googleprojectzero/BrokenType googleprojectzero/BrokenType

  • Stars
    star
    430
  • Rank 101,083 (Top 2 %)
  • Language
    C++
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated about 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
googleprojectzero/BrokenType
github

googleprojectzero

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

TrueType and OpenType font fuzzing toolset

BrokenType

BrokenType is a set of tools designed to test the robustness and security of font rasterization software, especially codebases prone to memory corruption issues (written in C/C++ and similar languages). It consists of the following components:

The description and usage instructions of the utilities can be found in their corresponding READMEs.

The programs and scripts were successfully used in 2015-2019 to discover and report 20 vulnerabilities in the font rasterization code present in the Windows kernel (win32k.sys and atmfd.dll drivers), 19 security flaws in the user-mode Microsoft Uniscribe library, as well as 9 bugs in the FontSub.dll library and several issues in DirectWrite. The fuzzing efforts were discussed in the following Google Project Zero blog posts:

and the "Reverse engineering and exploiting font rasterizers" talk given in September 2015 at the 44CON conference in London. The two most notable issues found by the tool were CVE-2015-2426 and CVE-2015-2455 - an OTF bug collision with an exploit found in the Hacking Team leak, and a TTF bug collision with KeenTeam's exploit for pwn2own 2015.

Disclaimer

This is not an official Google product.

More Repositories

1

winafl

A fork of AFL for fuzzing Windows binaries
C
2,311
star
2

sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
C#
2,047
star
3

fuzzilli

A JavaScript Engine Fuzzer
Swift
1,859
star
4

weggli

weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.
Rust
1,857
star
5

domato

DOM fuzzer
Python
1,672
star
6

TinyInst

A lightweight dynamic instrumentation library
C++
1,158
star
7

Jackalope

Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android
C++
1,068
star
8

halfempty

A fast, parallel test case minimization tool.
C
941
star
9

0days-in-the-wild

Repository for information about 0-days exploited in-the-wild.
HTML
753
star
10

symboliclink-testing-tools

C++
747
star
11

p0tools

Project Zero Docs and Tools
C++
698
star
12

ktrw

An iOS kernel debugger based on a KTRR bypass for A11 iPhones; works with LLDB and IDA Pro.
C
660
star
13

functionsimsearch

Some C++ example code to demonstrate how to perform code similarity searches using SimHashing.
C++
559
star
14

iOS-messaging-tools

Python
368
star
15

SockFuzzer

C
367
star
16

SkCodecFuzzer

Fuzzing harness for testing proprietary image codecs supported by Skia on Android
C++
331
star
17

bochspwn

A Bochs-based instrumentation project designed to log kernel memory references, to identify "double fetches" and other OS vulnerabilities
C++
319
star
18

bochspwn-reloaded

A Bochs-based instrumentation performing kernel memory taint tracking to detect disclosure of uninitialized memory to ring 3
C++
284
star
19

Street-Party

Street Party is a suite of tools that allows the RTP streams of video conferencing implementations to be viewed and modified.
C++
242
star
20

DrSancov

DynamoRIO plugin to get ASAN and SanitizerCoverage compatible output for closed-source executables
C++
203
star
21

CompareCoverage

Clang instrumentation module for tracing variable and buffer comparisons in C/C++ and saving the coverage data to .sancov files
C++
200
star
22

Hyntrospect

PowerShell
179
star
23

reil

C++
59
star
24

.allstar

1
star
25

.github

1
star