source: zzuf/trunk/doc/zzuf.1 @ 1536

Last change on this file since 1536 was 1536, checked in by Sam Hocevar, 14 years ago
  • Fix typo in manpage.
File size: 6.6 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5.B zzuf
6[
7.B \-cdhiqSv
8] [
9.B \-r
10.I ratio
11] [
12.B \-s
13.I seed
14|
15.B \-s
16.I start:stop
17]
18.PD 0
19.IP
20.PD
21[
22.B \-F
23.I children
24] [
25.B \-B
26.I bytes
27] [
28.B \-T
29.I seconds
30]
31.PD 0
32.IP
33.PD
34[
35.B \-I
36.I include
37] [
38.B \-E
39.I exclude
40]
41.I COMMAND [ARGS]...
42.RI
43.SH DESCRIPTION
44.B Zzuf
45is a transparent application input fuzzer. It works by intercepting
46file operations and changing random bits in the program's input.
47.B Zzuf's
48behaviour is deterministic, making it easy to reproduce bugs.
49.RI
50.SH USAGE
51.B Zzuf
52will run an application specified on its command line, one or several times,
53with optional arguments, and will report the application's behaviour on
54the standard output.
55
56If you want to specify arguments for your application, put a
57.B \-\-
58marker before them on the command line, or
59.B zzuf
60will try to interpret them as arguments for itself.
61.RI
62.SH OPTIONS
63.TP
64.B \-B, \-\-max\-bytes <n>
65Automatically terminate child processes that output more than
66.B <n>
67bytes on the standard output and standard error channels. This is useful to
68detect infinite loops.
69.TP
70.B \-c, \-\-cmdline
71Only fuzz files whose name is specified in the target application's command
72line. This is mostly a shortcut to avoid specifiying twice the argument:
73.B zzuf \-c cat file.txt
74has the same effect as
75.B zzuf \-I "^file\\.txt$" cat
76.BR file.txt .
77See the
78.B \-I
79flag for more information.
80.TP
81.B \-d, \-\-debug
82Activate the display of debug messages.
83.TP
84.B \-E, \-\-exclude <regex>
85Do not fuzz files whose name matches the
86.B <regex>
87regular expression. This option supersedes anything that is specified by the
88.B \-\-include
89flag. Use this for instance if you are unsure of what files your
90application is going to read and do not want it to fuzz files in the
91.B /etc
92directory.
93
94Multiple
95.B \-E
96flags can be specified, in which case files matching any one of the regular
97expressions will be ignored.
98.TP
99.B \-F, \-\-fork <children>
100Specify the number of simultaneous children that can be run. This option is
101only useful if the
102.B \-s
103flag is used with an interval argument.
104.TP
105.B \-h, \-\-help
106Display a short help message and exit.
107.TP
108.B \-i, \-\-stdin
109Fuzz the application's standard input. By default
110.B zzuf
111only fuzzes files.
112.TP
113.B \-I, \-\-include <regex>
114Only fuzz files whose name matches the
115.B <regex>
116regular expression. Use this for instance if your application reads
117configuration files at startup and you only want specific files to be fuzzed.
118
119Multiple
120.B \-I
121flags can be specified, in which case files matching any one of the regular
122expressions will be fuzzed. See also the
123.B \-c
124flag.
125.TP
126.B \-q, \-\-quiet
127Hide the output of the fuzzed application. This is useful if the application
128is very verbose but only its exit code or signaled status is really useful to
129you.
130.TP
131.B \-r, \-\-ratio <ratio>
132Specify the amount of bits that will be randomly fuzzed. A value of 0
133will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
134bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
135the input files undiscernible from random data. The default fuzzing ratio
136is 0.004 (fuzz 0.4% of the files' bits).
137.TP
138.B \-s, \-\-seed <seed>
139.PD 0
140.TP
141.B \-s, \-\-seed <start:stop>
142.PD
143Specify the random seed to use for fuzzing, or an interval of random seeds.
144Running
145.B zzuf
146twice with the same random seed will fuzz the files exactly the same way,
147even with a different target application. The purpose of this is to use
148simple utilities such as
149.B cat
150or
151.B cp
152to generate a file that causes the target application to crash.
153
154If an interval is specified,
155.B zzuf
156will run the application several times, each time with a different seed, and
157report the behaviour of each run.
158.TP
159.B \-S, \-\-signal
160Prevent children from installing signal handlers for signals that usually
161cause coredumps. These signals are
162.BR SIGABRT ,
163.BR SIGFPE ,
164.BR SIGILL ,
165.BR SIGQUIT ,
166.BR SIGSEGV ,
167.B SIGTRAP
168and, if available on the running platform,
169.BR SIGSYS ,
170.BR SIGEMT ,
171.BR SIGBUS ,
172.B SIGXCPU
173and
174.BR SIGXFSZ .
175Instead of calling the signal handler, the application will simply crash. If
176you do not want core dumps, you should set appropriate limits with the
177.B limit coredumpsize
178command. See your shell's documentation on how to set such limits.
179.TP
180.B \-T, \-\-max\-time <n>
181Automatically terminate child processes that run for more than
182.B <n>
183seconds. This is useful to detect infinite loops or processes stuck in other
184situations.
185.TP
186.B \-v, \-\-version
187Output version information and exit.
188.RI
189.SH EXAMPLES
190Fuzz the input of the
191.B cat
192program using default settings:
193.nf
194
195.B % zzuf cat /etc/motd
196
197.fi
198Fuzz 1% of the input bits of the
199.B cat
200program using seed 94324:
201.nf
202
203.B % zzuf -s 94324 -r 0.01 cat /etc/motd
204
205.fi
206Fuzz the input of the
207.B convert
208program, using file
209.B foo.jpeg
210as the original input and excluding
211.B .xml
212files from fuzzing (because
213.B convert
214will also open its own XML configuration files and we do not want
215.B zzuf
216to fuzz them):
217.nf
218
219.B % zzuf -E "\\.xml$" convert -- foo.jpeg -format tga /dev/null
220
221.fi
222Fuzz the input of
223.BR vlc ,
224using file
225.B movie.avi
226as the original input and restricting fuzzing to filenames that appear on
227the command line, then generate
228.B fuzzy-movie.avi
229which is a file that can be fed to
230.B vlc
231to reproduce the same behaviour without using
232.BR zzuf :
233.fn
234
235.B % zzuf -c -s 87423 -r 0.01 vlc movie.avi
236
237.B % zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi
238
239.B % vlc fuzzy-movie.avi
240
241.fi
242Fuzz 2% of
243.BR mplayer 's
244input bits
245.RB  ( \-r
246.BR 0.02 )
247with seeds 0 to 9999
248.RB ( \-s
249.BR 0:10000 ),
250disabling its standard output messages
251.RB ( \-q ),
252launching up to three simultaneous child processes
253.RB ( \-F
254.BR 3 ),
255killing
256.B mplayer
257if it takes more than one minute to read the file
258.RB ( \-T
259.BR 60 )
260and disabling its
261.B SIGSEGV
262signal handler
263.RB ( \-S ):
264.fn
265
266.B % zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 mplayer movie.avi -- -benchmark -vo null -fps 1000
267
268.fi
269.RI
270.SH BUGS
271Only the most common file operations are implemented as of now:
272.BR open (),
273.BR read (),
274.BR fopen (),
275.BR fseek (),
276etc. One important unimplemented function is
277.BR fscanf ().
278
279Network fuzzing is not implemented. It is not yet possible to insert or
280drop bytes from the input, to fuzz according to the file format, or to do
281all these complicated operations. They are planned, though.
282
283Due to
284.B zzuf
285using
286.B LD_PRELOAD
287to run its child processes, it will fail in the presence of any mechanism
288that disables preloading. For instance setuid root binaries will not be
289fuzzed.
290.RI
291.SH AUTHOR
292.B Zzuf
293and this manual page were written by Sam Hocevar <sam@zoy.org>. There is a
294webpage available at http://sam.zoy.org/zzuf/
Note: See TracBrowser for help on using the repository browser.