source: zzuf/trunk/doc/zzuf.1 @ 1575

Last change on this file since 1575 was 1575, checked in by Sam Hocevar, 14 years ago
  • Another note in the manpage.
File size: 11.4 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdinqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
6.br
7               [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
8.br
9               [\fB\-P\fR \fIlist\fR] [\fB\-R\fR \fIlist\fR]
10.br
11               [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] \fIPROGRAM\fR [\fIARGS\fR]...
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-v\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting
19file and network operations and changing random bits in the program's input.
20\fBZzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBZzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard output, eg:
26.PP
27\fB    zzuf cat /dev/zero\fR
28.PP
29If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
30marker before them on the command line (otherwise \fBzzuf\fR will try to
31interpret them as arguments for itself), eg:
32.PP
33\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
34.SH OPTIONS
35.TP
36\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
37Automatically terminate child processes that output more than \fIn\fR bytes
38on the standard output and standard error channels. This is useful to detect
39infinite loops. See also the \fB\-T\fR flag.
40.TP
41\fB\-c\fR, \fB\-\-cmdline\fR
42Only fuzz files whose name is specified in the target application's command
43line. This is mostly a shortcut to avoid specifiying twice the argument:
44
45\fB    zzuf \-c cat file.txt\fR
46
47has the same effect as
48
49\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
50
51See the \fB\-I\fR flag for more information on restricting fuzzing to
52specific files.
53.TP
54\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
55Stop forking when at least \fIn\fR children have crashed. The default value
56is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A process
57is considered to have crashed if any signal (such as, but not limited to,
58\fBSIGSEGV\fR) caused it to exit.
59
60This option is only relevant if the \fB\-s\fR flag is used with an interval
61argument.
62.TP
63\fB\-d\fR, \fB\-\-debug\fR
64Activate the display of debug messages.
65.TP
66\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
67Do not fuzz files whose name matches the \fIregex\fR regular expression. This
68option supersedes anything that is specified by the \fB\-I\fR flag. Use this
69for instance if you are unsure of what files your application is going to read
70and do not want it to fuzz files in the \fB/etc\fR directory.
71
72Multiple \fB\-E\fR flags can be specified, in which case files matching any one
73of the regular expressions will be ignored.
74.TP
75\fB\-F\fR, \fB\-\-max-forks\fR=\fIforks\fR
76Specify the number of simultaneous children that can be run.
77
78This option is only relevant if the \fB\-s\fR flag is used with an interval
79argument.
80.TP
81\fB\-i\fR, \fB\-\-stdin\fR
82Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
83.TP
84\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
85Only fuzz files whose name matches the \fIregex\fR regular expression. Use
86this for instance if your application reads configuration files at startup
87and you only want specific files to be fuzzed.
88
89Multiple \fB\-I\fR flags can be specified, in which case files matching any one
90of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
91.TP
92\fB\-n\fR, \fB\-\-network\fR
93Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
94.TP
95\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
96Protect a list of characters so that if they appear in input data that would
97normally be fuzzed, they are left unmodified instead.
98
99Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
100The sequences interpreted by \fBzzuf\fR are:
101.RS
102.TP
103\fB\\n\fR
104new line
105.TP
106\fB\\r\fR
107return
108.TP
109\fB\\t\fR
110tabulation
111.TP
112\fB\\\fR\fINNN\fR
113the byte whose octal value is \fINNN\fR
114.TP
115\fB\\x\fR\fINN\fR
116the byte whose hexadecimal value is \fINN\fR
117.TP
118\fB\\\\\fR
119backslash (\(oq\\\(cq)
120.RE
121.IP
122You can use \(oq\fB-\fR\(cq to specify ranges. For instance, to protect all
123bytes from '\\001' to '/', use \(oq\fB\-P\ \(dq\\001-/\(dq\fR\(cq.
124
125The statistical outcome of this option should not be overlooked: if characters
126are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
127on the data being fuzzed. For instance, asking to fuzz 1% of input bits
128(\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a-z\fR) will
129result in an actual average fuzzing ratio of 0.9% with truly random data,
1300.3% with random ASCII data and 0.2% with standard English text.
131
132See also the \fB\-R\fR flag.
133.TP
134\fB\-q\fR, \fB\-\-quiet\fR
135Hide the output of the fuzzed application. This is useful if the application
136is very verbose but only its exit code or signaled status is really useful to
137you.
138.TP
139\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
140Specify the proportion of bits that will be randomly fuzzed. A value of 0
141will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
142bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
143the input files undiscernible from random data. The default fuzzing ratio
144is 0.004 (fuzz 0.4% of the files' bits).
145.TP
146\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
147Refuse a list of characters by not fuzzing bytes that would otherwise be
148changed to a character that is in \fIlist\fR. If the original byte is already
149in \fIlist\fR, it is left unchanged.
150
151See the \fB\-P\fR option for a description of \fIlist\fR.
152.TP
153\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
154.PD 0
155.TP
156\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
157.PD
158Specify the random seed to use for fuzzing, or an interval of random seeds.
159Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
160the same way, even with a different target application. The purpose of this is
161to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
162causes the target application to crash.
163
164If an interval is specified, \fBzzuf\fR will run the application several times,
165each time with a different seed, and report the behaviour of each run.
166.TP
167\fB\-S\fR, \fB\-\-signal\fR
168Prevent children from installing signal handlers for signals that usually
169cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
170\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
171platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
172\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
173simply crash. If you do not want core dumps, you should set appropriate limits
174with the \fBlimit coredumpsize\fR command. See your shell's documentation on
175how to set such limits.
176.TP
177\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
178Automatically terminate child processes that run for more than \fIn\fR
179seconds. This is useful to detect infinite loops or processes stuck in other
180situations. See also the \fB\-B\fR flag.
181.TP
182\fB\-h\fR, \fB\-\-help\fR
183Display a short help message and exit.
184.TP
185\fB\-v\fR, \fB\-\-version\fR
186Output version information and exit.
187.SH EXAMPLES
188.PP
189Fuzz the input of the \fBcat\fR program using default settings:
190.PP
191\fB    zzuf cat /etc/motd\fR
192.PP
193Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
194.PP
195\fB    zzuf -s 94324 -r 0.01 cat /etc/motd\fR
196.PP
197Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
198and prevent non-ASCII characters from appearing in the output:
199.PP
200\fB    zzuf -P \(aq\\n\(aq -R \(aq\\x00-\\x1f\\x7f-\\xff\(aq cat /etc/motd\fR
201.PP
202Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
203original input and excluding \fB.xml\fR files from fuzzing (because
204\fBconvert\fR will also open its own XML configuration files and we do not
205want \fBzzuf\fR to fuzz them):
206.PP
207\fB    zzuf -E \(aq\\.xml$\(aq convert -- foo.jpeg -format tga /dev/null\fR
208.PP
209Fuzz the input of \fBVLC\fR, using file \fBmovie.avi\fR as the original input
210and restricting fuzzing to filenames that appear on the command line
211(\fB\-c\fR), then generate \fBfuzzy-movie.avi\fR which is a file that
212can be read by \fBVLC\fR to reproduce the same behaviour without using
213\fBzzuf\fR:
214.PP
215\fB    zzuf -c -s 87423 -r 0.01 vlc movie.avi\fR
216\fB    zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR
217\fB    vlc fuzzy-movie.avi\fR
218.PP
219Fuzz 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.02\fR) with seeds 0 to 9999
220(\fB\-s\ 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
221launching up to three simultaneous child processes (\fB\-F\ 3\fR), killing
222\fBMPlayer\fR if it takes more than one minute to read the file (\fB\-T\ 60\fR)
223and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
224.PP
225\fB    zzuf -c -r 0.02 -q -s 0:10000 -F 3 -T 60 -S \\\fR
226\fB      mplayer -- -benchmark -vo null -fps 1000 movie.avi\fR
227.SH RESTRICTIONS
228.PP
229Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR on most
230Unix systems, \fBDYLD_INSERT_LIBRARIES\fR on Mac OS X) to run its child
231processes, it will fail in the presence of any mechanism that disables
232preloading. For instance setuid root binaries will not be fuzzed when run
233as an unprivileged user.
234.PP
235Though best efforts are made, identical behaviour for different versions of
236\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
237different operating systems and with different target programs is only
238guaranteed when the same version of \fBzzuf\fR is being used.
239.SH BUGS
240.PP
241It is not yet possible to insert or drop bytes from the input, to fuzz
242according to the file format, to swap bytes, etc. More advanced fuzzing
243methods are planned.
244.PP
245As of now, \fBzzuf\fR does not really support multithreaded applications. The
246behaviour with multithreaded applications where more than one thread does file
247descriptor operations is undefined.
248.SH NOTES
249In order to intercept file and network operations and signal handlers,
250\fBzzuf\fR diverts and reimplements the following functions:
251.TP
252Unix low-level file and socket handling:
253\fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBaccept\fR(), \fBsocket\fR(),
254\fBclose\fR()
255.TP
256Standard IO streams:
257\fBfopen\fR(), \fBfseek\fR(), \fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(),
258\fBfgets\fR(), \fBungetc\fR(), \fBfclose\fR()
259.TP
260GNU libc specific:
261\fBopen64\fR(), \fBlseek64\fR(), \fBgetline\fR(), \fBgetdelim\fR(),
262\fB__getdelim\fR()
263.TP
264BSD specific:
265\fBfgetln\fR()
266.TP
267Signal handling:
268\fBsignal\fR(), \fBsigaction\fR()
269.PP
270If an application manipulates file descriptors (reading data, seeking around)
271using functions that are not in that list, \fBzzuf\fR will not fuzz its
272input consistently and the results should not be trusted. You can use a tool
273such as \fBltrace(1)\fR on Linux to know the missing functions.
274.PP
275One important unimplemented function is \fBfscanf\fR(), mostly because of its
276complexity. Missing functions will be implemented based upon user request.
277.SH HISTORY
278.PP
279\fBZzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
280multimedia stream corrupter used to find bugs in the \fBVLC\fR media player.
281.SH AUTHOR
282.PP
283Copyright \(co 2002, 2007 Sam Hocevar <sam@zoy.org>.
284.PP
285\fBZzuf\fR and this manual page are free software. They come without any
286warranty, to the extent permitted by applicable law. You can redistribute
287them and/or modify them under the terms of the Do What The Fuck You Want
288To Public License, Version 2, as published by Sam Hocevar. See
289\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
290.PP
291\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.