### Compile and Install Apache Source: https://github.com/google/honggfuzz/blob/master/examples/apache-httpd/README.md Execute the compilation and installation script for Apache. Ensure the script 'compile_and_install.asan.sh' is updated with correct versions and paths. ```shell ./compile_and_install.asan.sh ``` -------------------------------- ### Compile and Link Persistent File Example Source: https://github.com/google/honggfuzz/blob/master/examples/file/README.md Compile and link the persistent-file example using Honggfuzz's clang compiler. This step includes necessary include paths and links the static libmagic library. ```shell $ honggfuzz/hfuzz_cc/hfuzz-clang -I ./file-5.37/ honggfuzz/examples/file/persistent-file.c -o persistent-file ./file-5.37/src/.libs/libmagic.a -lz ``` -------------------------------- ### Install Dependencies on Linux Source: https://github.com/google/honggfuzz/blob/master/README.md Installs necessary development packages for Honggfuzz on Ubuntu/Debian systems. Ensure you have 'sudo' privileges. ```bash sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang ``` -------------------------------- ### Compiling and Installing ISC Bind Source: https://github.com/google/honggfuzz/blob/master/examples/bind/README.md Configure, compile, and install ISC Bind after editing the compile script. ```shell ./compile.sh make install ``` -------------------------------- ### Fuzz the Persistent File Example Source: https://github.com/google/honggfuzz/blob/master/examples/file/README.md Run Honggfuzz to fuzz the persistent-file executable. Provide input directories and the magic configuration file. ```shell $ honggfuzz/honggfuzz --input inputs/ -- ./persistent-file ./file-5.37/magic/magic.mgc ``` -------------------------------- ### Create initial input corpus Source: https://github.com/google/honggfuzz/blob/master/examples/terminal-emulators/README.md Create a directory and a sample input file to serve as the initial corpus for honggfuzz. This provides a starting point for the fuzzing process. ```bash $ mkdir IN $ echo A >IN/1 ``` -------------------------------- ### HF_ITER Style Fuzzing Example Source: https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md An example of preparing a complete program for HF_ITER style fuzzing. It uses the HF_ITER macro to fetch new inputs from Honggfuzz within an infinite loop. ```c #include extern HF_ITER(uint8_t** buf, size_t* len); int main(void) { for (;;) { size_t len; uint8_t *buf; HF_ITER(&buf, &len); ApiToBeFuzzed(buf, len); } } ``` -------------------------------- ### ASAN-style Fuzzing Example Source: https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md An example implementation of LLVMFuzzerTestOneInput for ASAN-style fuzzing. It calls a hypothetical TestAPI function with the provided buffer and length. ```c int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { TestAPI(buf, len); return 0; } ``` -------------------------------- ### Run Honggfuzz Basic Mode Source: https://github.com/google/honggfuzz/blob/master/README.md Starts a basic fuzzing session. Requires an input directory and the instrumented target binary. '__FILE__' is a placeholder for the input file. ```bash ./honggfuzz -i input_dir/ -- ./my_target ___FILE___ ``` -------------------------------- ### Start Honggfuzz in Socket-Client Mode Source: https://github.com/google/honggfuzz/blob/master/socketfuzzer/README.md Initiates Honggfuzz in socket-client mode, enabling communication with an external fuzzer. Ensure you are in the `~/honggfuzz/test` directory and have created the test directory. ```bash cd ~/honggfuzz mkdir test cd test ../honggfuzz --keep_output --debug --sanitizers --stdin_input --threads 1 --verbose --logfile log.txt --socket_fuzzer -- ../socketfuzzer/vulnserver_cov ``` -------------------------------- ### Typical honggfuzz output log Source: https://github.com/google/honggfuzz/blob/master/examples/terminal-emulators/README.md Example output from a honggfuzz fuzzing session, showing statistics like iterations, runtime, speed, crashes, and coverage. ```text ----------------------------[ honggfuzz v1.0alpha ]--------------------------- Iterations : 4,865,546 [4.87M] Phase : Dynamic Main (2/2) Run Time : 0 hrs 0 min 15 sec Input Dir : [865] 'IN/' Fuzzed Cmd : './xterm -e /home/jagger/src/honggfuzz/examples/terminal-em...' Threads : 4, CPUs: 8, CPU: 733% (91%/CPU) Speed : 320,951/sec (avg: 324,369) Crashes : 0 (unique: 0, blacklist: 0, verified: 0) Timeouts : 0 [10 sec.] Corpus Size : 265, max file size: 1,024 Coverage : bb: 850 cmp: 35,516 -----------------------------------[ LOGS ]----------------------------------- NEW, size:912 (i,b,sw,hw,cmp): 0/0/1/0/1, Tot:0/0/772/0/32216 NEW, size:940 (i,b,sw,hw,cmp): 0/0/1/0/32, Tot:0/0/773/0/32248 NEW, size:919 (i,b,sw,hw,cmp): 0/0/0/0/9, Tot:0/0/773/0/32257 NEW, size:1024 (i,b,sw,hw,cmp): 0/0/0/0/2, Tot:0/0/773/0/32259 NEW, size:1013 (i,b,sw,hw,cmp): 0/0/0/0/1, Tot:0/0/773/0/32260 ... ``` -------------------------------- ### Dictionary Syntax for Fuzzing Source: https://context7.com/google/honggfuzz/llms.txt Example dictionary file format for Honggfuzz, supporting keywords, header values, magic bytes, and numbers. This aids in generating more structured and valid inputs. ```text # my_dict.dict - Dictionary for HTTP fuzzing # Keywords "GET" "POST" "HTTP/1.1" "Content-Length:" "Content-Type:" # Header values "text/html" "application/json" # Magic bytes (hex format) "\x00\x00\x00\x01" "\xff\xd8\xff\xe0" # Numbers "0" "1" "-1" "4294967295" ``` -------------------------------- ### Use GCC Instead of Clang Source: https://context7.com/google/honggfuzz/llms.txt Uses the honggfuzz GCC wrapper for compilation with coverage instrumentation. Ensure GCC is installed and accessible. ```bash hfuzz_cc/hfuzz-gcc -o my_target my_target.c ``` -------------------------------- ### Honggfuzz Output File Naming Convention (POSIX Signal Interface) Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Example of a Honggfuzz output file name when using the POSIX signal interface. ```text SIGSEGV.22758.2010-07-01.17.24.41.tif ``` -------------------------------- ### Fuzz Apache HTTP/1 with honggfuzz Source: https://github.com/google/honggfuzz/blob/master/examples/apache-httpd/README.md Start fuzzing Apache for HTTP/1. This command uses a corpus directory, a wordlist, and specifies the foreground mode with a custom configuration file. ```shell honggfuzz/honggfuzz -i corpus_http1 -w ./httpd.wordlist -- ./apache2/bin/httpd -DFOREGROUND -f /home/$USER/fuzz/apache/apache2/conf/httpd.conf.h1 ``` -------------------------------- ### Run ASAN-style Fuzzing Source: https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md Command to start Honggfuzz with persistent mode enabled (-P) for the compiled fuzz target. ```shell $ honggfuzz -P -- ./test ``` -------------------------------- ### Launch honggfuzz for terminal emulator fuzzing Source: https://github.com/google/honggfuzz/blob/master/examples/terminal-emulators/README.md Start the honggfuzz process to fuzz the xterm terminal emulator. This command specifies the input directory, the `libclose.so` preload library, and the command to execute. ```bash $ /home/jagger/src/honggfuzz/honggfuzz -z -P -i IN/ -E LD_PRELOAD=/home/jagger/src/honggfuzz/examples/terminal-emulators/libclose.so -- xterm-327/xterm -e /home/jagger/src/honggfuzz/examples/terminal-emulators/terminal-test ``` -------------------------------- ### Honggfuzz Output File Naming Convention (Linux/NetBSD) Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Example of a Honggfuzz output file name generated on Linux or NetBSD systems, indicating crash details. ```text SIGSEGV.PC.4ba1ae.STACK.13599d485.CODE.1.ADDR.0x10.INSTR.mov____0x10(%rbx),%rax.fuzz ``` -------------------------------- ### Compile Fuzzing Target for libjpeg9 Source: https://github.com/google/honggfuzz/blob/master/examples/libjpeg/README.md Compile the persistent-jpeg.c example for libjpeg9, linking against the static libjpeg.a and enabling the address sanitizer. ```shell $ /hfuzz_cc/hfuzz-clang -I ./jpeg-9c/ /examples/libjpeg/persistent-jpeg.c -o persistent.jpeg9.address jpeg-9c/.libs/libjpeg.a -fsanitize=address ``` -------------------------------- ### Start Honggfuzz in Socket Fuzzer Mode Source: https://context7.com/google/honggfuzz/llms.txt Initiates Honggfuzz in socket fuzzer mode, ready to accept connections from an external fuzzer client. The target server is executed after the fuzzer. ```bash honggfuzz --socket_fuzzer --stdin_input --threads 1 \ -- ./target_server ``` -------------------------------- ### Compile Fuzzing Target for libjpeg-turbo Source: https://github.com/google/honggfuzz/blob/master/examples/libjpeg/README.md Compile the persistent-jpeg.c example for libjpeg-turbo, specifying include paths, linking against the static libjpeg.a, and enabling the address sanitizer. ```shell $ /hfuzz_cc/hfuzz-clang -I ./libjpeg-turbo-2.0.3/ -I ./libjpeg-turbo-2.0.3/out/ /examples/libjpeg/persistent-jpeg.c -o persistent.jpeg-turbo.address libjpeg-turbo-2.0.3/out/libjpeg.a -fsanitize=address ``` -------------------------------- ### Editing compile.sh Source: https://github.com/google/honggfuzz/blob/master/examples/bind/README.md Modify the compile.sh script to set the correct installation prefix for ISC Bind. ```shell vim compile.sh # [edit the --prefix] ``` -------------------------------- ### Dictionary Support Source: https://context7.com/google/honggfuzz/llms.txt Enhance fuzzing by providing dictionaries of tokens, keywords, or magic bytes to guide input generation. ```APIDOC ## Dictionary Support ### Using Dictionaries for Smarter Fuzzing Dictionaries help the fuzzer generate valid inputs by providing tokens, keywords, or magic bytes specific to the input format. Format follows libFuzzer dictionary syntax. ``` # my_dict.dict - Dictionary for HTTP fuzzing # Keywords "GET" "POST" "HTTP/1.1" "Content-Length:" "Content-Type:" # Header values "text/html" "application/json" # Magic bytes (hex format) "\x00\x00\x00\x01" "\xff\xd8\xff\xe0" # Numbers "0" "1" "-1" "4294967295" ``` Use dictionary in fuzzing: ```bash # Fuzz with dictionary honggfuzz -i corpus/ -w my_dict.dict -- ./http_parser ___FILE___ # Persistent mode with dictionary honggfuzz -P -w protocols.dict -i corpus/ -- ./protocol_fuzzer ``` ``` -------------------------------- ### Use Dictionary in Fuzzing Source: https://context7.com/google/honggfuzz/llms.txt Command-line options to enable dictionary usage during fuzzing. This helps guide the fuzzer towards valid inputs by providing predefined tokens. ```bash # Fuzz with dictionary honggfuzz -i corpus/ -w my_dict.dict -- ./http_parser ___FILE___ ``` ```bash # Persistent mode with dictionary honggfuzz -P -w protocols.dict -i corpus/ -- ./protocol_fuzzer ``` -------------------------------- ### Intel PT: Track Unique Code Blocks Source: https://context7.com/google/honggfuzz/llms.txt Tracks unique code blocks using Intel Processor Trace. Requires libipt to be installed. Works with uninstrumented binaries. ```bash honggfuzz --linux_perf_ipt_block -i corpus/ -- /usr/bin/target ___FILE___ ``` -------------------------------- ### Hardware-based Mechanisms Fuzzing (Linux Perf) Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Leverages various hardware-based mechanisms on Linux for guided fuzzing, such as BTS, IPT, instruction counting, and branch counting. Use flags like `--linux_perf_bts_edge`, `--linux_perf_ipt_block`, `--linux_perf_instr`, or `--linux_perf_branch`. ```shell honggfuzz -i input_dir --linux_perf_bts_edge -- /usr/bin/djpeg ___FILE___ ``` ```shell honggfuzz -i input_dir --linux_perf_ipt_block -- /usr/bin/djpeg ___FILE___ ``` ```shell honggfuzz -i input_dir --linux_perf_instr -- /usr/bin/djpeg ___FILE___ ``` ```shell honggfuzz -i input_dir --linux_perf_branch -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Build Honggfuzz for All Android CPUs Source: https://github.com/google/honggfuzz/blob/master/docs/Android.md Execute this command from the root directory to build Honggfuzz and its dependencies for all supported Android CPUs. Build output is located in the 'libs' directory. ```bash $ make android-all ``` -------------------------------- ### Run and Enable Sanitizer Integration Source: https://context7.com/google/honggfuzz/llms.txt Run fuzzing with specific sanitizer options or enable Honggfuzz's built-in sanitizer integration using the -S flag. ```bash # Run with sanitizer options ASAN_OPTIONS="abort_on_error=1:detect_leaks=0" \ honggfuzz -i corpus/ -- ./target_asan ___FILE___ ``` ```bash # Enable sanitizer integration in honggfuzz honggfuzz -S -i corpus/ -- ./target_asan ___FILE___ ``` -------------------------------- ### NetDriver Fuzzing Entry Point Source: https://context7.com/google/honggfuzz/llms.txt Defines the main entry point for NetDriver fuzzing, replacing the standard main() function. Initializes and runs the server, with NetDriver handling input. ```c #include #include // Use HFND_FUZZING_ENTRY_FUNCTION macro to define fuzzing entry HFND_FUZZING_ENTRY_FUNCTION(int argc, char **argv) { // This replaces main() for the server // Initialize and run server normally - netdriver handles input return server_main(argc, argv); } ``` -------------------------------- ### Copying Configuration Files Source: https://github.com/google/honggfuzz/blob/master/examples/bind/README.md Copy custom configuration files for named.conf and test.zone to the Bind distribution directory. ```shell cp honggfuzz/examples/bind/named.conf /bind/dist/etc/ cp honggfuzz/examples/bind/test.zone /bind/dist/etc/ ``` -------------------------------- ### Compile and Run LLVMFuzzerTestOneInput Source: https://context7.com/google/honggfuzz/llms.txt Commands to compile the fuzzer with honggfuzz instrumentation and run it in persistent mode. ```bash # Compile with honggfuzz instrumentation hfuzz_cc/hfuzz-clang -o my_fuzzer my_fuzzer.c target_lib.c # Run persistent fuzzing (auto-detected) honggfuzz -i corpus/ -- ./my_fuzzer ``` -------------------------------- ### Compile and Run with Netdriver Source: https://context7.com/google/honggfuzz/llms.txt Compile the server with netdriver support and run fuzzing. Netdriver can be auto-detected or explicitly enabled. ```bash hfuzz_cc/hfuzz-clang -o server_fuzzer server.c ``` ```bash honggfuzz -i corpus/ -- ./server_fuzzer ``` ```bash honggfuzz --netdriver -i corpus/ -- ./server_fuzzer ``` -------------------------------- ### Build Honggfuzz for a Specific Android CPU Source: https://github.com/google/honggfuzz/blob/master/docs/Android.md Use this command to build Honggfuzz for a specific Android CPU architecture. Replace '' with the desired ABI. Dependencies are built automatically. ```bash $ make android ANDROID_APP_ABI= ``` -------------------------------- ### Build Honggfuzz Source: https://github.com/google/honggfuzz/blob/master/README.md Compiles the Honggfuzz project using 'make'. Compiler wrappers will be generated in the 'hfuzz_cc/' directory. ```bash make # Compilation wrappers are created in hfuzz_cc/ ``` -------------------------------- ### Run Honggfuzz in Persistent Mode with Compile-Time Instrumentation Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Combine persistent mode with compile-time instrumentation for comprehensive fuzzing with performance benefits. ```bash honggfuzz -i input_dir -P -- /usr/bin/djpeg_persistent_mode ``` -------------------------------- ### Copy Custom Configuration Files Source: https://github.com/google/honggfuzz/blob/master/examples/apache-httpd/README.md Copy the custom HTTP/1 and HTTP/2 configuration files to the Apache distribution directory. Adjust the destination path as needed. ```shell cp httpd.conf.h1 httpd.conf.h2 /home/$USER/fuzz/apache/apache2/conf/ ``` -------------------------------- ### Run Honggfuzz to Maximize Unique Branches with Intel BTS Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Utilize Intel Branch Trace Store (BTS) to maximize the number of unique branches executed by the target binary. ```bash honggfuzz --linux_perf_bts_edge -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Interactive Socket Fuzzer Client Source: https://github.com/google/honggfuzz/blob/master/socketfuzzer/README.md Starts the socket fuzzer client in interactive mode, which connects to the Honggfuzz socket and sends messages to the target server. This script allows for manual interaction and testing of different message types. ```python python ./honggfuzz_socketclient.py interactive ``` -------------------------------- ### Fuzz x86_64 Binary with QEMU Instrumentation Source: https://context7.com/google/honggfuzz/llms.txt Fuzzes an uninstrumented x86_64 binary using QEMU-based dynamic instrumentation. Useful for closed-source targets. ```bash honggfuzz -i corpus/ -- \ /path/to/honggfuzz/qemu_mode/honggfuzz-qemu/x86_64-linux-user/qemu-x86_64 \ /usr/bin/closed_source_target ___FILE___ ``` -------------------------------- ### Configure and Compile libjpeg(-turbo) Source: https://github.com/google/honggfuzz/blob/master/examples/libjpeg/README.md Use this command to configure and compile libjpeg(-turbo) with honggfuzz's compiler and address sanitizer. ```shell CC=/hfuzz_cc/hfuzz-clang CXX=/hfuzz_cc/hfuzz-clang++ CFLAGS="-fsanitize=address" ./configure make -j$(nproc) ``` -------------------------------- ### Directory Structure of Build Output Source: https://github.com/google/honggfuzz/blob/master/docs/Android.md This command displays the directory structure of the build output for Honggfuzz on Android, showing compiled binaries and libraries for different architectures. ```bash $ tree libs/ ``` -------------------------------- ### Basic Fuzzing - File Input Mode Source: https://context7.com/google/honggfuzz/llms.txt Run honggfuzz against a target binary that accepts file input. The `___FILE___` placeholder is replaced with the path to the current test input. Use `-x` to disable instrumentation for uninstrumented binaries. ```APIDOC ## Basic Fuzzing - File Input Mode ### Description Run honggfuzz against a target binary that accepts file input. The `___FILE___` placeholder is replaced with the path to the current test input. Use `-x` to disable instrumentation for uninstrumented binaries. ### Method Command Line Execution ### Endpoint N/A ### Parameters #### Command Line Arguments - **-i [input_corpus]** (string) - Required - Path to the input corpus directory. - **-x** (flag) - Optional - Disable instrumentation for uninstrumented binaries. - **-t [timeout]** (integer) - Optional - Set timeout in seconds for each input. - **-n [threads]** (integer) - Optional - Set the number of fuzzing threads. - **--crashdir [directory]** (string) - Optional - Save crashes to a specific directory. - **[target_binary]** (string) - Required - The path to the target binary to fuzz. - **___FILE___** (placeholder) - Required - Placeholder for the input file path. - **-s** (flag) - Optional - Use stdin as input instead of a file. ### Request Example ```bash # Basic fuzzing with file input (no instrumentation) honggfuzz -i input_corpus/ -x -- /usr/bin/djpeg ___FILE___ # With compile-time instrumentation (default mode) honggfuzz -i input_corpus/ -- ./instrumented_target ___FILE___ # Fuzzing with stdin input instead of file honggfuzz -i input_corpus/ -s -- ./target_reads_stdin # Set timeout and thread count honggfuzz -i input_corpus/ -t 5 -n 8 -- ./my_target ___FILE___ # Save crashes to specific directory honggfuzz -i input_corpus/ --crashdir ./crashes/ -- ./my_target ___FILE___ ``` ### Response N/A (This command executes the fuzzer and reports findings). ``` -------------------------------- ### Basic Fuzzing with File Input Source: https://context7.com/google/honggfuzz/llms.txt Run honggfuzz against a target that accepts file input. The `___FILE___` placeholder is replaced with the input path. Use `-x` to disable instrumentation for uninstrumented binaries. ```bash # Basic fuzzing with file input (no instrumentation) honggfuzz -i input_corpus/ -x -- /usr/bin/djpeg ___FILE___ # With compile-time instrumentation (default mode) honggfuzz -i input_corpus/ -- ./instrumented_target ___FILE___ # Fuzzing with stdin input instead of file honggfuzz -i input_corpus/ -s -- ./target_reads_stdin # Set timeout and thread count honggfuzz -i input_corpus/ -t 5 -n 8 -- ./my_target ___FILE___ # Save crashes to specific directory honggfuzz -i input_corpus/ --crashdir ./crashes/ -- ./my_target ___FILE___ ``` -------------------------------- ### QEMU Mode with Specific Architecture Source: https://context7.com/google/honggfuzz/llms.txt Fuzzes an uninstrumented binary of a specific architecture (e.g., ARM) using QEMU-based dynamic instrumentation. Requires the appropriate QEMU binary. ```bash honggfuzz -i corpus/ -- \ /path/to/qemu_mode/honggfuzz-qemu/arm-linux-user/qemu-arm \ ./arm_binary ___FILE___ ``` -------------------------------- ### Combine Multiple Coverage Sources Source: https://context7.com/google/honggfuzz/llms.txt Combines Intel BTS edge coverage and instruction counting for comprehensive analysis. Works with uninstrumented binaries. ```bash honggfuzz --linux_perf_bts_edge --linux_perf_instr -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### Run Honggfuzz Source: https://github.com/google/honggfuzz/blob/master/examples/glibc/README.md Execute Honggfuzz with the compiled target program. Specify an input directory (-i IN/) and enable persistent mode (-P). ```shell ~/src/honggfuzz/honggfuzz -i IN/ -P -- ./resolver ``` -------------------------------- ### Run Honggfuzz to Maximize Branches with Linux Perf Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Leverage Linux performance counters to maximize the total number of branches taken by the target binary. ```bash honggfuzz --linux_perf_branch -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Run Fuzzing with libjpeg-turbo Target Source: https://github.com/google/honggfuzz/blob/master/examples/libjpeg/README.md Initiate honggfuzz with the libjpeg-turbo fuzzing target, providing an initial corpus and setting a resident set limit. ```shell $ honggfuzz -i initial_corpus --rlimit_rss 2048 -- ./persistent.jpeg-turbo.address ``` -------------------------------- ### Run Honggfuzz with Compile-Time Instrumentation Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Utilize this command to enable compile-time instrumentation for enhanced coverage analysis during fuzzing. ```bash honggfuzz -i input_dir -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Configure OpenSSL for honggfuzz Source: https://github.com/google/honggfuzz/blob/master/examples/openssl/README.md Configure the OpenSSL build with honggfuzz support. Options include enabling AddressSanitizer (asan), MemorySanitizer (msan), or UndefinedBehaviorSanitizer (ubsan). ```shell $ cd openssl-master $ /examples/openssl/compile_hfuzz_openssl_master.sh [enable-asan|enable-msan|enable-ubsan] ``` -------------------------------- ### Non-persistent Fuzzing with Input as File Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Use this command for non-persistent fuzzing when the input should be provided as a file. The `___FILE___` placeholder indicates where the input file will be placed. ```shell honggfuzz -i input_dir -x -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Enable Core Dumps Source: https://context7.com/google/honggfuzz/llms.txt Enables core dumps with a specified limit, useful for post-mortem crash analysis. The limit is in pages. ```bash honggfuzz --rlimit_core 100 -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### Clone OpenSSL Repository Source: https://github.com/google/honggfuzz/blob/master/examples/openssl/README.md Clone the OpenSSL repository to prepare for fuzzing. Ensure you use --depth=1 for a shallow clone. ```shell $ git clone --depth=1 https://github.com/openssl/openssl.git $ mv openssl openssl-master ``` -------------------------------- ### Run Honggfuzz to Maximize Unique Code Blocks with Intel PT Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Employ Intel Processor Trace (PT) to maximize the number of unique code blocks executed by the target binary. Requires libipt.so. ```bash honggfuzz --linux_perf_ipt_block -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Run Honggfuzz Persistent Mode Source: https://github.com/google/honggfuzz/blob/master/README.md Executes Honggfuzz in persistent mode for faster fuzzing by testing APIs directly in-process. Requires an input directory and the instrumented target binary. ```bash ./honggfuzz -P -i input_dir/ -- ./my_target ``` -------------------------------- ### LLVMFuzzerTestOneInput - Main Fuzzing Entry Point Source: https://context7.com/google/honggfuzz/llms.txt The primary API for persistent-mode fuzzing, compatible with libFuzzer. Implement this function to receive fuzzed input data, process it, and return 0 on success. The function is called repeatedly by the fuzzer with mutated inputs. ```APIDOC ## LLVMFuzzerTestOneInput - Main Fuzzing Entry Point ### Description The primary API for persistent-mode fuzzing follows the libFuzzer-compatible interface. Implement this function to receive fuzzed input data, process it through your target code, and return 0 on success. The function is called repeatedly by the fuzzer with mutated inputs. ### Method C Function Call ### Endpoint N/A (Internal API) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```c #include #include #include // Main fuzzing entry point - receives mutated data from honggfuzz int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { // Example: fuzzing a parser function if (len < 4) { return 0; // Input too small, skip } // Create null-terminated copy for string-based APIs char *input = malloc(len + 1); if (!input) return 0; memcpy(input, buf, len); input[len] = '\0'; // Call the target function under test parse_input(input, len); free(input); return 0; // Must return 0 } // Optional: Initialize fuzzer state once at startup int LLVMFuzzerInitialize(int *argc, char ***argv) { // Setup logging, load configs, initialize libraries init_target_library(); return 0; } ``` ### Response #### Success Response (0) Returns 0 on success. #### Response Example ``` 0 ``` ### Compilation and Execution ```bash # Compile with honggfuzz instrumentation hfuzz_cc/hfuzz-clang -o my_fuzzer my_fuzzer.c target_lib.c # Run persistent fuzzing (auto-detected) honggfuzz -i corpus/ -- ./my_fuzzer ``` ``` -------------------------------- ### Prepare glibc Wrappers Source: https://github.com/google/honggfuzz/blob/master/examples/glibc/README.md Compile glibc wrapper functions. Ensure you have gcc-6 or gcc-8 (for cmp instrumentation) and a modern glibc version (e.g., 2.26). ```shell gcc -c ~/src/honggfuzz/examples/glibc/wrappers.c -o /tmp/wrappers.o cd ~/src/glibc-2.26 mkdir build && cd build CC="gcc-8 -Wl,/tmp/wrappers.o" CFLAGS="-fsanitize-coverage=trace-pc,trace-cmp -O3 -fno-omit-frame-pointer -ggdb -Wno-error" ../configure --prefix=/usr --without-cvs --enable-add-ons=libidn --without-selinux --enable-stackguard-randomization --enable-obsolete-rpc --disable-sanity-checks make -j$(nproc) lib ``` -------------------------------- ### Advanced Configuration Source: https://context7.com/google/honggfuzz/llms.txt Configure resource limits and timeouts for fuzzing processes to manage resource consumption and ensure stability. ```APIDOC ## Advanced Configuration ### Resource Limits and Timeouts Control resource usage to prevent runaway processes and ensure consistent fuzzing behavior. ```bash # Set per-process timeout (seconds) honggfuzz -t 10 -i corpus/ -- ./slow_target ___FILE___ # Limit address space (MiB) honggfuzz --rlimit_as 2048 -i corpus/ -- ./memory_hungry ___FILE___ # Limit RSS memory (MiB) - also sets sanitizer soft_rss_limit_mb honggfuzz --rlimit_rss 512 -i corpus/ -- ./target ___FILE___ ``` ``` -------------------------------- ### QEMU-mode Fuzzing Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Utilizes QEMU for black-box instrumentation. This mode requires specifying the QEMU binary path. ```shell honggfuzz -i input_dir -- /qemu_mode/honggfuzz-qemu/x86_64-linux-user/qemu-x86_64 /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### NetDriver Optional: Provide Temporary Directory Path Source: https://context7.com/google/honggfuzz/llms.txt Optionally provides a path for a temporary directory to be used by the fuzzer or server. This function should populate the provided string buffer. ```c // Optional: Provide temporary directory path int HonggfuzzNetDriverTempdir(char *str, size_t size) { snprintf(str, size, "/tmp/my_fuzzer_temp"); return 0; } ``` -------------------------------- ### Compile libmagic with Honggfuzz Source: https://github.com/google/honggfuzz/blob/master/examples/file/README.md Compile the file/libmagic library using Honggfuzz's compiler. Ensure you are in the file-5.37 directory before running. ```shell $ cd file-5.37/ $ CC="honggfuzz/hfuzz_cc/hfuzz-clang" ./configure --enable-static --disable-shared $ make -j$(nproc) ``` -------------------------------- ### Persistent-mode Fuzzing with Combined Mechanisms Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Demonstrates using persistent-mode fuzzing with multiple hardware-based mechanisms combined, such as BTS and instruction counting. ```shell honggfuzz -i input_dir --linux_perf_bts_edge --linux_perf_instr -P -- jpeg_persistent_mode ``` -------------------------------- ### Run Fuzzing with libjpeg9 Target Source: https://github.com/google/honggfuzz/blob/master/examples/libjpeg/README.md Initiate honggfuzz with the libjpeg9 fuzzing target, providing an initial corpus and setting a resident set limit. ```shell $ honggfuzz -i initial_corpus --rlimit_rss 2048 -- ./persistent.jpeg9.address ``` -------------------------------- ### Combined Instrumentation Modes Source: https://context7.com/google/honggfuzz/llms.txt Combines Intel BTS edge coverage and instruction count with persistent mode. Requires a persistent target binary. ```bash honggfuzz --linux_perf_bts_edge --linux_perf_instr -P -- ./persistent_target ``` -------------------------------- ### Compile libclose.so and terminal-test Source: https://github.com/google/honggfuzz/blob/master/examples/terminal-emulators/README.md Compile the necessary helper binaries for fuzzing terminal emulators. `libclose.so` prevents honggfuzz file descriptors from being closed, and `terminal-test` interacts with the fuzzed emulator. ```bash $ cd /home/jagger/src/honggfuzz/examples/terminal-emulators/ $ make ../../hfuzz_cc/hfuzz-clang -std=c99 -o terminal-test terminal-test.c cc -std=c99 -shared -o libclose.so libclose.c ``` -------------------------------- ### Run honggfuzz for OpenSSL Source: https://github.com/google/honggfuzz/blob/master/examples/openssl/README.md Execute honggfuzz with a corpus directory and the compiled OpenSSL fuzzing binary. This command initiates the fuzzing process for different OpenSSL components. ```shell $ /honggfuzz --input corpus_server/ -- ./openssl-master.address.server ``` ```shell $ /honggfuzz --input corpus_client/ -- ./openssl-master.address.client ``` ```shell $ /honggfuzz --input corpus_x509/ -- ./openssl-master.address.x509 ``` ```shell $ /honggfuzz --input corpus_privkey/ -- ./openssl-master.address.privkey ``` -------------------------------- ### Configure Resource Limits Source: https://context7.com/google/honggfuzz/llms.txt Set resource limits for fuzzing processes, including per-process timeout, address space limit, and RSS memory limit. ```bash # Set per-process timeout (seconds) honggfuzz -t 10 -i corpus/ -- ./slow_target ___FILE___ ``` ```bash # Limit address space (MiB) honggfuzz --rlimit_as 2048 -i corpus/ -- ./memory_hungry ___FILE___ ``` ```bash # Limit RSS memory (MiB) - also sets sanitizer soft_rss_limit_mb honggfuzz --rlimit_rss 512 -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### Running honggfuzz on ISC Bind Source: https://github.com/google/honggfuzz/blob/master/examples/bind/README.md Initiate the fuzzing process for ISC Bind using honggfuzz with specified input corpus and configuration. ```shell /honggfuzz -i input_corpus -- ./dist/sbin/named -c /bind/dist/etc/named.conf -g ``` -------------------------------- ### Compile C Target with Instrumentation Source: https://github.com/google/honggfuzz/blob/master/README.md Uses the Honggfuzz clang wrapper to compile C code with necessary instrumentation for fuzzing. The output binary is named 'my_target'. ```bash ./hfuzz_cc/hfuzz-clang -o my_target my_target.c ``` -------------------------------- ### Compile with Address Sanitizer Source: https://context7.com/google/honggfuzz/llms.txt Compiles C code with both honggfuzz instrumentation and AddressSanitizer enabled. Requires HFUZZ_CC_ASAN=1 environment variable. ```bash HFUZZ_CC_ASAN=1 hfuzz_cc/hfuzz-clang -o my_target my_target.c ``` -------------------------------- ### Compile OpenSSL Source: https://github.com/google/honggfuzz/blob/master/examples/openssl/README.md Compile the configured OpenSSL project using make with parallel jobs enabled for faster compilation. ```shell $ make -j$(nproc) ``` -------------------------------- ### Combine Multiple Sanitizers Source: https://context7.com/google/honggfuzz/llms.txt Compiles C code with honggfuzz instrumentation and multiple sanitizers (AddressSanitizer and UndefinedBehaviorSanitizer) enabled. Requires corresponding environment variables. ```bash HFUZZ_CC_ASAN=1 HFUZZ_CC_UBSAN=1 hfuzz_cc/hfuzz-clang -o my_target my_target.c ``` -------------------------------- ### Autotools Project Compilation Source: https://context7.com/google/honggfuzz/llms.txt Configures and builds an autotools project using honggfuzz compiler wrappers for instrumentation. Sets CC and CXX environment variables. ```bash CC=/path/to/honggfuzz/hfuzz_cc/hfuzz-clang \ CXX=/path/to/honggfuzz/hfuzz_cc/hfuzz-clang++ \ ./configure --prefix=/opt/target make -j$(nproc) ``` -------------------------------- ### LLVMFuzzerTestOneInput - Main Fuzzing Entry Point Source: https://context7.com/google/honggfuzz/llms.txt Implement this function for persistent-mode fuzzing. It receives mutated data and should return 0 on success. Ensure proper memory management for any allocated buffers. ```c #include #include #include // Main fuzzing entry point - receives mutated data from honggfuzz int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { // Example: fuzzing a parser function if (len < 4) { return 0; // Input too small, skip } // Create null-terminated copy for string-based APIs char *input = malloc(len + 1); if (!input) return 0; memcpy(input, buf, len); input[len] = '\0'; // Call the target function under test parse_input(input, len); free(input); return 0; // Must return 0 } // Optional: Initialize fuzzer state once at startup int LLVMFuzzerInitialize(int *argc, char ***argv) { // Setup logging, load configs, initialize libraries init_target_library(); return 0; } ``` -------------------------------- ### Fuzz with Intel BTS edge counting Source: https://github.com/google/honggfuzz/blob/master/docs/FeedbackDrivenFuzzing.md Utilize Intel's Branch Trace Store (BTS) to count unique branch pairs (edges) for feedback-driven fuzzing on supported Intel CPUs. ```shell $ /honggfuzz --linux_perf_bts_edge -i input_corpus -- /usr/bin/xmllint -format ___FILE___ ``` -------------------------------- ### Fuzz Apache HTTP/2 with honggfuzz Source: https://github.com/google/honggfuzz/blob/master/examples/apache-httpd/README.md Initiate fuzzing for Apache with HTTP/2 support. This command is similar to HTTP/1 fuzzing but uses a different configuration file for HTTP/2. ```shell $honggfuzz/honggfuzz -i corpus_http2 -w ./httpd.wordlist -- ./apache2/bin/httpd -DFOREGROUND -f /home/$USER/fuzz/apache/apache2/conf/httpd.conf.h2 ``` -------------------------------- ### Compile and Run HF_ITER Source: https://context7.com/google/honggfuzz/llms.txt Commands to compile a target using HF_ITER with honggfuzz instrumentation and run it in persistent mode. ```bash # Compile with instrumentation hfuzz_cc/hfuzz-clang -o packet_fuzzer packet_fuzzer.c # Run with persistent mode flag honggfuzz -P -i corpus/ -- ./packet_fuzzer ``` -------------------------------- ### Prepare Fuzzing Binaries Source: https://github.com/google/honggfuzz/blob/master/examples/openssl/README.md Compile honggfuzz and libFuzzer binaries for OpenSSL fuzzing. Specify the OpenSSL directory and the desired sanitizer type (address, memory, or undefined). ```shell $ cd .. $ /examples/openssl/make.sh openssl-master address ``` -------------------------------- ### Run Honggfuzz to Maximize Instructions with Linux Perf Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md This command uses Linux performance counters to maximize the total number of instructions executed by the target binary. ```bash honggfuzz --linux_perf_instr -- /usr/bin/djpeg ___FILE___ ``` -------------------------------- ### Run Honggfuzz in Persistent Mode without Instrumentation Source: https://github.com/google/honggfuzz/blob/master/docs/USAGE.md Execute honggfuzz in persistent mode without any instrumentation, suitable for performance-critical fuzzing scenarios. ```bash honggfuzz -i input_dir -P -x -- /usr/bin/djpeg_persistent_mode ``` -------------------------------- ### Specify Workspace Directory Source: https://context7.com/google/honggfuzz/llms.txt Defines a specific directory to be used as the workspace for honggfuzz. This can help organize fuzzing outputs and states. ```bash honggfuzz -W ./workspace/ -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### Compile C Code with Instrumentation Source: https://context7.com/google/honggfuzz/llms.txt Compiles C code using the honggfuzz clang wrapper to automatically add coverage instrumentation and link the fuzzing runtime. ```bash hfuzz_cc/hfuzz-clang -o my_target my_target.c ``` -------------------------------- ### CMake Project Compilation Source: https://context7.com/google/honggfuzz/llms.txt Builds a CMake project using honggfuzz compiler wrappers for instrumentation. Sets CC and CXX environment variables and uses a separate build directory. ```bash mkdir build && cd build CC=/path/to/honggfuzz/hfuzz_cc/hfuzz-clang \ CXX=/path/to/honggfuzz/hfuzz_cc/hfuzz-clang++ \ cmake -DCMAKE_BUILD_TYPE=Release .. make -j$(nproc) ``` -------------------------------- ### Enable Linux Namespace Isolation Source: https://context7.com/google/honggfuzz/llms.txt Command-line options to enable various Linux namespace isolations for Honggfuzz. Multiple namespace types can be combined. ```bash # Network namespace isolation honggfuzz --linux_ns_net -i corpus/ -- ./network_target ___FILE___ ``` ```bash # PID namespace isolation honggfuzz --linux_ns_pid -i corpus/ -- ./target ___FILE___ ``` ```bash # IPC namespace isolation honggfuzz --linux_ns_ipc -i corpus/ -- ./target ___FILE___ ``` ```bash # Combined isolation honggfuzz --linux_ns_net --linux_ns_pid --linux_ns_ipc \ -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### CMake Project Compilation with Sanitizers Source: https://context7.com/google/honggfuzz/llms.txt Builds a CMake project with honggfuzz instrumentation and AddressSanitizer enabled. Sets CC, CXX, and HFUZZ_CC_ASAN environment variables. ```bash CC=/path/to/honggfuzz/hfuzz_cc/hfuzz-clang \ HFUZZ_CC_ASAN=1 \ ./configure && make ``` -------------------------------- ### Compile with Memory Sanitizer Source: https://context7.com/google/honggfuzz/llms.txt Compiles C code with both honggfuzz instrumentation and MemorySanitizer enabled. Requires HFUZZ_CC_MSAN=1 environment variable. ```bash HFUZZ_CC_MSAN=1 hfuzz_cc/hfuzz-clang -o my_target my_target.c ``` -------------------------------- ### Compile C++ Target with Instrumentation Source: https://github.com/google/honggfuzz/blob/master/README.md Uses the Honggfuzz clang++ wrapper to compile C++ code with necessary instrumentation for fuzzing. The output binary is named 'my_target'. ```bash ./hfuzz_cc/hfuzz-clang++ -o my_target my_target.cpp ``` -------------------------------- ### Automated Test Script Execution Source: https://github.com/google/honggfuzz/blob/master/socketfuzzer/README.md Runs an automated test suite using `unittest.sh` to verify the functionality of the Honggfuzz socket client and the `vulnserver_cov`. This script performs a series of tests, including sending various messages and checking for expected responses and crash notifications. ```bash ./unittest.sh ``` -------------------------------- ### Exit Immediately on First Crash Source: https://context7.com/google/honggfuzz/llms.txt Configures honggfuzz to terminate immediately upon discovering the first crash. This is useful for quickly identifying a single vulnerability without further fuzzing. ```bash honggfuzz --exit_upon_crash -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### ASAN-style LLVMFuzzerTestOneInput Signature Source: https://github.com/google/honggfuzz/blob/master/docs/PersistentFuzzing.md Defines the signature for the ASAN-style fuzzing entry point. This function is called by Honggfuzz for each test case. ```c int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) ``` -------------------------------- ### Compile Target Code with Honggfuzz Source: https://github.com/google/honggfuzz/blob/master/examples/glibc/README.md Compile your target C/C++ program using Honggfuzz's compiler wrapper (hfuzz-gcc). This command links necessary Honggfuzz libraries and glibc components statically. ```shell ~/src/honggfuzz/hfuzz-cc/hfuzz-gcc -Wl,-z,muldefs -nodefaultlibs -I ~/src/honggfuzz/ ~/src/honggfuzz/examples/glibc/resolver.c -o resolver -L ~/src/glibc-2.26/build -L ~/src/glibc-2.26/build/nptl -L ~/src/glibc-2.26/rt -L ~/src/glibc-2.26/build/resolv ~/src/honggfuzz/libhfuzz/libhfuzz.a -lc -static -lgcc -lpthread -lgcc_eh -lc ``` -------------------------------- ### Persistent Mode with Intel Processor Trace Source: https://context7.com/google/honggfuzz/llms.txt Enables persistent mode fuzzing with Intel Processor Trace for block coverage. Requires a persistent target binary. ```bash honggfuzz -P --linux_perf_ipt_block -i corpus/ -- ./persistent_target ``` -------------------------------- ### Sanitizer Integration Source: https://context7.com/google/honggfuzz/llms.txt Integrate AddressSanitizer, MemorySanitizer, and UndefinedBehaviorSanitizer to detect runtime errors during fuzzing. ```APIDOC ## Sanitizer Integration ### Using Address/Memory/UB Sanitizers Sanitizers detect memory errors, undefined behavior, and other bugs at runtime. Enable via environment variables when compiling. ```bash # Compile with AddressSanitizer (heap/stack buffer overflows, use-after-free) HFUZZ_CC_ASAN=1 hfuzz_cc/hfuzz-clang -o target_asan target.c # Compile with MemorySanitizer (uninitialized memory reads) HFUZZ_CC_MSAN=1 hfuzz_cc/hfuzz-clang -o target_msan target.c # Compile with UndefinedBehaviorSanitizer HFUZZ_CC_UBSAN=1 hfuzz_cc/hfuzz-clang -o target_ubsan target.c # Run with sanitizer options ASAN_OPTIONS="abort_on_error=1:detect_leaks=0" \ honggfuzz -i corpus/ -- ./target_asan ___FILE___ # Enable sanitizer integration in honggfuzz honggfuzz -S -i corpus/ -- ./target_asan ___FILE___ ``` ``` -------------------------------- ### Fuzz with Intel PT block counting Source: https://github.com/google/honggfuzz/blob/master/docs/FeedbackDrivenFuzzing.md Employ Intel's Processor Trace (PT) subsystem for faster, though potentially less precise, unique branch point counting. ```shell $ /honggfuzz --linux_perf_ipt_block -i input_corpus -- /usr/bin/xmllint -format ___FILE___ ``` -------------------------------- ### Instrument xterm with ASAN enabled Source: https://github.com/google/honggfuzz/blob/master/examples/terminal-emulators/README.md Compile xterm with both honggfuzz instrumentation and AddressSanitizer (ASAN) enabled. This provides enhanced memory error detection during fuzzing. ```bash $ cd xterm-327 $ HFUZZ_CC_ASAN=1 CC=/home/jagger/src/honggfuzz/hfuzz_cc/hfuzz-clang CXX=$CC ./configure ... ... $ HFUZZ_CC_ASAN=1 CC=/home/jagger/src/honggfuzz/hfuzz_cc/hfuzz-clang CXX=$CC make -j4 ``` -------------------------------- ### Compile C++ Code with Instrumentation Source: https://context7.com/google/honggfuzz/llms.txt Compiles C++ code using the honggfuzz clang++ wrapper to automatically add coverage instrumentation and link the fuzzing runtime. ```bash hfuzz_cc/hfuzz-clang++ -o my_target my_target.cpp ``` -------------------------------- ### Linux Namespace API for Isolated Fuzzing Source: https://context7.com/google/honggfuzz/llms.txt C functions for entering Linux namespaces (network, PID, IPC) and configuring interfaces/mounts within them. These are typically called automatically by Honggfuzz. ```c #include #include // Enter network namespace for isolated networking bool linuxEnterNs(uintptr_t cloneFlags) { // Called automatically by honggfuzz with appropriate flags // cloneFlags: CLONE_NEWNET, CLONE_NEWPID, CLONE_NEWIPC, etc. return true; } // Bring up loopback interface in network namespace bool linuxIfaceUp(const char *ifacename) { // Typically called with "lo" for loopback return configure_interface(ifacename); } // Mount tmpfs for temporary files bool linuxMountTmpfs(const char *dst, const char *opts) { // Mount point and options (e.g., "size=64M") return mount_tmpfs(dst, opts); } ``` -------------------------------- ### Compile vulnserver_cov with hfuzz-gcc Source: https://github.com/google/honggfuzz/blob/master/socketfuzzer/README.md Compile the test server `vulnserver_cov` using the `hfuzz-gcc` compiler. This is a prerequisite for running the socket client tests. ```bash ~/honggfuzz/hfuzz_cc/hfuzz-gcc vulnserver_cov.c -O0 -o vulnserver_cov ``` -------------------------------- ### Compile with Sanitizers Source: https://context7.com/google/honggfuzz/llms.txt Compile target code with AddressSanitizer (ASan), MemorySanitizer (MSan), or UndefinedBehaviorSanitizer (UBSan) using environment variables with hfuzz-clang. ```bash # Compile with AddressSanitizer (heap/stack buffer overflows, use-after-free) HFUZZ_CC_ASAN=1 hfuzz_cc/hfuzz-clang -o target_asan target.c ``` ```bash # Compile with MemorySanitizer (uninitialized memory reads) HFUZZ_CC_MSAN=1 hfuzz_cc/hfuzz-clang -o target_msan target.c ``` ```bash # Compile with UndefinedBehaviorSanitizer HFUZZ_CC_UBSAN=1 hfuzz_cc/hfuzz-clang -o target_ubsan target.c ``` -------------------------------- ### Set Maximum Input File Size Source: https://context7.com/google/honggfuzz/llms.txt Specifies the maximum size of input files that honggfuzz will process, in bytes. This helps prevent excessive memory consumption with large inputs. ```bash honggfuzz -F 1048576 -i corpus/ -- ./target ___FILE___ ``` -------------------------------- ### Intel BTS: Track Unique Edge Coverage Source: https://context7.com/google/honggfuzz/llms.txt Tracks unique edge coverage (branch pairs) using Intel Branch Trace Store. Works with uninstrumented binaries. ```bash honggfuzz --linux_perf_bts_edge -i corpus/ -- /usr/bin/target ___FILE___ ```