source: zzuf/trunk/doc/zzuf.1 @ 1660

Last change on this file since 1660 was 1660, checked in by Sam Hocevar, 14 years ago
  • Implemented -D/--delay to avoid fork bombs.
File size: 13.6 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-cdiMnqSx\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR]
6.br
7                 [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
8.br
9                 [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
10.br
11                 [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-v\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
19file and network operations and changing random bits in the program's input.
20\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBzzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard output, eg:
26.PP
27\fB    zzuf cat /dev/zero\fR
28.PP
29If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
30marker before them on the command line (otherwise \fBzzuf\fR will try to
31interpret them as arguments for itself), eg:
32.PP
33\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
34.PP
35When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
36if the \fBcat\fR utility had been called:
37.PP
38\fB    zzuf < /dev/zero\fR
39.SH OPTIONS
40.TP
41\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
42Automatically terminate child processes that output more than \fIn\fR bytes
43on the standard output and standard error channels. This is useful to detect
44infinite loops. See also the \fB\-T\fR flag.
45.TP
46\fB\-c\fR, \fB\-\-cmdline\fR
47Only fuzz files whose name is specified in the target application's command
48line. This is mostly a shortcut to avoid specifying twice the argument:
49
50\fB    zzuf \-c cat file.txt\fR
51
52has the same effect as
53
54\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
55
56See the \fB\-I\fR flag for more information on restricting fuzzing to
57specific files.
58.TP
59\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
60Stop forking when at least \fIn\fR children have crashed. The default value
61is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A process
62is considered to have crashed if any signal (such as, but not limited to,
63\fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
64also include processes that exit with a non-zero status.
65
66This option is only relevant if the \fB\-s\fR flag is used with an interval
67argument.
68.TP
69\fB\-d\fR, \fB\-\-debug\fR
70Activate the display of debug messages.
71.TP
72\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
73Do not launch more than one process every \fIdelay\fR seconds. This option
74should be used together with \fB\-F\fR to avoid fork bombs.
75.TP
76\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
77Do not fuzz files whose name matches the \fIregex\fR regular expression. This
78option supersedes anything that is specified by the \fB\-I\fR flag. Use this
79for instance if you are unsure of what files your application is going to read
80and do not want it to fuzz files in the \fB/etc\fR directory.
81
82Multiple \fB\-E\fR flags can be specified, in which case files matching any one
83of the regular expressions will be ignored.
84.TP
85\fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
86Specify the number of simultaneous children that can be run.
87
88This option is only relevant if the \fB\-s\fR flag is used with an interval
89argument. See also the \fB\-D\fR flag.
90.TP
91\fB\-i\fR, \fB\-\-stdin\fR
92Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
93.TP
94\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
95Only fuzz files whose name matches the \fIregex\fR regular expression. Use
96this for instance if your application reads configuration files at startup
97and you only want specific files to be fuzzed.
98
99Multiple \fB\-I\fR flags can be specified, in which case files matching any one
100of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
101.TP
102\fB\-m\fR, \fB\-\-md5\fR
103Instead of displaying the program's standard output, just print the MD5 digest
104of that output. The standard error channel is left untouched.
105.TP
106\fB\-M\fR, \fB\-\-max-memory\fR=\fImegabytes\fR
107Specify the maximum amount of memory, in megabytes, that children are allowed
108to allocate. This is useful to detect infinite loops that eat up a lot of
109memory. The value should set reasonably high so as not to interfer with normal
110program operation.
111
112\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
113relies on the operating system's ability to enforce such limitations.
114.TP
115\fB\-n\fR, \fB\-\-network\fR
116Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
117.TP
118\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
119Protect a list of characters so that if they appear in input data that would
120normally be fuzzed, they are left unmodified instead.
121
122Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
123The sequences interpreted by \fBzzuf\fR are:
124.RS
125.TP
126\fB\\n\fR
127new line
128.TP
129\fB\\r\fR
130return
131.TP
132\fB\\t\fR
133tabulation
134.TP
135\fB\\\fR\fINNN\fR
136the byte whose octal value is \fINNN\fR
137.TP
138\fB\\x\fR\fINN\fR
139the byte whose hexadecimal value is \fINN\fR
140.TP
141\fB\\\\\fR
142backslash (\(oq\\\(cq)
143.RE
144.IP
145You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
146bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001\-/\(dq\fR\(cq.
147
148The statistical outcome of this option should not be overlooked: if characters
149are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
150on the data being fuzzed. For instance, asking to fuzz 1% of input bits
151(\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
152result in an actual average fuzzing ratio of 0.9% with truly random data,
1530.3% with random ASCII data and 0.2% with standard English text.
154
155See also the \fB\-R\fR flag.
156.TP
157\fB\-q\fR, \fB\-\-quiet\fR
158Hide the output of the fuzzed application. This is useful if the application
159is very verbose but only its exit code or signaled status is really useful to
160you.
161.TP
162\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
163Specify the proportion of bits that will be randomly fuzzed. A value of 0
164will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
165bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
166the input files undiscernible from random data. The default fuzzing ratio
167is 0.004 (fuzz 0.4% of the files' bits).
168.TP
169\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
170Refuse a list of characters by not fuzzing bytes that would otherwise be
171changed to a character that is in \fIlist\fR. If the original byte is already
172in \fIlist\fR, it is left unchanged.
173
174See the \fB\-P\fR option for a description of \fIlist\fR.
175.TP
176\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
177.PD 0
178.TP
179\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
180.PD
181Specify the random seed to use for fuzzing, or an interval of random seeds.
182Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
183the same way, even with a different target application. The purpose of this is
184to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
185causes the target application to crash.
186
187If an interval is specified, \fBzzuf\fR will run the application several times,
188each time with a different seed, and report the behaviour of each run.
189.TP
190\fB\-S\fR, \fB\-\-signal\fR
191Prevent children from installing signal handlers for signals that usually
192cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
193\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
194platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
195\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
196simply crash. If you do not want core dumps, you should set appropriate limits
197with the \fBlimit coredumpsize\fR command. See your shell's documentation on
198how to set such limits.
199.TP
200\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
201Automatically terminate child processes that run for more than \fIn\fR
202seconds. This is useful to detect infinite loops or processes stuck in other
203situations. See also the \fB\-B\fR flag.
204.TP
205\fB\-x\fR, \fB\-\-check\-exit\fR
206Report processes that exit with a non-zero status. By default only processes
207that crash due to a signal are reported.
208.TP
209\fB\-h\fR, \fB\-\-help\fR
210Display a short help message and exit.
211.TP
212\fB\-v\fR, \fB\-\-version\fR
213Output version information and exit.
214.SH EXAMPLES
215.PP
216Fuzz the input of the \fBcat\fR program using default settings:
217.PP
218\fB    zzuf cat /etc/motd\fR
219.PP
220Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
221.PP
222\fB    zzuf \-s 94324 \-r 0.01 cat /etc/motd\fR
223.PP
224Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
225and prevent non-ASCII characters from appearing in the output:
226.PP
227\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
228.PP
229Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
230original input and excluding \fB.xml\fR files from fuzzing (because
231\fBconvert\fR will also open its own XML configuration files and we do not
232want \fBzzuf\fR to fuzz them):
233.PP
234\fB    zzuf \-E \(aq\\.xml$\(aq convert \-\- foo.jpeg \-format tga /dev/null\fR
235.PP
236Fuzz the input of \fBVLC\fR, using file \fBmovie.avi\fR as the original input
237and restricting fuzzing to filenames that appear on the command line
238(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
239can be read by \fBVLC\fR to reproduce the same behaviour without using
240\fBzzuf\fR:
241.PP
242\fB    zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR
243\fB    zzuf \-c \-s 87423 \-r 0.01 <movie.avi >fuzzy\-movie.avi\fR
244\fB    vlc fuzzy\-movie.avi\fR
245.PP
246Fuzz 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.02\fR) with seeds 0 to 9999
247(\fB\-s\ 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
248launching up to five simultaneous child processes (\fB\-F\ 5\fR) but wait at
249least half a second between launches (\fB\-D\ 0.5\fR), killing \fBMPlayer\fR
250if it takes more than one minute to read the file (\fB\-T\ 60\fR) and
251disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
252.PP
253\fB    zzuf \-c \-r 0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T 60 \-S \\\fR
254\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
255.SH RESTRICTIONS
256.PP
257Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
258\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
259processes, it will fail in the presence of any mechanism that disables
260preloading. For instance setuid root binaries will not be fuzzed when run
261as an unprivileged user.
262.PP
263For the same reasons, \fBzzuf\fR will also not work with statically linked
264binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
265where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
266.PP
267Though best efforts are made, identical behaviour for different versions of
268\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
269different operating systems and with different target programs is only
270guaranteed when the same version of \fBzzuf\fR is being used.
271.SH BUGS
272.PP
273\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
274.PP
275It is not yet possible to insert or drop bytes from the input, to fuzz
276according to the file format, to swap bytes, etc. More advanced fuzzing
277methods are planned.
278.PP
279As of now, \fBzzuf\fR does not really support multithreaded applications. The
280behaviour with multithreaded applications where more than one thread does file
281descriptor operations is undefined.
282.SH NOTES
283In order to intercept file and network operations, signal handlers and memory
284allocations, \fBzzuf\fR diverts and reimplements the following functions,
285which can be private libc symbols, too:
286.TP
287Unix file descriptor handling:
288\fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBaccept\fR(), \fBsocket\fR(),
289\fBclose\fR()
290.TP
291Standard IO streams:
292\fBfopen\fR(), \fBfreopen\fR(), \fBfseek\fR(), \fBfseeko\fR(), \fBrewind\fR(),
293\fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(), \fBfgets\fR(), \fBungetc\fR(),
294\fBfclose\fR()
295.TP
296Memory management:
297\fBmmap\fR(), \fBmunmap\fR(), \fBmalloc\fR(), \fBcalloc\fR(), \fBvalloc\fR(),
298\fBfree\fR(), \fBmemalign\fR(), \fBposix_memalign\fR()
299.TP
300Linux-specific:
301\fBopen64\fR(), \fBlseek64\fR(), \fBmmap64\fR(), \fB_IO_getc\fR(),
302\fBgetline\fR(), \fBgetdelim\fR(), \fB__getdelim\fR()
303.TP
304BSD-specific:
305\fBfgetln\fR(), \fB__srefill\fR()
306.TP
307Mac OS X-specific:
308\fBmap_fd\fR()
309.TP
310Signal handling:
311\fBsignal\fR(), \fBsigaction\fR()
312.PP
313If an application manipulates file descriptors (reading data, seeking around)
314using functions that are not in that list, \fBzzuf\fR will not fuzz its
315input consistently and the results should not be trusted. You can use a tool
316such as \fBltrace(1)\fR on Linux to know the missing functions.
317.PP
318On BSD systems, such as FreeBSD or Mac OS X, \fB__srefill\fR() is enough to
319monitor all standard IO streams functions. On other systems, such as Linux,
320each function is reimplemented on a case by case basis. One important
321unimplemented function is \fBfscanf\fR(), because of its complexity. Missing
322functions will be added upon user request.
323.SH HISTORY
324.PP
325\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
326multimedia stream corrupter used to find bugs in the \fBVLC\fR media player.
327.SH AUTHOR
328.PP
329Copyright \(co 2002, 2007 Sam Hocevar <sam@zoy.org>.
330.PP
331\fBzzuf\fR and this manual page are free software. They come without any
332warranty, to the extent permitted by applicable law. You can redistribute
333them and/or modify them under the terms of the Do What The Fuck You Want
334To Public License, Version 2, as published by Sam Hocevar. See
335\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
336.PP
337\fBzzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.