitize=address -O1 main.sf.o sizes.sf.o -o demo-sf

Try running it:

$ ./demo-sf 11
[SF] Starting
[SF], 1, 0x123, 0x456, 0, 0x789
r = 0

Here, the line [SF], 1, 0x123, 0x456, 0, 0x789 means that SpecFuzz detected that the instruction at address 0x123 tried to access an invalid address 0x456, and the speculation was triggered by a misprediction of a branch at the address 0x789.

Fuzz it

Build a fuzzing driver:

$ cd example
$ export HONGG_SRC=/honggfuzz/installation/directory/src/
$ make fuzz

Fuzzing:

$ honggfuzz --run_time 10 -Q -n 1 -f ./ -l fuzzing.log -- ./fuzz ___FILE___ 2>&1 | analyzer collect -r fuzzing.log -o results.json -b ./fuzz
$ cat results.json   # raw results of fuzzing
{
"errors": [],
"statistics": {
"coverage": [
  75.0,
  6
],
"branches": 6,
"faults": 1
},
"branches": {
"5443896": {
  "address": "0x531138",
  "faults": [
    "0x530a48"

Important: fuzz only on a single thread (-n 1). In the current implementation, the detected errors are reported into stderr and the analyzer cannot correctly separate results from different threads.

Process the results:

$ analyzer aggregate results.json -s $(llvm-7.0.1-config --bindir)/llvm-symbolizer -b ./fuzz -o aggregated.json

The final, aggregated results are in aggregated.json.

Development

Testing

Tests depend on bats (Install bats).

$ cd tests
$ ./run.sh

Cite us!

Paper:

@InProceedings{Oleksenko:2020,
  author={Oleksenko, Oleksii and Trach, Bohdan and Silberstein, Mark and Fetzer, Christof},
  title={{SpecFuzz: Bringing Spectre-type vulnerabilities to the surface}},
  booktitle={29th USENIX Security Symposium (USENIX Security)},
  year={2020}
}

Technical Report:

@Article{Oleksenko:2019,
  author={Oleksenko, Oleksii and Trach, Bohdan and Silberstein, Mark and Fetzer, Christof},
  title={{SpecFuzz: Bringing Spectre-type vulnerabilities to the surface}},
  journal = "",
  archivePrefix = "arXiv",
  eprint = {1905.10311},
  primaryClass = "",
  year = {2019},
}

OleksiiOleksenko / SpecFuzz

readme