source: zzuf/trunk/doc/zzuf.1 @ 1564

Last change on this file since 1564 was 1564, checked in by Sam Hocevar, 14 years ago
  • Minor layout tuning.
File size: 10.3 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdinqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
6.br
7               [\fB\-F\fR \fIchildren\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
8.br
9               [\fB\-P\fR \fIlist\fR] [\fB\-R\fR \fIlist\fR]
10.br
11               [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] \fIPROGRAM\fR [\fIARGS\fR]...
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-v\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting
19file operations and changing random bits in the program's input. \fBZzuf\fR's
20behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBZzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard output, eg:
26.PP
27\fB    zzuf cat /dev/zero\fR
28.PP
29If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
30marker before them on the command line (otherwise \fBzzuf\fR will try to
31interpret them as arguments for itself), eg:
32.PP
33\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
34.SH OPTIONS
35.TP
36\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
37Automatically terminate child processes that output more than \fIn\fR bytes
38on the standard output and standard error channels. This is useful to detect
39infinite loops. See also the \fB\-T\fR flag.
40.TP
41\fB\-c\fR, \fB\-\-cmdline\fR
42Only fuzz files whose name is specified in the target application's command
43line. This is mostly a shortcut to avoid specifiying twice the argument:
44
45\fB    zzuf \-c cat file.txt\fR
46
47has the same effect as
48
49\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
50
51See the \fB\-I\fR flag for more information.
52.TP
53\fB\-d\fR, \fB\-\-debug\fR
54Activate the display of debug messages.
55.TP
56\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
57Do not fuzz files whose name matches the \fIregex\fR regular expression. This
58option supersedes anything that is specified by the \fB\-I\fR flag. Use this
59for instance if you are unsure of what files your application is going to read
60and do not want it to fuzz files in the \fB/etc\fR directory.
61
62Multiple \fB\-E\fR flags can be specified, in which case files matching any one
63of the regular expressions will be ignored.
64.TP
65\fB\-F\fR, \fB\-\-fork\fR=\fIchildren\fR
66Specify the number of simultaneous children that can be run. This option is
67only useful if the \fB\-s\fR flag is used with an interval argument.
68.TP
69\fB\-i\fR, \fB\-\-stdin\fR
70Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
71.TP
72\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
73Only fuzz files whose name matches the \fIregex\fR regular expression. Use
74this for instance if your application reads configuration files at startup
75and you only want specific files to be fuzzed.
76
77Multiple \fB\-I\fR flags can be specified, in which case files matching any one
78of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
79.TP
80\fB\-n\fR, \fB\-\-network\fR
81Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
82.TP
83\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
84Protect a list of characters so that if they appear in input data that would
85normally be fuzzed, they are left unmodified instead.
86
87Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
88The sequences interpreted by \fBzzuf\fR are:
89.RS
90.TP
91\fB\\n\fR
92new line
93.TP
94\fB\\r\fR
95return
96.TP
97\fB\\t\fR
98tabulation
99.TP
100\fB\\\fR\fINNN\fR
101the byte whose octal value is \fINNN\fR
102.TP
103\fB\\x\fR\fINN\fR
104the byte whose hexadecimal value is \fINN\fR
105.TP
106\fB\\\\\fR
107backslash (\(oq\\\(cq)
108.RE
109.IP
110You can use \(oq\fB-\fR\(cq to specify ranges. For instance, to protect all
111bytes from '\\001' to '/', use \(oq\fB\-P\ \(dq\\001-/\(dq\fR\(cq.
112
113The statistical outcome of this option should not be overlooked: if characters
114are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
115on the data being fuzzed. For instance, asking to fuzz 1% of input bits
116(\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a-z\fR) will
117result in an actual average fuzzing ratio of 0.9% with truly random data,
1180.3% with random ASCII data and 0.2% with standard English text.
119
120See also the \fB\-R\fR flag.
121.TP
122\fB\-q\fR, \fB\-\-quiet\fR
123Hide the output of the fuzzed application. This is useful if the application
124is very verbose but only its exit code or signaled status is really useful to
125you.
126.TP
127\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
128Specify the proportion of bits that will be randomly fuzzed. A value of 0
129will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
130bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
131the input files undiscernible from random data. The default fuzzing ratio
132is 0.004 (fuzz 0.4% of the files' bits).
133.TP
134\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
135Refuse a list of characters by not fuzzing bytes that would otherwise be
136changed to a character that is in \fIlist\fR. If the original byte is already
137in \fIlist\fR, it is left unchanged.
138
139See the \fB\-P\fR option for a description of \fIlist\fR.
140.TP
141\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
142.PD 0
143.TP
144\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
145.PD
146Specify the random seed to use for fuzzing, or an interval of random seeds.
147Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
148the same way, even with a different target application. The purpose of this is
149to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
150causes the target application to crash.
151
152If an interval is specified, \fBzzuf\fR will run the application several times,
153each time with a different seed, and report the behaviour of each run.
154.TP
155\fB\-S\fR, \fB\-\-signal\fR
156Prevent children from installing signal handlers for signals that usually
157cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
158\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
159platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
160\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
161simply crash. If you do not want core dumps, you should set appropriate limits
162with the \fBlimit coredumpsize\fR command. See your shell's documentation on
163how to set such limits.
164.TP
165\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
166Automatically terminate child processes that run for more than \fIn\fR
167seconds. This is useful to detect infinite loops or processes stuck in other
168situations. See also the \fB\-B\fR flag.
169.TP
170\fB\-h\fR, \fB\-\-help\fR
171Display a short help message and exit.
172.TP
173\fB\-v\fR, \fB\-\-version\fR
174Output version information and exit.
175.SH EXAMPLES
176.PP
177Fuzz the input of the \fBcat\fR program using default settings:
178.PP
179\fB    zzuf cat /etc/motd\fR
180.PP
181Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
182.PP
183\fB    zzuf -s 94324 -r 0.01 cat /etc/motd\fR
184.PP
185Fuzz the input of the \fBcat\fR program but do not fuzz the newline character
186and prevent non-ASCII characters from appearing in the output:
187.PP
188\fB    zzuf -P \(aq\\n\(aq -R \(aq\\x00-\\x1f\\x7f-\\xff\(aq cat /etc/motd\fR
189.PP
190Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
191original input and excluding \fB.xml\fR files from fuzzing (because
192\fBconvert\fR will also open its own XML configuration files and we do not
193want \fBzzuf\fR to fuzz them):
194.PP
195\fB    zzuf -E \(aq\\.xml$\(aq convert -- foo.jpeg -format tga /dev/null\fR
196.PP
197Fuzz the input of \fBVLC\fR, using file \fBmovie.avi\fR as the original input
198and restricting fuzzing to filenames that appear on the command line
199(\fB\-c\fR), then generate \fBfuzzy-movie.avi\fR which is a file that
200can be read by \fBVLC\fR to reproduce the same behaviour without using
201\fBzzuf\fR:
202.PP
203\fB    zzuf -c -s 87423 -r 0.01 vlc movie.avi\fR
204\fB    zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR
205\fB    vlc fuzzy-movie.avi\fR
206.PP
207Fuzz 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.02\fR) with seeds 0 to 9999
208(\fB\-s\ 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
209launching up to three simultaneous child processes (\fB\-F\ 3\fR), killing
210\fBMPlayer\fR if it takes more than one minute to read the file (\fB\-T\ 60\fR)
211and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
212.PP
213\fB    zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 \\\fR
214\fB      mplayer -- -benchmark -vo null -fps 1000 movie.avi\fR
215.SH BUGS
216.PP
217Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR on most
218Unix systems, \fBDYLD_INSERT_LIBRARIES\fR on Mac OS X) to run its child
219processes, it will fail in the presence of any mechanism that disables
220preloading. For instance setuid root binaries will not be fuzzed when run
221as an unprivileged user. This limitation will probably not be addressed.
222.PP
223It is not yet possible to insert or drop bytes from the input, to fuzz
224according to the file format, or to do all these complicated operations. These
225features are planned.
226.PP
227Only the most common file operations are implemented: \fBopen\fR(),
228\fBread\fR(), \fBfopen\fR(), \fBfseek\fR(), etc. One important unimplemented
229function is \fBfscanf\fR(). These features will be implemented based on user
230request.
231.PP
232As of now, \fBzzuf\fR does not really support multithreaded applications. The
233behaviour with multithreaded applications where more than one thread does file
234descriptor operations is undefined. This bug will be fixed.
235.PP
236Though best efforts are made, identical behaviour for different versions of
237\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
238different operating systems and with different target programs is only
239guaranteed when the same version of \fBzzuf\fR is used.
240.SH HISTORY
241.PP
242\fBZzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
243multimedia stream corrupter used to find bugs in the \fBVLC\fR media player.
244\fBZzuf\fR is a complete rewrite of that tool.
245.SH AUTHOR
246.PP
247Copyright \(co 2006, 2007 Sam Hocevar <sam@zoy.org>.
248.PP
249\fBZzuf\fR and this manual page are free software. They come without any
250warranty, to the extent permitted by applicable law. You can redistribute
251them and/or modify them under the terms of the Do What The Fuck You Want
252To Public License, Version 2, as published by Sam Hocevar. See
253\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
254.PP
255\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.