source: zzuf/trunk/doc/zzuf.1 @ 1526

Last change on this file since 1526 was 1526, checked in by Sam Hocevar, 14 years ago
  • Added the -i flag (for stdin fuzzing).
File size: 5.1 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5.B zzuf
6[
7.B \-vqdhi
8] [
9.B \-r
10.I ratio
11] [
12.B \-s
13.I seed
14|
15.B \-s
16.I start:stop
17]
18.PD 0
19.IP
20.PD
21[
22.B \-F
23.I children
24] [
25.B \-B
26.I bytes
27] [
28.B \-T
29.I seconds
30]
31.PD 0
32.IP
33.PD
34[
35.B \-I
36.I include
37] [
38.B \-E
39.I exclude
40]
41.I COMMAND [ARGS]...
42.RI
43.SH DESCRIPTION
44.B Zzuf
45is a transparent application input fuzzer. It works by intercepting
46file operations and changing random bits in the program's input.
47.B Zzuf's
48behaviour is deterministic, making it easy to reproduce bugs.
49.RI
50.SH USAGE
51.B Zzuf
52will run an application specified on its command line, one or several times,
53with optional arguments, and will report the application's behaviour on
54the standard output.
55
56If you want to specify arguments for your application, put a
57.B \-\-
58marker before them on the command line, or
59.B zzuf
60will try to interpret them as arguments for itself.
61.RI
62.SH OPTIONS
63.TP
64.B \-r, \-\-ratio <ratio>
65Specify the amount of bits that will be randomly fuzzed. A value of 0
66will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
67bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
68the input files undiscernible from random data. The default fuzzing ratio
69is 0.004 (fuzz 0.4% of the files' bits).
70.TP
71.B \-s, \-\-seed <seed>
72.PD 0
73.TP
74.B \-s, \-\-seed <start:stop>
75.PD
76Specify the random seed to use for fuzzing, or an interval of random seeds.
77Running
78.B zzuf
79twice with the same random seed will fuzz the files exactly the same way,
80even with a different target application. The purpose of this is to use
81simple utilities such as
82.B cat
83or
84.B cp
85to generate a file that causes the target application to crash.
86
87If an interval is specified,
88.B zzuf
89will run the application several times, each time with a different seed, and
90report the behaviour of each run.
91.TP
92.B \-F, \-\-fork <children>
93Specify the number of simultaneous children that can be run. This option is
94only useful if the
95.B \-s
96flag is used with an interval argument.
97.TP
98.B \-B, \-\-max\-bytes <n>
99Automatically terminate child processes that output more than
100.B <n>
101bytes on the standard output and standard error channels. This is useful to
102detect infinite loops.
103.TP
104.B \-T, \-\-max\-time <n>
105Automatically terminate child processes that run for more than
106.B <n>
107seconds. This is useful to detect infinite loops or processes stuck in other
108situations.
109.TP
110.B \-q, \-\-quiet
111Hide the output of the fuzzed application. This is useful if the application
112is very verbose but only its exit code is really useful to you.
113.TP
114.B \-i, \-\-stdin
115Fuzz the application's standard input. By default
116.B zzuf
117only fuzzes files.
118.TP
119.B \-I, \-\-include <regex>
120Only fuzz files whose name matches the
121.B <regex>
122regular expression. Use this for instance if your application reads
123configuration files in many places and you do not want them to be fuzzed.
124.TP
125.B \-E, \-\-exclude <regex>
126Do not fuzz files whose name matches the
127.B <regex>
128regular expression. This option supersedes anything that is specified by the
129.B \-\-exclude
130flag. Use this for instance if you do not know for sure what files your
131application is going to read, but do not want it to fuzz files in the
132.B /etc
133directory.
134.TP
135.B \-d, \-\-debug
136Activate the display of debug messages.
137.TP
138.B \-h, \-\-help
139Display a short help message and exit.
140.TP
141.B \-v, \-\-version
142Output version information and exit.
143.RI
144.SH EXAMPLES
145Fuzz the input of the
146.B cat
147program using default settings:
148.nf
149
150.B % zzuf cat /etc/motd
151
152.fi
153Fuzz 1% of the input bits of the
154.B cat
155program using seed 94324:
156.nf
157
158.B % zzuf -s 94324 -r 0.01 cat /etc/motd
159
160.fi
161Fuzz the input of the
162.B convert
163program, using file
164.B foo.jpeg
165as the original input and restricting fuzzing to filenames matching the
166regular expression
167.B "foo[.]jpeg"
168(because
169.B convert
170will also open its own configuration files and we do not want
171.B zzuf
172to fuzz them):
173.nf
174
175.B % zzuf -I "foo[.]jpeg" convert -- foo.jpeg -format tga /dev/null
176
177.fi
178Fuzz the input of
179.BR vlc ,
180using file
181.B movie.avi
182as the original input, and generate
183.B fuzzy-movie.avi
184which is a file that can be fed to
185.B vlc
186to reproduce the same behaviour without using
187.BR zzuf :
188.fn
189
190.B % zzuf -s 87423 -r 0.01 vlc movie.avi
191
192.B % zzuf -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi
193
194.B % vlc fuzzy-movie.avi
195
196.fi
197Fuzz
198.BR mplayer 's
199input with seeds 0 to 9999, launching up to 3 simultaneous child processes
200and killing
201.BR mplayer
202if it takes more than one minute to read the file:
203.fn
204
205.B % zzuf -q -s 0:10000 -F 3 -T 60 -r 0.02 -I movie.avi mplayer movie.avi -- -benchmark -vo null -fps 1000
206
207.fi
208.RI
209.SH BUGS
210Only the most common file operations are implemented as of now:
211.BR open (),
212.BR read (),
213.BR fopen (),
214.BR fseek (),
215etc. One important unimplemented function is
216.BR fscanf ().
217
218Network fuzzing is not implemented. It is not yet possible to insert or
219drop bytes from the input, to fuzz according to the file format, or to do
220all these complicated operations. They are planned, though.
221.RI
222.SH AUTHOR
223.B Zzuf
224and this manual page were written by Sam Hocevar <sam@zoy.org>. There is a
225webpage available at http://sam.zoy.org/zzuf/
Note: See TracBrowser for help on using the repository browser.