Persistent fuzzing

Honggfuzz is capable of fuzzing APIs, that is, of testing each new input within the same process instead of spawning a fresh process per input. This greatly speeds up fuzzing of APIs.

Requirements

  • GNU/Linux or another POSIX interface (e.g. FreeBSD, Windows/Cygwin)

HowTo

One can prepare a binary in the two following ways:

ASAN-style

Two functions must be prepared: the per-input entry point `int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)`, which is called once for every input, and (optional) `int LLVMFuzzerInitialize(int *argc, char ***argv)`, which is called once before the first input.

Example (test.c):
```c
int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
    TestAPI(buf, len);
    return 0;
}
```

Compilation:
$ hfuzz_cc/hfuzz_clang test.c -o test

Execution:
$ honggfuzz -P -- ./test
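A complete ASAN-style harness, added here as an example (it is not honggfuzz's own code): the target `parse_records()` and its tag/length/payload record format are constructed for this illustration, and the `REPRO_MAIN` macro is this example's own convention for building a stand-alone reproducer without hfuzz_clang. The two entry points are the ones named above; the buffer handed to `LLVMFuzzerTestOneInput` is only valid for the duration of that call.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed target for this example (not a honggfuzz API): parse a
 * sequence of records laid out as
 *     [1 byte tag][1 byte len][len bytes payload]
 * Returns the number of records parsed, or -1 on malformed input. */
int parse_records(const uint8_t *buf, size_t size) {
    size_t off = 0;
    int count = 0;

    while (off < size) {
        if (size - off < 2) {
            return -1;                      /* truncated header */
        }
        uint8_t tag = buf[off];
        uint8_t len = buf[off + 1];
        off += 2;
        if (len > size - off) {
            return -1;                      /* payload would overrun buf */
        }
        if (tag == 0x01) {
            /* Tag 1 carries a NUL-terminated name. Without the check
             * below, a record with len >= 16 would write past `name`,
             * which is the kind of bug -fsanitize=address turns into a
             * crash that honggfuzz records. */
            char name[16];
            if (len >= sizeof(name)) {
                return -1;
            }
            memcpy(name, buf + off, len);
            name[len] = '\0';
        }
        off += len;
        count++;
    }
    return count;
}

/* Optional: honggfuzz calls this once, before the first input. */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
    (void)argc;
    (void)argv;
    return 0;
}

/* Called in-process for every input honggfuzz generates. Nothing may
 * keep a pointer into buf after this returns. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
    parse_records(buf, len);
    return 0;
}

#ifdef REPRO_MAIN
/* Stand-alone reproducer (this example's own convention), built with a
 * plain compiler:
 *     clang -fsanitize=address -DREPRO_MAIN harness.c -o repro
 *     ./repro crash.fuzz
 * It is left out of the hfuzz_clang build, where honggfuzz's runtime
 * supplies the main() that drives the persistent loop. */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror("fopen");
        return 2;
    }
    uint8_t *data = NULL;
    size_t n = 0, cap = 0;
    for (;;) {
        if (n == cap) {
            cap = cap ? cap * 2 : 4096;
            uint8_t *p = realloc(data, cap);
            if (p == NULL) {
                perror("realloc");
                free(data);
                fclose(f);
                return 2;
            }
            data = p;
        }
        size_t r = fread(data + n, 1, cap - n, f);
        if (r == 0) {
            break;
        }
        n += r;
    }
    fclose(f);
    int rc = LLVMFuzzerTestOneInput(data, n);
    free(data);
    return rc;
}
#endif
```

Build and run it the same way as test.c above, adding ASAN so out-of-bounds writes become crashes: `hfuzz_cc/hfuzz_clang -fsanitize=address harness.c -o harness`, then `honggfuzz -P -f corpus/ -- ./harness` (assuming a corpus/ directory of seed files). Any input honggfuzz saves can then be replayed against the `-DREPRO_MAIN` build to confirm the crash outside the fuzzer.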

HF_ITER style

A complete program needs to be prepared that uses the HF_ITER symbol, provided by honggfuzz's library linked in below, to obtain each new input.

Example (test.c):
```c
#include <inttypes.h>
#include <stddef.h>

/* Provided by honggfuzz's library (linked in at compile time): fills in
 * the next input and its length. */
extern void HF_ITER(uint8_t **buf, size_t *len);

/* The API under test; implemented elsewhere. */
void TestAPI(const uint8_t *buf, size_t len);

int main(void) {
    for (;;) {
        size_t len;
        uint8_t *buf;

        HF_ITER(&buf, &len);

        TestAPI(buf, len);
    }
}
```

Compilation:
$ hfuzz_cc/hfuzz_clang test.c -o test ~/honggfuzz/libfuzz/libfuzz.a

Execution:
$ honggfuzz -P -- ./test

Feedback-driven modes

Persistent fuzzing can be combined with feedback-driven fuzzing. To do so, compile the binary with compile-time instrumentation, or use hardware-based instrumentation (BTS, Intel PT). More can be found in the feedback-driven fuzzing document.

Example (compile-time)
$ honggfuzz -P -z -- ./test

Example (hardware-based)
$ honggfuzz -P --linux_perf_bts_edge -- ./test
$ honggfuzz -P --linux_perf_ipt_block -- ./test