Language Guides Overview
Welcome to the Mayhem Language Guides!
Need some examples of how to get started with security testing for your specific language? Check out the following guides on how to compile and test targets for specific programming language and analysis tool combinations.
C/C++
Often considered a "base" language whose influence is the foundation for many newer languages and lower-level programs, C is a cross-platform procedural programming language developed in the early 1970s, with C++ developed as an extension in the early 1980s to provide object-oriented programming paradigms. C++ has become a superset of the C language and any valid C program is also a valid C++ program.
C/C++ lets developers control how their programs manage memory, and is therefore a good candidate for Mayhem to look for memory safety issues such as memory leaks.
Mayhem can fuzz the following C/C++ targets:
- Base-Executable: Standalone C/C++ targets compiled without any instrumentation.
- AFL / AFL++: C/C++ targets compiled with AFL/AFL++ instrumentation.
- Honggfuzz: C/C++ targets compiled with Honggfuzz instrumentation.
- LibFuzzer: C/C++ targets compiled with libFuzzer instrumentation.
Go
Go, or Golang, is an open-source statically typed programming language that, like C/C++, is compiled to produce fast and efficient machine code binaries. Go is often known as the "C for the twenty-first century," offering similar characteristics such as dynamic memory allocation, concurrency, and performance nearly as fast as C, but with the simplicity and compactness of a more modern language like Python!
Mayhem can auto-detect native Golang targets and set an environment variable in the Mayhemfile that instructs Mayhem how to handle Golang exceptions.
Mayhem can fuzz the following Go targets:
- Base-Executable: Standalone Go targets compiled without any instrumentation.
- Go-Fuzz: Go targets compiled with Go-Fuzz instrumentation.
Rust
Rust is a high-performance, safe, general-purpose programming language inspired by C syntax and heavily influenced by the ML family of languages such as OCaml and Haskell. Rust provides a Rust Fuzz Book that is a nice resource for learning how to generate AFL and libFuzzer targets for Rust using cargo.
Mayhem can fuzz the following Rust targets:
- Base-Executable: Standalone Rust targets compiled without any instrumentation.
- AFL: Rust targets compiled with AFL instrumentation.
- Cargo-Fuzz: Rust targets compiled with cargo-fuzz instrumentation.
Java
Java is a general-purpose, class-based, object-oriented programming language designed to minimize implementation dependencies. In particular, application developers can "write once, run anywhere": compiled Java code can run on all platforms that support Java without the need for recompilation. As a result, Java has been a widely popular language since its release in 1996.
Mayhem can fuzz the following Java targets:
- Base-Executable: Standalone Java targets compiled without any instrumentation.
- LibFuzzer (Jazzer): Java targets with libFuzzer instrumentation using the Jazzer fuzzer engine, which is a coverage-guided Java fuzzer based on the libFuzzer engine.
Python
Python is an interpreted, object-oriented, high-level programming language with dynamic semantics. Its high-level built-in data structures, combined with dynamic typing and dynamic binding, make it attractive for Rapid Application Development, as well as for use as a scripting or glue language to connect existing components together. As a result, Python's easy-to-use syntax and increasing modularity have made it a widely popular language in recent years.
Mayhem can fuzz the following Python targets:
- LibFuzzer (Atheris): Python targets with libFuzzer instrumentation using the Atheris fuzzer engine, which is a coverage-guided Python fuzzer based on the libFuzzer engine.
Ada
Ada is a general-purpose, statically typed object-oriented programming language originally sponsored by the US Department of Defense in the 1970s as a way to standardize the more than 450 programming languages that were used at the time to implement different DoD projects. Specifically, Ada specializes as a high-level language for embedded systems, in which computer hardware contains software embedded within it. Ada has many of the same features as C or C++, but emphasizes strong type-safety checking through the use of its compiler to find errors early rather than during runtime.
Today, Ada is used not only to write programs for military hardware, but also for commercial projects like avionics and air-traffic control systems where reliability is of the utmost importance.
Mayhem can fuzz the following Ada targets:
- Base-Executable: Standalone Ada targets compiled without any instrumentation.