
Target Support Matrix

Mayhem uses a next-generation mCode fuzzer that maximizes code coverage through intelligent fuzzing, producing unique test cases to catch defects within a binary executable (otherwise known as a Mayhem target).

Here we will detail the technical specifications for targets supported by Mayhem and the system requirements for using Mayhem.

Overview

Mayhem analysis supports the following:

  • Base-executable Linux Targets: Binary executables compiled without special compilation options or modifications (i.e. uninstrumented).
  • Instrumented Linux Targets: Binary executables compiled with instrumentation using fuzzers such as AFL, libFuzzer, or honggfuzz.
  • Triage & Diagnosis: The process of identifying defects in targets triggered by test cases input via fuzzing.

The Mayhem platform requires the following:

  • CLI: For x86_64 Linux and macOS users that want to interact with Mayhem.
  • API: An API server for users building new interactions and extensions with Mayhem.

Base-executable Linux Targets

Mayhem analyzes unmodified Linux binary targets (machine code) that are runnable within user-space and take inputs from a single file descriptor or TCP/UDP socket.

Base-executable Target Support

  • Architectures: x86_64, x86, ARM (ARMv4t through ARMv8), MIPS, PowerPC
  • Reads from: stdin, file, TCP, UDP, Unix domain sockets
  • Defects: Mayhem detects when a test case triggers a defect arising from:
      1. assert violations
      2. memory safety violations
      3. uncaught unix signals
    See the Triage & Diagnosis section for a list of CWE (Common Weakness Enumeration) defect types Mayhem finds.
  • Special Support: Mayhem auto-detects targets written in Golang and Rust to find unhandled panics.

Instrumented Linux Targets

Mayhem supports running existing fuzzing targets created with AFL/AFL++, honggfuzz, and libFuzzer. Languages supported by these fuzzers include clang-supported languages, Golang, and Rust.

Info

The minimum supported libFuzzer version required by Mayhem is LLVM 5.0.

Instrumented Target Support

  • Architectures: x86_64, x86

| Fuzzer | Base-executable | AFL/AFL++ | honggfuzz | libFuzzer |
| --- | --- | --- | --- | --- |
| dictionary | ✓ | ✓ | ✓ | ✓ |
| max_length | ✓ | ✓ | ✓ | ✓ |
| sanitizers | ✓ | ✓ | ✓ | ✓ |

Symbolic Execution

Mayhem performs state-of-the-art symbolic execution on x86 Linux targets that read from a file or STDIN.

Symbolic Execution Support

  • Architectures: x86_64, x86 (non-instrumented)

| Input source | Support |
| --- | --- |
| File | ✓ |
| STDIN | ✓ |
| Network (UDP/TCP/Unix) | |

Triage & Diagnosis

All test cases discovered by Mayhem go through a triaging phase.

Basic Triage

Basic Triage always runs on a target. It ensures reported defects are reproducible and attaches metadata such as a stack trace, disassembly, signal number and crash type to each defect. Mayhem is also able to recognize many common crash types and attach a CWE (Common Weakness Enumeration) number, if applicable.

CWEs detected by Basic Triage:


Advanced Triage

Advanced Triage, when enabled, runs additional analysis to find defects that do not raise a UNIX signal, such as memory leaks or using an uninitialized variable.

In order to support Advanced Triage, a target must be linked against glibc. Targets that link against other libc variants (or no libc at all) are not supported. In addition, Advanced Triage requires a target that has no instrumentation.

Advanced Triage Support

| Architectures | Support |
| --- | --- |
| x86_64, x86 | ✓ |
| ARM | |
| MIPS | |
| PowerPC | |
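
The requirements above (x86 or x86_64, linked against glibc, no instrumentation) can be checked before a run is submitted. The following pre-flight check is an added example, not part of Mayhem or its documentation; the marker strings and the `GLIBC_` byte scan are assumed heuristics, and `preflight` and `sample_elf` are hypothetical names.

```python
import struct

# ELF e_machine values (ELF specification) mapped to the architecture names on this page.
E_MACHINE = {3: "x86", 62: "x86_64", 40: "ARM", 8: "MIPS", 20: "PowerPC"}
X86 = {"x86", "x86_64"}
# Assumed marker symbols left in a binary by fuzzer instrumentation (heuristic, not exhaustive).
FUZZER_MARKERS = {
    "AFL": b"__afl_area_ptr",
    "libFuzzer": b"LLVMFuzzerTestOneInput",
    "sanitizer-coverage": b"__sanitizer_cov_trace",
}

def preflight(data: bytes) -> dict:
    """Classify an ELF image against the support tables (byte-scan heuristic)."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    arch = E_MACHINE.get(struct.unpack_from(endian + "H", data, 18)[0], "unknown")
    found = sorted(n for n, m in FUZZER_MARKERS.items() if m in data)
    glibc = b"GLIBC_" in data                    # glibc symbol-version tags
    return {
        "arch": arch,
        "base_executable": arch in E_MACHINE.values(),
        "instrumentation": found,
        # Advanced Triage: x86/x86_64 only, glibc-linked, no instrumentation.
        "advanced_triage": arch in X86 and glibc and not found,
    }

def sample_elf(machine: int, little: bool = True, extra: bytes = b"") -> bytes:
    """Constructed 20-byte ELF header prefix plus optional strings, for the demo."""
    ident = b"\x7fELF" + bytes([2, 1 if little else 2, 1]) + bytes(9)
    return ident + struct.pack(("<" if little else ">") + "HH", 2, machine) + extra

if __name__ == "__main__":
    for label, blob in [
        ("x86_64 glibc", sample_elf(62, extra=b"\0GLIBC_2.17\0")),
        ("x86_64 glibc + AFL", sample_elf(62, extra=b"\0GLIBC_2.17\0__afl_area_ptr\0")),
        ("MIPS big-endian glibc", sample_elf(8, little=False, extra=b"\0GLIBC_2.17\0")),
    ]:
        print(label, preflight(blob))
```

To check a real target, pass the file's bytes to `preflight`; stripped or statically linked binaries can defeat the byte scan, so confirm the result against the binary's dynamic section.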

CWEs detected by Advanced Triage (In addition to Basic Triage):


Important

Make sure the advanced_triage option for the Mayhemfile is set to true.

Sanitizers

Sanitizers (such as ASAN) can be added to a program at compile time. They add checks that allow Mayhem to detect many more kinds of defects, including defects that may not result in an immediate crash.

Mayhem works with targets compiled with the ASAN, UBSAN, LSAN, and MSAN sanitizer flags.

Note

MSAN sanitizer targets may allocate memory at ranges not permitted by our memory sandbox. If you are affected by such an issue and are unable to move the memory allocation, please reach out to support@forallsecure.com.

CWEs detected by Sanitizers (In addition to Basic Triage):

Full CWE Hierarchy

Info

The following hierarchical CWE list is classified accordingly:


UI

The Mayhem UI supports Chrome, Firefox, and Microsoft Edge browsers.

CLI

The mayhem CLI is the main tool for programmatically interacting with a Mayhem installation. Below is a list of all supported environments where the mayhem command can be run:

CLI Support Matrix

| Operating System | Architectures | System Requirements |
| --- | --- | --- |
| Linux | x86_64 | None (statically linked binary) |
| macOS (beta) | x86_64 | macOS >= 10.13 |

API

Mayhem releases are backwards compatible for API users of the same major release (e.g. Mayhem 1.x clients of the API should not break when used with a Mayhem 1.x server). The Mayhem API uses semantic versioning.

In the event of a new major release (e.g., Mayhem 2.x), we will advertise in advance any changes that may affect compatibility for API users.