source: zzuf/trunk/doc/zzuf.1.in @ 4264

Last change on this file since 4264 was 4264, checked in by sam, 4 years ago

Rename -t/--max-time to -U/--max-usertime, and add -t/--max-time to
roughly mean "maximum zzuf run time". Fixes bug #45.

File size: 18.6 KB
Line 
1.TH zzuf 1 "2010-01-06" "zzuf @PACKAGE_VERSION@"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-AcdimnqSvx\fR]
6[\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR]
7[\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
8[\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-j\fR \fIjobs\fR]
9[\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-t\fR \fIseconds\fR]
10[\fB\-T\fR \fIseconds\fR] [\fB\-U\fR \fIseconds\fR] [\fB\-M\fR \fImebibytes\fR]
11[\fB\-b\fR \fIranges\fR] [\fB\-p\fR \fIports\fR] [\fB\-P\fR \fIprotect\fR]
12[\fB\-R\fR \fIrefuse\fR] [\fB\-l\fR \fIlist\fR] [\fB\-I\fR \fIinclude\fR]
13[\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fIARGS\fR]...]
14.br
15\fBzzuf \-h\fR | \fB\-\-help\fR
16.br
17\fBzzuf \-V\fR | \fB\-\-version\fR
18.SH DESCRIPTION
19.PP
20\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
21file and network operations and changing random bits in the program's input.
22\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
23.SH USAGE
24.PP
25\fBzzuf\fR will run an application specified on its command line, one or
26several times, with optional arguments, and will report the application's
27relevant behaviour on the standard error channel, eg:
28.PP
29\fB    zzuf cat /dev/zero\fR
30.PP
31Flags found after the application name are considered arguments for the
32application, not for \fBzzuf\fR. For instance, \fB\-v\fR below is an
33argument for \fBcat\fR:
34.PP
35\fB    zzuf \-B 1000 cat \-v /dev/zero\fR
36.PP
37When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
38if the \fBcat\fR utility had been called:
39.PP
40\fB    zzuf < /dev/zero\fR
41.SH OPTIONS
42.TP
43\fB\-A\fR, \fB\-\-autoinc\fR
44Increment random seed each time a new file is opened. This is only required
45if one instance of the application is expected to open the same file several
46times and you want to test a different seed each time.
47.TP
48\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
49Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
50
51Range values start at zero and are inclusive. Use dashes between range values
52and commas between ranges. If the right-hand part of a range is ommited, it
53means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
54all bytes after offset 31, use \(oq\fB\-b0,3\-5,31\-\fR\(cq.
55
56This option is useful to preserve file headers or corrupt only a specific
57portion of a file.
58.TP
59\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
60Automatically stop after \fIn\fR bytes have been output.
61
62This either terminates child processes that output more than \fIn\fR bytes
63on the standard output and standard error channels, or stop reading from
64standard input if no program is being fuzzed.
65
66This is useful to detect infinite loops. See also the \fB\-U\fR and \fB\-T\fR
67flags.
68.TP
69\fB\-c\fR, \fB\-\-cmdline\fR
70Only fuzz files whose name is specified in the target application's command
71line. This is mostly a shortcut to avoid specifying twice the argument:
72
73\fB    zzuf \-c cat file.txt\fR
74
75has the same effect as
76
77\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
78
79See the \fB\-I\fR flag for more information on restricting fuzzing to
80specific files.
81.TP
82\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
83Stop forking when at least \fIn\fR children have crashed. The default value
84is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A value
85of 0 tells \fBzzuf\fR to never stop.
86
87Note that \fBzzuf\fR will not kill any remaining children once \fIn\fR is
88reached. To ensure that processes do not last forever, see the \fB\-U\fR
89flag.
90
91A process is considered to have crashed if any signal (such as, but not limited
92to, \fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
93also include processes that exit with a non-zero status.
94
95This option is only relevant if the \fB\-s\fR flag is used with a range
96argument. See also the \fB\-t\fR flag.
97.TP
98\fB\-d\fR, \fB\-\-debug\fR
99Activate the display of debug messages. Can be specified multiple times for
100increased verbosity.
101.TP
102\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
103Do not launch more than one process every \fIdelay\fR seconds. This option
104should be used together with \fB\-j\fR to avoid fork bombs.
105.TP
106\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
107Do not fuzz files whose name matches the \fIregex\fR regular expression. This
108option supersedes anything that is specified by the \fB\-I\fR flag. Use this
109for instance if you are unsure of what files your application is going to read
110and do not want it to fuzz files in the \fB/etc\fR directory.
111
112Multiple \fB\-E\fR flags can be specified, in which case files matching any one
113of the regular expressions will be ignored.
114.TP
115\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
116Select how the input is fuzzed. Valid values for \fImode\fR are:
117.RS
118.TP
119\fBxor\fR
120randomly set and unset bits
121.TP
122\fBset\fR
123only set bits
124.TP
125\fBunset\fR
126only unset bits
127.RE
128.IP
129The default value for \fImode\fR is \fBxor\fR.
130.TP
131\fB\-j\fR, \fB\-\-jobs\fR=\fIjobs\fR
132Specify the number of simultaneous children that can be run. By default,
133\fBzzuf\fR only launches one process at a time.
134
135This option is only relevant if the \fB\-s\fR flag is used with a range
136argument. See also the \fB\-D\fR flag.
137.TP
138\fB\-i\fR, \fB\-\-stdin\fR
139Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
140.TP
141\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
142Only fuzz files whose name matches the \fIregex\fR regular expression. Use
143this for instance if your application reads configuration files at startup
144and you only want specific files to be fuzzed.
145
146Multiple \fB\-I\fR flags can be specified, in which case files matching any one
147of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
148.TP
149\fB\-l\fR, \fB\-\-list\fR=\fIlist\fR
150Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor
151will really be fuzzed only if N is in \fIlist\fR.
152
153Values start at 1 and ranges are inclusive. Use dashes between values and
154commas between ranges. If the right-hand part of a range is ommited, it means
155all subsequent file descriptors. For instance, to restrict fuzzing to the
156first opened descriptor and all descriptors starting from the 10th, use
157\(oq\fB\-l1,10\-\fR\(cq.
158
159Note that this option only affects file descriptors that would otherwise be
160fuzzed. Even if 10 write-only descriptors are opened at the beginning of the
161program, only the next descriptor with a read flag will be the first one
162considered by the \fB\-l\fR flag.
163.TP
164\fB\-m\fR, \fB\-\-md5\fR
165Instead of displaying the program's \fIstandard output\fR, just print its MD5
166digest to \fBzzuf\fR's standard output. The standard error channel is left
167untouched.
168.TP
169\fB\-M\fR, \fB\-\-max\-memory\fR=\fImebibytes\fR
170Specify the maximum amount of memory, in mebibytes (1 MiB = 1,048,576 bytes),
171that children are allowed to allocate. This is useful to detect infinite loops
172that eat up a lot of memory.
173
174The value should be set reasonably high so as not to interfer with normal
175program operation. By default, it is set to 1024 MiB in order to avoid
176accidental excessive swapping. To disable the limitation, set the maximum
177memory usage to -1 instead.
178
179\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
180relies on the operating system's ability to enforce such limitations.
181.TP
182\fB\-n\fR, \fB\-\-network\fR
183Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
184
185Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol
186families are not yet supported.
187.TP
188\fB\-p\fR, \fB\-\-ports\fR=\fIranges\fR
189Only fuzz network ports that are in \fIranges\fR. By default \fBzzuf\fR
190fuzzes all ports. The port considered is the listening port if the socket
191is listening and the destination port if the socket is connecting, because
192most of the time the source port cannot be predicted.
193
194Range values start at zero and are inclusive. Use dashes between range values
195and commas between ranges. If the right-hand part of a range is ommited, it
196means end of file. For instance, to restrict fuzzing to the HTTP and HTTPS
197ports and to all unprivileged ports, use \(oq\fB\-p80,443,1024\-\fR\(cq.
198
199This option requires network fuzzing to be activated using \fB\-n\fR.
200.TP
201\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
202Protect a list of characters so that if they appear in input data that would
203normally be fuzzed, they are left unmodified instead.
204
205Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
206The sequences interpreted by \fBzzuf\fR are:
207.RS
208.TP
209\fB\\n\fR
210new line
211.TP
212\fB\\r\fR
213return
214.TP
215\fB\\t\fR
216tabulation
217.TP
218\fB\\\fR\fINNN\fR
219the byte whose octal value is \fINNN\fR
220.TP
221\fB\\x\fR\fINN\fR
222the byte whose hexadecimal value is \fINN\fR
223.TP
224\fB\\\\\fR
225backslash (\(oq\\\(cq)
226.RE
227.IP
228You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
229bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
230
231The statistical outcome of this option should not be overlooked: if characters
232are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
233on the data being fuzzed. For instance, asking to fuzz 1% of input bits
234(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
235result in an actual average fuzzing ratio of 0.9% with truly random data,
2360.3% with random ASCII data and 0.2% with standard English text.
237
238See also the \fB\-R\fR flag.
239.TP
240\fB\-q\fR, \fB\-\-quiet\fR
241Hide the output of the fuzzed application. This is useful if the application
242is very verbose but only its exit code or signaled status is really useful to
243you.
244.TP
245\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
246.PD 0
247.TP
248\fB\-r\fR, \fB\-\-ratio\fR=\fImin:max\fR
249.PD
250Specify the proportion of bits that will be randomly fuzzed. A value of 0
251will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
252bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
253the input files undiscernible from random data. The default fuzzing ratio
254is 0.004 (fuzz 0.4% of the files' bits).
255
256A range can also be specified. When doing so, \fBzzuf\fR will pick ratio
257values from the interval. The choice is deterministic and only depends on
258the interval bounds and the current seed.
259.TP
260\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
261Refuse a list of characters by not fuzzing bytes that would otherwise be
262changed to a character that is in \fIlist\fR. This does not prevent characters
263from appearing in the output if the original byte was already in \fIlist\fR.
264
265See the \fB\-P\fR option for a description of \fIlist\fR.
266.TP
267\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
268.PD 0
269.TP
270\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
271.PD
272Specify the random seed to use for fuzzing, or a range of random seeds.
273Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
274the same way, even with a different target application. The purpose of this is
275to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
276causes the target application to crash.
277
278If a range is specified, \fBzzuf\fR will run the application several times,
279each time with a different seed, and report the behaviour of each run. If the
280\(oq:\(cq character is used but the second part of the range is omitted,
281\fBzzuf\fR will increment the seed value indefinitely.
282.TP
283\fB\-S\fR, \fB\-\-signal\fR
284Prevent children from installing signal handlers for signals that usually
285cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
286\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
287platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
288\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
289simply crash. If you do not want core dumps, you should set appropriate limits
290with the \fBlimit coredumpsize\fR command. See your shell's documentation on
291how to set such limits.
292.TP
293\fB\-t\fR, \fB\-\-max\-time\fR=\fIn\fR
294Stop forking after \fIn\fR seconds. By default, \fBzzuf\fR runs until the
295end of the seed range is reached.
296
297Note that \fBzzuf\fR will not kill any remaining children once \fIn\fR is
298reached. To ensure that processes do not last forever, see the \fB\-U\fR
299flag.
300
301This option is only relevant if the \fB\-s\fR flag is used with a range
302argument. See also the \fB\-C\fR flag.
303.TP
304\fB\-T\fR, \fB\-\-max\-cputime\fR=\fIn\fR
305Automatically terminate child processes that use more than \fIn\fR seconds
306of CPU time.
307
308\fBzzuf\fR uses the \fBsetrlimit\fR() call to set CPU usage limitations and
309relies on the operating system's ability to enforce such limitations. If the
310system sends \fBSIGXCPU\fR signals and the application catches that signal,
311it will receive a \fBSIGKILL\fR signal after 5 seconds.
312
313This is more accurate than \fB\-U\fR because the behaviour should be
314independent from the system load, but it does not detect processes stuck into
315infinite \fBselect\fR() calls because they use very little CPU time. See also
316the \fB\-B\fR and \fB\-U\fR flags.
317.TP
318\fB\-U\fR, \fB\-\-max\-usertime\fR=\fIn\fR
319Automatically terminate child processes that run for more than \fIn\fR
320seconds. This is useful to detect infinite loops or processes stuck in other
321situations. See also the \fB\-B\fR and \fB\-T\fR flags.
322.TP
323\fB\-v\fR, \fB\-\-verbose\fR
324Print information during the run, such as the current seed, what processes
325get run, their exit status, etc.
326.TP
327\fB\-x\fR, \fB\-\-check\-exit\fR
328Report processes that exit with a non-zero status. By default only processes
329that crash due to a signal are reported.
330.TP
331\fB\-h\fR, \fB\-\-help\fR
332Display a short help message and exit.
333.TP
334\fB\-V\fR, \fB\-\-version\fR
335Output version information and exit.
336.SH DIAGNOSTICS
337.PP
338Exit status is zero if no child process crashed. If one or several children
339crashed, \fBzzuf\fR exits with status 1.
340.SH EXAMPLES
341.PP
342Fuzz the input of the \fBcat\fR program using default settings:
343.PP
344\fB    zzuf cat /etc/motd\fR
345.PP
346Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
347.PP
348\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
349.PP
350Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
351and prevent non-ASCII characters from appearing in the output:
352.PP
353\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
354.PP
355Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
356original input and excluding \fB.xml\fR files from fuzzing (because
357\fBconvert\fR will also open its own XML configuration files and we do not
358want \fBzzuf\fR to fuzz them):
359.PP
360\fB    zzuf \-E \(aq\\.xml$\(aq convert foo.jpeg \-format tga /dev/null\fR
361.PP
362Fuzz the input of VLC, using file \fBmovie.avi\fR as the original input
363and restricting fuzzing to filenames that appear on the command line
364(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
365can be read by VLC to reproduce the same behaviour without using
366\fBzzuf\fR:
367.PP
368\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
369.br
370\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
371.br
372\fB    vlc fuzzy\-movie.avi\fR
373.PP
374Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
375with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
376by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
377standard output messages (\fB\-q\fR), launching up to five simultaneous child
378processes (\fB\-j5\fR) but waiting at least half a second between launches
379(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
380read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
381(\fB\-S\fR):
382.PP
383\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-j5 \-D0.5 \-T60 \-S \\\fR
384.br
385\fB      mplayer \-benchmark \-vo null \-fps 1000 movie.avi\fR
386.PP
387A more advanced VLC fuzzing example, stopping only at the first crash:
388.PP
389\fB    zzuf \-j4 \-vqc \-r0.000001:0.01 \-s0: vlc \-v \-I dummy movie.avi \\\fR
390.br
391\fB       \-\-sout \(aq#transcode{acodec=s16l,vcodec=I420}:dummy\(aq vlc:quit
392.PP
393Create an HTML-like file that loads 200 times the same \fBhello.jpg\fR image
394and open it in Firefox\(tm in auto-increment mode (\fB\-A\fR):
395.PP
396\fB    seq \-f \(aq<img src="hello.jpg#%g">\(aq 1 200 > hello.html\fR
397.br
398      (or: \fBjot \-w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
399.br
400\fB    zzuf \-A \-I \(aqhello[.]jpg\(aq \-r0.001 firefox hello.html\fR
401.PP
402Run a simple HTTP redirector on the local host using \fBsocat\fR and
403corrupt each network connection (\fB\-n\fR) in a different way (\fB\-A\fR)
404after one megabyte of data was received on it (\fB\-b1000000\-\fR):
405.PP
406\fB     zzuf \-n \-A \-b1000000\- \\\fR
407\fB       socat TCP4\-LISTEN:8080,reuseaddr,fork TCP4:192.168.1.42:80\fR
408.PP
409Browse the intarweb (\fB\-n\fR) using Firefox\(tm without fuzzing local files
410(\fB\-E.\fR) or non-HTTP connections (\fB\-p80,8010,8080\fR), preserving
411the beginning of the data sent with each HTTP response (\fB\-b4000\-\fR)
412and using another seed on each connection (\fB\-A\fR):
413.PP
414\fB    zzuf \-r 0.0001 \-n \-E. \-p80,8010,8080 \-b4000\- \-A firefox\fR
415.SH RESTRICTIONS
416.PP
417Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
418\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
419processes, it will fail in the presence of any mechanism that disables
420preloading. For instance setuid root binaries will not be fuzzed when run
421as an unprivileged user.
422.PP
423For the same reasons, \fBzzuf\fR will also not work with statically linked
424binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
425where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
426.PP
427Though best efforts are made, identical behaviour for different versions of
428\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
429different operating systems and with different target programs is only
430guaranteed when the same version of \fBzzuf\fR is being used.
431.SH BUGS
432.PP
433\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
434.PP
435It is not yet possible to insert or drop bytes from the input, to fuzz
436according to the file format, to swap bytes, etc. More advanced fuzzing
437methods are planned.
438.PP
439As of now, \fBzzuf\fR does not really support multithreaded applications. The
440behaviour with multithreaded applications where more than one thread does file
441descriptor operations is undefined.
442.SH HISTORY
443.PP
444\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
445multimedia stream corrupter used to find bugs in the VLC media player.
446.SH SEE ALSO
447.PP
448\fBlibzzuf(3)\fR, \fBzzcat(1)\fR
449.SH AUTHOR
450.PP
451Copyright \(co 2002\-2010 Sam Hocevar <sam@hocevar.net>.
452.PP
453\fBzzuf\fR and this manual page are free software. They come without any
454warranty, to the extent permitted by applicable law. You can redistribute
455them and/or modify them under the terms of the Do What The Fuck You Want
456To Public License, Version 2, as published by Sam Hocevar. See
457\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
458.PP
459\fBzzuf\fR's webpage can be found at \fBhttp://caca.zoy.org/wiki/zzuf\fR.
460An overview of the architecture and inner works is at
461\fBhttp://caca.zoy.org/wiki/zzuf/internals\fR.
Note: See TracBrowser for help on using the repository browser.