Skip to content

IOActive/XDiFF

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

What is XDiFF?

XDiFF is an Extended Differential Fuzzing Framework built for finding vulnerabilities in software. It collects as much data as possible from different executions an then tries to infer different potential vulnerabilities based on the different outputs obtained. The vulnerabilities can either be found in isolated pieces of software or by comparing:

  • Different inputs
  • Different versions
  • Different implementations
  • Different operating systems' implementations

The fuzzer uses Python and runs on multiple OSs (Linux, Windows, OS X, and Freebsd). Its main goal is to detect issues based on diffential fuzzing aided with the extended capabilities to increase coverage. Still, it will found common vulnerabilities based on hangs and crashes, allowing to attach a memory debugger to the fuzzing sessions.

Quick guide

Please follow the following steps:

  1. Install XDiFF
  2. Define the input
  3. Define the software
  4. Run the fuzzer
  5. Analyze the output
  6. ...
  7. Profit!

Disclaimer

The tool and the fuzzing process can be susceptible to code execution. Use it at your own risk always inside a VM.

Authors

  • Fernando Arnaboldi - Initial work
  • cclauss

For contributions, please propose a Changelog entry in the pull-request comments.

Acknowledgments

Thanks Lucas Apa, Tao Sauvage, Scott Headington, Carlos Hollman, Cesar Cerrudo, Federico Muttis, Topo for their feedback and Arlekin for the logo.

License

This project is licensed under the GNU general public license version 3.

Logo

XDiFF Logo