source: zzuf/trunk/doc/zzuf.1 @ 1557

Last change on this file since 1557 was 1557, checked in by Sam Hocevar, 14 years ago
  • Improved manpage, especially the statistical effect of using -R.
File size: 10.0 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdiqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
6.br
7              [\fB\-F\fR \fIchildren\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
8.br
9              [\fB\-P\fR \fIlist\fR] [\fB\-R\fR \fIlist\fR]
10.br
11              [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] \fIPROGRAM\fR [\fIARGS\fR]...
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-v\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting
19file operations and changing random bits in the program's input. \fBZzuf\fR's
20behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBZzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard output, eg:
26.PP
27.RS
28.nf
29\fBzzuf cat /dev/zero\fR
30.fi
31.RE
32.PP
33If you want to specify flags for your application, put a '\fB\-\-\fR'
34marker before them on the command line (otherwise \fBzzuf\fR will try to
35interpret them as arguments for itself), eg:
36.PP
37.RS
38.nf
39\fBzzuf \-B 1000 cat \-\- \-v /dev/zero\fR
40.fi
41.RE
42.SH OPTIONS
43.TP
44\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
45Automatically terminate child processes that output more than \fIn\fR bytes
46on the standard output and standard error channels. This is useful to detect
47infinite loops. See also the \fB\-T\fR flag.
48.TP
49\fB\-c\fR, \fB\-\-cmdline\fR
50Only fuzz files whose name is specified in the target application's command
51line. This is mostly a shortcut to avoid specifiying twice the argument:
52\fBzzuf \-c cat file.txt\fR has the same effect as \fBzzuf \-I
53\(dq^file\\.txt$\(dq cat file.txt\fR. See the \fB\-I\fR flag for more
54information.
55.TP
56\fB\-d\fR, \fB\-\-debug\fR
57Activate the display of debug messages.
58.TP
59\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
60Do not fuzz files whose name matches the \fIregex\fR regular expression. This
61option supersedes anything that is specified by the \fB\-I\fR flag. Use this
62for instance if you are unsure of what files your application is going to read
63and do not want it to fuzz files in the \fB/etc\fR directory.
64
65Multiple \fB\-E\fR flags can be specified, in which case files matching any one
66of the regular expressions will be ignored.
67.TP
68\fB\-F\fR, \fB\-\-fork\fR=\fIchildren\fR
69Specify the number of simultaneous children that can be run. This option is
70only useful if the \fB\-s\fR flag is used with an interval argument.
71.TP
72\fB\-i\fR, \fB\-\-stdin\fR
73Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
74.TP
75\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
76Only fuzz files whose name matches the \fIregex\fR regular expression. Use
77this for instance if your application reads configuration files at startup
78and you only want specific files to be fuzzed.
79
80Multiple \fB\-I\fR flags can be specified, in which case files matching any one
81of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
82.TP
83\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
84Protect a list of characters so that if they appear in input data that would
85normally be fuzzed, they are left unmodified instead.
86
87Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
88The sequences interpreted by \fBzzuf\fR are:
89.RS
90.TP
91\fB\\0\fR
92null byte
93.TP
94\fB\\n\fR
95new line
96.TP
97\fB\\r\fR
98return
99.TP
100\fB\\t\fR
101tabulation
102.TP
103\fB\\x\fR\fINN\fR
104the byte whose hexadecimal value is \fINN\fR
105.TP
106\fB\\\\\fR
107backslash ('\\')
108.RE
109.IP
110You can use '\fB-\fR' to specify ranges. For instance, to protect all bytes
111from '\fB\\x01\fR' to ' ', use '\fB\-P \(dq\\x01- \(dq\fR'.
112
113The statistical outcome of this option should not be overlooked. Because
114\fBzzuf\fR cannot know the nature of the input data beforehands and must
115fuzz it even if only one byte of data was received, protecting characters
116may change the meaning of the \fB\-r\fR flag depending on the data being
117fuzzed. For instance, asking to fuzz 1% of input bits and to protect
118lowercase characters (using '\fB\-r 0.01 \-P a-z\fR') will result in an
119actual average fuzzing ratio of 0.9% with truly random data, 0.3% with
120random ASCII data and 0.2% with a normal English text.
121
122See also the \fB\-R\fR flag.
123.TP
124\fB\-q\fR, \fB\-\-quiet\fR
125Hide the output of the fuzzed application. This is useful if the application
126is very verbose but only its exit code or signaled status is really useful to
127you.
128.TP
129\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
130Specify the proportion of bits that will be randomly fuzzed. A value of 0
131will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
132bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
133the input files undiscernible from random data. The default fuzzing ratio
134is 0.004 (fuzz 0.4% of the files' bits).
135.TP
136\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
137Refuse a list of characters by not fuzzing bytes that would otherwise be
138changed to a character that is in \fIlist\fR. If the original byte is already
139in \fIlist\fR, it is left unchanged.
140
141See the \fB\-P\fR option for a description of \fIlist\fR.
142.TP
143\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
144.PD 0
145.TP
146\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
147.PD
148Specify the random seed to use for fuzzing, or an interval of random seeds.
149Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
150the same way, even with a different target application. The purpose of this is
151to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
152causes the target application to crash.
153
154If an interval is specified, \fBzzuf\fR will run the application several times,
155each time with a different seed, and report the behaviour of each run.
156.TP
157\fB\-S\fR, \fB\-\-signal\fR
158Prevent children from installing signal handlers for signals that usually
159cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
160\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
161platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
162\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
163simply crash. If you do not want core dumps, you should set appropriate limits
164with the \fBlimit coredumpsize\fR command. See your shell's documentation on
165how to set such limits.
166.TP
167\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
168Automatically terminate child processes that run for more than \fIn\fR
169seconds. This is useful to detect infinite loops or processes stuck in other
170situations. See also the \fB\-B\fR flag.
171.TP
172\fB\-h\fR, \fB\-\-help\fR
173Display a short help message and exit.
174.TP
175\fB\-v\fR, \fB\-\-version\fR
176Output version information and exit.
177.SH EXAMPLES
178.PP
179Fuzz the input of the \fBcat\fR program using default settings:
180.PP
181.RS
182.nf
183\fBzzuf cat /etc/motd\fR
184.fi
185.RE
186.PP
187Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
188.PP
189.RS
190.nf
191\fBzzuf -s 94324 -r 0.01 cat /etc/motd\fR
192.fi
193.RE
194.PP
195Fuzz the input of the \fBcat\fR program but do not fuzz the newline character
196and prevent non-ASCII characters from appearing in the output:
197.PP
198.RS
199.nf
200\fBzzuf -P \(dq\\n\(dq -R \(dq\\0-\\x1f\\x7f-\\xff\(dq cat /etc/motd\fR
201.fi
202.RE
203.PP
204Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
205original input and excluding \fB.xml\fR files from fuzzing (because
206\fBconvert\fR will also open its own XML configuration files and we do not
207want \fBzzuf\fR to fuzz them):
208.PP
209.RS
210.nf
211\fBzzuf -E \(dq\\.xml$\(dq convert -- foo.jpeg -format tga /dev/null\fR
212.fi
213.RE
214.PP
215Fuzz the input of \fBvlc\fR, using file \fBmovie.avi\fR as the original input
216and restricting fuzzing to filenames that appear on the command line
217(\fB\-c\fR), then generate \fBfuzzy-movie.avi\fR which is a file that can
218be read by \fBvlc\fR to reproduce the same behaviour without using \fBzzuf\fR:
219.PP
220.RS
221.nf
222\fBzzuf -c -s 87423 -r 0.01 vlc movie.avi\fR
223\fBzzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR
224\fBvlc fuzzy-movie.avi\fR
225.fi
226.RE
227.PP
228Fuzz 2% of \fBmplayer\fR's input bits (\fB\-r 0.02\fR) with seeds 0 to 9999
229(\fB\-s 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
230launching up to three simultaneous child processes (\fB\-F 3\fR), killing
231\fBmplayer\fR if it takes more than one minute to read the file (\fB\-T 60\fR)
232and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
233.PP
234.RS
235.nf
236\fBzzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 \\\fR
237\fB  mplayer -- -benchmark -vo null -fps 1000 movie.avi\fR
238.fi
239.RE
240.SH BUGS
241.PP
242Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR on most
243Unix systems, \fBDYLD_INSERT_LIBRARIES\fR on Mac OS X) to run its child
244processes, it will fail in the presence of any mechanism that disables
245preloading. For instance setuid root binaries will not be fuzzed when run
246as an unprivileged user. This limitation will probably not be addressed.
247.PP
248Network fuzzing is not implemented. This feature will be added.
249.PP
250It is not yet possible to insert or drop bytes from the input, to fuzz
251according to the file format, or to do all these complicated operations. These
252features are planned.
253.PP
254Only the most common file operations are implemented: \fBopen\fR(),
255\fBread\fR(), \fBfopen\fR(), \fBfseek\fR(), etc. One important unimplemented
256function is \fBfscanf\fR(). These features will be implemented based on user
257request.
258.PP
259As of now, \fBzzuf\fR does not really support multithreaded applications. The
260behaviour with multithreaded applications where more than one thread does file
261descriptor operations is undefined. This bug will be fixed.
262.PP
263Though best efforts are made, the reproducibility of \fBzzuf\fR's behaviour
264is guaranteed for subsequent calls with the same arguments but not for calls
265with different \fBzzuf\fR versions.
266.SH AUTHOR
267.PP
268Copyright \(co 2006, 2007 Sam Hocevar <sam@zoy.org>.
269.PP
270\fBZzuf\fR and this manual page are free software. They come without any
271warranty, to the extent permitted by applicable law. You can redistribute
272them and/or modify them under the terms of the Do What The Fuck You Want
273To Public License, Version 2, as published by Sam Hocevar. See
274\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
275.PP
276\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.