Target Support Matrix

Mayhem combines multiple analysis techniques, including fuzz testing and symbolic execution to maximize code coverage when testing binary executables (Mayhem targets). Mayhem supports instrumented and un-instrumented targets across a variety of architectures, operating systems and languages.

Here we will detail the technical specifications for targets supported by Mayhem and the system requirements for using Mayhem.

Overview

Mayhem analysis supports the following:

• Base-executable Targets: Binary executables compiled without special compilation options or modifications (i.e. uninstrumented).
• Instrumented Targets: Binary executables compiled with instrumentation using fuzzers such as AFL, libFuzzer, or honggfuzz.
• Triage & Diagnosis: The process of identifying defects in targets triggered by test cases input via fuzzing.

Base-executable Windows Targets

Mayhem analyzes unmodified Linux or Windows binary targets (machine code) that are runnable within user-space and take inputs from a single file descriptor or TCP/UDP socket.

Base-executable Target Support
Architectures	x86_64, x86, ARM (ARMv4t through ARMv8), MIPS, PowerPC
Reads from	stdin, file, TCP, UDP, Unix domain sockets
Defects	Mayhem detects when a test case triggers a defect arising from: assert violations memory safety violations uncaught unix signals See the Triage & Diagnosis section for a list of CWE (Common Weakness Enumeration) defect types Mayhem finds.
Special Support	Mayhem auto-detects targets written in Golang and Rust to find unhandled panics.

Instrumented Targets

Mayhem supports existing instrumentation created with AFL/AFL++, honggfuzz, and libFuzzer. Mayhem supports Windows targets instrumented with libFuzzer as well. Languages supported by these fuzzers include clang-supported languages, Golang, and Rust.

Info

The minimum supported libFuzzer version required by Mayhem is LLVM 5.0.

Instrumented Target Support
Architectures	x86_64, x86
Fuzzer	Base-executable3	AFL/AFL++4	honggfuzz5	libFuzzer6
dictionary	✓	✓7	✓	✓
max_length	✓	✓	✓	✓
sanitizers	✓	✓	✓	✓

Triage & Diagnosis

All test cases discovered by Mayhem go through a triaging phase.

Basic Triage

Basic Triage always runs on a target. It ensures reported defects are reproducible and attaches metadata such as a stack trace, disassembly, signal number and crash type to each defect. Mayhem is also able to recognize many common crash types and attach a CWE (Common Weakness Enumeration) number, if applicable.

CWEs detected by Basic Triage:

• CWE-20: Improper Input Validation
• CWE-125: Out-of-bounds Read
• CWE-369: Divide By Zero
• CWE-476: NULL Pointer Dereference
• CWE-763: Release of Invalid Pointer or Reference
• CWE-787: Out-of-bounds Write
• CWE-913: Improper Control of Dynamically-Managed Code Resources

Advanced Triage

Advanced Triage, when enabled, runs additional analysis to find defects that do not raise a UNIX signal, such as memory leaks or using an uninitialized variable.

In order to support Advanced Triage, a target must be linked against glibc. Targets that link against other libc variants (or no libc at all) are not supported. In addition, Advanced Triage requires a target that has no instrumentation.

Advanced Triage Support
Architectures	Support
x86_64, x86	✓
ARM
MIPS
PowerPC

CWEs detected by Advanced Triage (In addition to Basic Triage):

• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-131: Incorrect Calculation of Buffer Size
• CWE-401: Failure to Release Memory Before Removing Last Reference ('Memory Leak')
• CWE-457: Use of Uninitialized Variable
• CWE-590: Free of Memory not on the Heap
• CWE-704: Incorrect Type Conversion or Cast

Important

Make sure the advanced_triage option for the Mayhemfile is set to true.

Sanitizers

Sanitizers (such as ASAN) can be added to a program at compile time. They add checks that allow Mayhem to detect many more kinds of defects including defects that may not result in an immediate crash.

Mayhem works with targets compiled with the ASAN, UBSAN, LSAN, and MSAN sanitizer flags.

Note

MSAN sanitizer targets may allocate memory at ranges not permitted by our memory sandbox. If you are affected by such an issue and are unable to move the memory allocation, please reach out to support@forallsecure.com.

CWEs detected by Sanitizers (In addition to Basic Triage):

• CWE-115: Misinterpretation of Input
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-121: Stack-based Buffer Overflow
• CWE-122: Heap-based Buffer Overflow
• CWE-129: Improper Validation of Array Index
• CWE-131: Incorrect Calculation of Buffer Size
• CWE-188: Reliance on Data/Memory Layout
• CWE-190: Integer Overflow or Wraparound
• CWE-197: Numeric Truncation Error
• CWE-233: Improper Handling of Parameters
• CWE-393: Return of Wrong Status Code
• CWE-400: Uncontrolled Resource Consumption
• CWE-415: Double Free
• CWE-416: Use After Free
• CWE-457: Use of Uninitialized Variable
• CWE-469: Use of Pointer Subtraction to Determine Size
• CWE-561: Dead Code
• CWE-562: Return of Stack Variable Address
• CWE-590: Free of Memory not on the Heap
• CWE-664: Improper Control of a Resource Through its Lifetime
• CWE-665: Improper Initialization
• CWE-680: Integer Overflow to Buffer Overflow
• CWE-690: Unchecked Return Value to NULL Pointer Dereference
• CWE-704: Incorrect Type Conversion or Cast
• CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
• CWE-786: Access of Memory Location Before Start of Buffer
• CWE-788: Access of Memory Location After End of Buffer
• CWE-789: Uncontrolled Memory Allocation

Full CWE Hierarchy

Info

The following hierarchical CWE list is classified accordingly:

• Basic Triage
• Advanced Triage
• Sanitizers

In addition, the following CWEs are detected by both Advanced Triage and Sanitizers:

• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-131: Incorrect Calculation of Buffer Size
• CWE-457: Use of Uninitialized Variable
• CWE-590: Free of Memory not on the Heap
• CWE-704: Incorrect Type Conversion or Cast

Full CWE Hierarchy

• CWE-1000: Research Concepts
  • CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities
    • CWE-188: Reliance on Data/Memory Layout
    • CWE-436: Interpretation Conflict
      • CWE-115: Misinterpretation of Input
  • CWE-664: Improper Control of a Resource Through its Lifetime
    • CWE-118: Incorrect Access of Indexable Resource ('Range Error')
      • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
        • CWE-125: Out-of-bounds Read
        • CWE-680: Integer Overflow to Buffer Overflow
        • CWE-786: Access of Memory Location Before Start of Buffer
        • CWE-787: Out-of-bounds Write
          • CWE-121: Stack-based Buffer Overflow
          • CWE-122: Heap-based Buffer Overflow
        • CWE-788: Access of Memory Location After End of Buffer
    • CWE-400: Uncontrolled Resource Consumption
    • CWE-404: Improper Resource Shutdown or Release
      • CWE-763: Release of Invalid Pointer or Reference
        • CWE-762: Mismatched Memory Management Routines
          • CWE-590: Free of Memory not on the Heap
      • CWE-772: Missing Release of Resource after Effective Lifetime
        • CWE-401: Failure to Release Memory Before Removing Last Reference ('Memory Leak')
    • CWE-665: Improper Initialization
      • CWE-908: Use of Uninitialized Resource
        • CWE-457: Use of Uninitialized Variable
    • CWE-704: Incorrect Type Conversion or Cast
      • CWE-681: Incorrect Conversion between Numeric Types
        • CWE-197: Numeric Truncation Error
    • CWE-913: Improper Control of Dynamically-Managed Code Resources
  • CWE-682: Incorrect Calculation
    • CWE-131: Incorrect Calculation of Buffer Size
    • CWE-190: Integer Overflow or Wraparound
    • CWE-369: Divide By Zero
    • CWE-469: Use of Pointer Subtraction to Determine Size
  • CWE-707: Improper neutralization
    • CWE-20: Improper Input Validation
      • CWE-1284: Improper Validation of Specified Quantity in Input
        • CWE-789: Uncontrolled Memory Allocation
      • CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input
        • CWE-115: Misinterpretation of Input
        • CWE-129: Improper Validation of Array Index
    • CWE-228: Improper Handling of Syntactically Invalid Structure
      • CWE-233: Improper Handling of Parameters
  • CWE-710: Improper Adherence to Coding Standards
    • CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
      • CWE-562: Return of Stack Variable Address
    • CWE-1164: Irrelevant Code
      • CWE-561: Dead Code
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
    • CWE-703: Improper Check or Handling of Exceptional Conditions
      • CWE-476: NULL Pointer Dereference
        • CWE-690: Unchecked Return Value to NULL Pointer Dereference

Web Console

The Mayhem Web Console supports Chrome, Firefox, and Microsoft Edge browsers.

CLI

The mayhem CLI is the main tool for programmatically interacting with a Mayhem installation. Below is a list of all supported environments where the mayhem command can be run:

CLI Support Matrix
Operating System	Architectures	System Requirements
Linux	x86_64	None (statically linked binary)
macOS	x86_64	macOS >= 10.13
Windows	x86_64	Windows 10+

API

Mayhem releases are backwards compatible for API users of the same major release (e.g. Mayhem 1.x clients of the API should not break when used with a Mayhem 1.x server). The Mayhem API uses semantic versioning.

In the event of a new major release (e.g., Mayhem 2.x), we will advertise in advance any changes that may affect compatibility for API users.