source: zzuf/trunk/doc/zzuf.1 @ 1616

Last change on this file since 1616 was 1616, checked in by Sam Hocevar, 14 years ago
  • Documented stdin behaviour.
File size: 12.2 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdinqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
6.br
7               [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
8.br
9               [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
10.br
11               [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fIARGS\fR]...]
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-v\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBZzuf\fR is a transparent application input fuzzer. It works by intercepting
19file and network operations and changing random bits in the program's input.
20\fBZzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBZzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard output, eg:
26.PP
27\fB    zzuf cat /dev/zero\fR
28.PP
29If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
30marker before them on the command line (otherwise \fBzzuf\fR will try to
31interpret them as arguments for itself), eg:
32.PP
33\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
34.PP
35When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
36if the \fBcat\fR utility had been called:
37.PP
38\fB    zzuf < /dev/zero\fR
39.SH OPTIONS
40.TP
41\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
42Automatically terminate child processes that output more than \fIn\fR bytes
43on the standard output and standard error channels. This is useful to detect
44infinite loops. See also the \fB\-T\fR flag.
45.TP
46\fB\-c\fR, \fB\-\-cmdline\fR
47Only fuzz files whose name is specified in the target application's command
48line. This is mostly a shortcut to avoid specifiying twice the argument:
49
50\fB    zzuf \-c cat file.txt\fR
51
52has the same effect as
53
54\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
55
56See the \fB\-I\fR flag for more information on restricting fuzzing to
57specific files.
58.TP
59\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
60Stop forking when at least \fIn\fR children have crashed. The default value
61is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A process
62is considered to have crashed if any signal (such as, but not limited to,
63\fBSIGSEGV\fR) caused it to exit.
64
65This option is only relevant if the \fB\-s\fR flag is used with an interval
66argument.
67.TP
68\fB\-d\fR, \fB\-\-debug\fR
69Activate the display of debug messages.
70.TP
71\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
72Do not fuzz files whose name matches the \fIregex\fR regular expression. This
73option supersedes anything that is specified by the \fB\-I\fR flag. Use this
74for instance if you are unsure of what files your application is going to read
75and do not want it to fuzz files in the \fB/etc\fR directory.
76
77Multiple \fB\-E\fR flags can be specified, in which case files matching any one
78of the regular expressions will be ignored.
79.TP
80\fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
81Specify the number of simultaneous children that can be run.
82
83This option is only relevant if the \fB\-s\fR flag is used with an interval
84argument.
85.TP
86\fB\-i\fR, \fB\-\-stdin\fR
87Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
88.TP
89\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
90Only fuzz files whose name matches the \fIregex\fR regular expression. Use
91this for instance if your application reads configuration files at startup
92and you only want specific files to be fuzzed.
93
94Multiple \fB\-I\fR flags can be specified, in which case files matching any one
95of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
96.TP
97\fB\-n\fR, \fB\-\-network\fR
98Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
99.TP
100\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
101Protect a list of characters so that if they appear in input data that would
102normally be fuzzed, they are left unmodified instead.
103
104Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
105The sequences interpreted by \fBzzuf\fR are:
106.RS
107.TP
108\fB\\n\fR
109new line
110.TP
111\fB\\r\fR
112return
113.TP
114\fB\\t\fR
115tabulation
116.TP
117\fB\\\fR\fINNN\fR
118the byte whose octal value is \fINNN\fR
119.TP
120\fB\\x\fR\fINN\fR
121the byte whose hexadecimal value is \fINN\fR
122.TP
123\fB\\\\\fR
124backslash (\(oq\\\(cq)
125.RE
126.IP
127You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
128bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001\-/\(dq\fR\(cq.
129
130The statistical outcome of this option should not be overlooked: if characters
131are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
132on the data being fuzzed. For instance, asking to fuzz 1% of input bits
133(\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
134result in an actual average fuzzing ratio of 0.9% with truly random data,
1350.3% with random ASCII data and 0.2% with standard English text.
136
137See also the \fB\-R\fR flag.
138.TP
139\fB\-q\fR, \fB\-\-quiet\fR
140Hide the output of the fuzzed application. This is useful if the application
141is very verbose but only its exit code or signaled status is really useful to
142you.
143.TP
144\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
145Specify the proportion of bits that will be randomly fuzzed. A value of 0
146will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
147bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
148the input files undiscernible from random data. The default fuzzing ratio
149is 0.004 (fuzz 0.4% of the files' bits).
150.TP
151\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
152Refuse a list of characters by not fuzzing bytes that would otherwise be
153changed to a character that is in \fIlist\fR. If the original byte is already
154in \fIlist\fR, it is left unchanged.
155
156See the \fB\-P\fR option for a description of \fIlist\fR.
157.TP
158\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
159.PD 0
160.TP
161\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
162.PD
163Specify the random seed to use for fuzzing, or an interval of random seeds.
164Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
165the same way, even with a different target application. The purpose of this is
166to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
167causes the target application to crash.
168
169If an interval is specified, \fBzzuf\fR will run the application several times,
170each time with a different seed, and report the behaviour of each run.
171.TP
172\fB\-S\fR, \fB\-\-signal\fR
173Prevent children from installing signal handlers for signals that usually
174cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
175\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
176platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
177\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
178simply crash. If you do not want core dumps, you should set appropriate limits
179with the \fBlimit coredumpsize\fR command. See your shell's documentation on
180how to set such limits.
181.TP
182\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
183Automatically terminate child processes that run for more than \fIn\fR
184seconds. This is useful to detect infinite loops or processes stuck in other
185situations. See also the \fB\-B\fR flag.
186.TP
187\fB\-h\fR, \fB\-\-help\fR
188Display a short help message and exit.
189.TP
190\fB\-v\fR, \fB\-\-version\fR
191Output version information and exit.
192.SH EXAMPLES
193.PP
194Fuzz the input of the \fBcat\fR program using default settings:
195.PP
196\fB    zzuf cat /etc/motd\fR
197.PP
198Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
199.PP
200\fB    zzuf \-s 94324 \-r 0.01 cat /etc/motd\fR
201.PP
202Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
203and prevent non-ASCII characters from appearing in the output:
204.PP
205\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
206.PP
207Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
208original input and excluding \fB.xml\fR files from fuzzing (because
209\fBconvert\fR will also open its own XML configuration files and we do not
210want \fBzzuf\fR to fuzz them):
211.PP
212\fB    zzuf \-E \(aq\\.xml$\(aq convert \-\- foo.jpeg \-format tga /dev/null\fR
213.PP
214Fuzz the input of \fBVLC\fR, using file \fBmovie.avi\fR as the original input
215and restricting fuzzing to filenames that appear on the command line
216(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
217can be read by \fBVLC\fR to reproduce the same behaviour without using
218\fBzzuf\fR:
219.PP
220\fB    zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR
221\fB    zzuf \-c \-s 87423 \-r 0.01 cp movie.avi fuzzy\-movie.avi\fR
222\fB    vlc fuzzy\-movie.avi\fR
223.PP
224Fuzz 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.02\fR) with seeds 0 to 9999
225(\fB\-s\ 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
226launching up to three simultaneous child processes (\fB\-F\ 3\fR), killing
227\fBMPlayer\fR if it takes more than one minute to read the file (\fB\-T\ 60\fR)
228and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
229.PP
230\fB    zzuf \-c \-r 0.02 \-q \-s 0:10000 \-F 3 \-T 60 \-S \\\fR
231\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
232.SH RESTRICTIONS
233.PP
234Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR on most
235Unix systems, \fBDYLD_INSERT_LIBRARIES\fR on Mac OS X) to run its child
236processes, it will fail in the presence of any mechanism that disables
237preloading. For instance setuid root binaries will not be fuzzed when run
238as an unprivileged user.
239.PP
240For the same reasons, \fBzzuf\fR will also not work with statically linked
241binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
242where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
243.PP
244Though best efforts are made, identical behaviour for different versions of
245\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
246different operating systems and with different target programs is only
247guaranteed when the same version of \fBzzuf\fR is being used.
248.SH BUGS
249.PP
250\fBZzuf\fR probably does not behave correctly with 64-bit offsets.
251.PP
252It is not yet possible to insert or drop bytes from the input, to fuzz
253according to the file format, to swap bytes, etc. More advanced fuzzing
254methods are planned.
255.PP
256As of now, \fBzzuf\fR does not really support multithreaded applications. The
257behaviour with multithreaded applications where more than one thread does file
258descriptor operations is undefined.
259.SH NOTES
260In order to intercept file and network operations and signal handlers,
261\fBzzuf\fR diverts and reimplements the following functions, which can
262be private libc symbols, too:
263.TP
264Unix file descriptor handling:
265\fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBaccept\fR(), \fBsocket\fR(),
266\fBmmap\fR(), \fBmunmap\fR(), \fBclose\fR()
267.TP
268Standard IO streams:
269\fBfopen\fR(), \fBfseek\fR(), \fBfseeko\fR(), \fBrewind\fR(), \fBfread\fR(),
270\fBgetc\fR(), \fBfgetc\fR(), \fBfgets\fR(), \fBungetc\fR(), \fBfclose\fR()
271.TP
272Linux-specific:
273\fBopen64\fR(), \fBlseek64\fR(), \fBmmap64\fR(), \fB_IO_getc\fR(),
274\fBgetline\fR(), \fBgetdelim\fR(), \fB__getdelim\fR()
275.TP
276BSD-specific:
277\fBfgetln\fR(), \fB__srefill\fR()
278.TP
279Signal handling:
280\fBsignal\fR(), \fBsigaction\fR()
281.PP
282If an application manipulates file descriptors (reading data, seeking around)
283using functions that are not in that list, \fBzzuf\fR will not fuzz its
284input consistently and the results should not be trusted. You can use a tool
285such as \fBltrace(1)\fR on Linux to know the missing functions.
286.PP
287On some systems, such as FreeBSD, \fB__srefill\fR() is enough to monitor all
288standard IO streams functions. On other systems each function needs to be
289reimplemented on a case by case basis. One important unimplemented function
290is \fBfscanf\fR(), because of its complexity. Missing functions will be
291implemented based upon user request.
292.SH HISTORY
293.PP
294\fBZzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
295multimedia stream corrupter used to find bugs in the \fBVLC\fR media player.
296.SH AUTHOR
297.PP
298Copyright \(co 2002, 2007 Sam Hocevar <sam@zoy.org>.
299.PP
300\fBZzuf\fR and this manual page are free software. They come without any
301warranty, to the extent permitted by applicable law. You can redistribute
302them and/or modify them under the terms of the Do What The Fuck You Want
303To Public License, Version 2, as published by Sam Hocevar. See
304\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
305.PP
306\fBZzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.