source: zzuf/trunk/doc/zzuf.1 @ 1682

Last change on this file since 1682 was 1682, checked in by Sam Hocevar, 14 years ago
  • Suggest jot instead of seq in the examples.
File size: 14.8 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-AcdiMnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fIstart:stop\fR]
6.br
7                   [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
8.br
9                   [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
10.br
11                   [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-V\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
19file and network operations and changing random bits in the program's input.
20\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBzzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard error channel, eg:
26.PP
27\fB    zzuf cat /dev/zero\fR
28.PP
29If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
30marker before them on the command line (otherwise \fBzzuf\fR will try to
31interpret them as arguments for itself), eg:
32.PP
33\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
34.PP
35When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
36if the \fBcat\fR utility had been called:
37.PP
38\fB    zzuf < /dev/zero\fR
39.SH OPTIONS
40.TP
41\fB\-A\fR, \fB\-\-autoinc\fR
42Increment random seed each time a new file is opened. This is only required
43if one instance of the application is expected to open the same file several
44times and you want to test a different seed each time.
45.TP
46\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
47Automatically terminate child processes that output more than \fIn\fR bytes
48on the standard output and standard error channels. This is useful to detect
49infinite loops. See also the \fB\-T\fR flag.
50.TP
51\fB\-c\fR, \fB\-\-cmdline\fR
52Only fuzz files whose name is specified in the target application's command
53line. This is mostly a shortcut to avoid specifying twice the argument:
54
55\fB    zzuf \-c cat file.txt\fR
56
57has the same effect as
58
59\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
60
61See the \fB\-I\fR flag for more information on restricting fuzzing to
62specific files.
63.TP
64\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
65Stop forking when at least \fIn\fR children have crashed. The default value
66is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A process
67is considered to have crashed if any signal (such as, but not limited to,
68\fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
69also include processes that exit with a non-zero status.
70
71This option is only relevant if the \fB\-s\fR flag is used with a range
72argument.
73.TP
74\fB\-d\fR, \fB\-\-debug\fR
75Activate the display of debug messages.
76.TP
77\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
78Do not launch more than one process every \fIdelay\fR seconds. This option
79should be used together with \fB\-F\fR to avoid fork bombs.
80.TP
81\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
82Do not fuzz files whose name matches the \fIregex\fR regular expression. This
83option supersedes anything that is specified by the \fB\-I\fR flag. Use this
84for instance if you are unsure of what files your application is going to read
85and do not want it to fuzz files in the \fB/etc\fR directory.
86
87Multiple \fB\-E\fR flags can be specified, in which case files matching any one
88of the regular expressions will be ignored.
89.TP
90\fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
91Specify the number of simultaneous children that can be run.
92
93This option is only relevant if the \fB\-s\fR flag is used with a range
94argument. See also the \fB\-D\fR flag.
95.TP
96\fB\-i\fR, \fB\-\-stdin\fR
97Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
98.TP
99\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
100Only fuzz files whose name matches the \fIregex\fR regular expression. Use
101this for instance if your application reads configuration files at startup
102and you only want specific files to be fuzzed.
103
104Multiple \fB\-I\fR flags can be specified, in which case files matching any one
105of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
106.TP
107\fB\-m\fR, \fB\-\-md5\fR
108Instead of displaying the program's \fIstandard output\fR, just print its MD5
109digest to \fBzzuf\fR's standard output. The standard error channel is left
110untouched.
111.TP
112\fB\-M\fR, \fB\-\-max-memory\fR=\fImegabytes\fR
113Specify the maximum amount of memory, in megabytes, that children are allowed
114to allocate. This is useful to detect infinite loops that eat up a lot of
115memory. The value should set reasonably high so as not to interfer with normal
116program operation.
117
118\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
119relies on the operating system's ability to enforce such limitations.
120.TP
121\fB\-n\fR, \fB\-\-network\fR
122Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
123.TP
124\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
125Protect a list of characters so that if they appear in input data that would
126normally be fuzzed, they are left unmodified instead.
127
128Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
129The sequences interpreted by \fBzzuf\fR are:
130.RS
131.TP
132\fB\\n\fR
133new line
134.TP
135\fB\\r\fR
136return
137.TP
138\fB\\t\fR
139tabulation
140.TP
141\fB\\\fR\fINNN\fR
142the byte whose octal value is \fINNN\fR
143.TP
144\fB\\x\fR\fINN\fR
145the byte whose hexadecimal value is \fINN\fR
146.TP
147\fB\\\\\fR
148backslash (\(oq\\\(cq)
149.RE
150.IP
151You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
152bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001\-/\(dq\fR\(cq.
153
154The statistical outcome of this option should not be overlooked: if characters
155are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
156on the data being fuzzed. For instance, asking to fuzz 1% of input bits
157(\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
158result in an actual average fuzzing ratio of 0.9% with truly random data,
1590.3% with random ASCII data and 0.2% with standard English text.
160
161See also the \fB\-R\fR flag.
162.TP
163\fB\-q\fR, \fB\-\-quiet\fR
164Hide the output of the fuzzed application. This is useful if the application
165is very verbose but only its exit code or signaled status is really useful to
166you.
167.TP
168\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
169.PD 0
170.TP
171\fB\-r\fR, \fB\-\-ratio\fR=\fIstart:stop\fR
172.PD
173Specify the proportion of bits that will be randomly fuzzed. A value of 0
174will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
175bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
176the input files undiscernible from random data. The default fuzzing ratio
177is 0.004 (fuzz 0.4% of the files' bits).
178
179A range can also be specified. When doing so, \fBzzuf\fR will pick ratio
180values from the interval. This is only meaningful if the argument given to
181the \fB\-s\fR flag is also a range.
182.TP
183\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
184Refuse a list of characters by not fuzzing bytes that would otherwise be
185changed to a character that is in \fIlist\fR. If the original byte is already
186in \fIlist\fR, it is left unchanged.
187
188See the \fB\-P\fR option for a description of \fIlist\fR.
189.TP
190\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
191.PD 0
192.TP
193\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
194.PD
195Specify the random seed to use for fuzzing, or a range of random seeds.
196Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
197the same way, even with a different target application. The purpose of this is
198to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
199causes the target application to crash.
200
201If a range is specified, \fBzzuf\fR will run the application several times,
202each time with a different seed, and report the behaviour of each run.
203.TP
204\fB\-S\fR, \fB\-\-signal\fR
205Prevent children from installing signal handlers for signals that usually
206cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
207\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
208platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
209\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
210simply crash. If you do not want core dumps, you should set appropriate limits
211with the \fBlimit coredumpsize\fR command. See your shell's documentation on
212how to set such limits.
213.TP
214\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
215Automatically terminate child processes that run for more than \fIn\fR
216seconds. This is useful to detect infinite loops or processes stuck in other
217situations. See also the \fB\-B\fR flag.
218.TP
219\fB\-v\fR, \fB\-\-verbose\fR
220Print information during the run, such as the current seed, what processes
221get run, their exit status, etc.
222.TP
223\fB\-x\fR, \fB\-\-check\-exit\fR
224Report processes that exit with a non-zero status. By default only processes
225that crash due to a signal are reported.
226.TP
227\fB\-h\fR, \fB\-\-help\fR
228Display a short help message and exit.
229.TP
230\fB\-V\fR, \fB\-\-version\fR
231Output version information and exit.
232.SH DIAGNOSTICS
233.PP
234Exit status is zero if no child process crashed. If one or several children
235crashed, \fBzzuf\fR exits with status 1.
236.SH EXAMPLES
237.PP
238Fuzz the input of the \fBcat\fR program using default settings:
239.PP
240\fB    zzuf cat /etc/motd\fR
241.PP
242Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
243.PP
244\fB    zzuf \-s 94324 \-r 0.01 cat /etc/motd\fR
245.PP
246Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
247and prevent non-ASCII characters from appearing in the output:
248.PP
249\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
250.PP
251Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
252original input and excluding \fB.xml\fR files from fuzzing (because
253\fBconvert\fR will also open its own XML configuration files and we do not
254want \fBzzuf\fR to fuzz them):
255.PP
256\fB    zzuf \-E \(aq\\.xml$\(aq convert \-\- foo.jpeg \-format tga /dev/null\fR
257.PP
258Fuzz the input of VLC, using file \fBmovie.avi\fR as the original input
259and restricting fuzzing to filenames that appear on the command line
260(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
261can be read by VLC to reproduce the same behaviour without using
262\fBzzuf\fR:
263.PP
264\fB    zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR
265.br
266\fB    zzuf \-c \-s 87423 \-r 0.01 <movie.avi >fuzzy\-movie.avi\fR
267.br
268\fB    vlc fuzzy\-movie.avi\fR
269.PP
270Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r\ 0.001:0.02\fR)
271with seeds 0 to 9999 (\fB\-s\ 0:10000\fR), disabling its standard output
272messages (\fB\-q\fR), launching up to five simultaneous child processes
273(\fB\-F\ 5\fR) but wait at least half a second between launches
274(\fB\-D\ 0.5\fR), killing MPlayer if it takes more than one minute to
275read the file (\fB\-T\ 60\fR) and disabling its \fBSIGSEGV\fR signal handler
276(\fB\-S\fR):
277.PP
278\fB    zzuf \-c \-r 0.001:0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T 60 \-S \\\fR
279.br
280\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
281.PP
282Create an HTML-like file that loads 200 times the same \fBhello.jpg\fR image
283and open it in Firefox\(tm in auto-increment mode (\fB\-A\fR):
284.PP
285\fB    seq -f \(aq<img src="hello.jpg#%g">\(aq 1 200 > hello.html\fR
286.br
287      (or: \fBjot -w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
288.br
289\fB    zzuf -A -I \(aqhello[.]jpg\(aq -r 0.001 firefox hello.html\fR
290.SH RESTRICTIONS
291.PP
292Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
293\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
294processes, it will fail in the presence of any mechanism that disables
295preloading. For instance setuid root binaries will not be fuzzed when run
296as an unprivileged user.
297.PP
298For the same reasons, \fBzzuf\fR will also not work with statically linked
299binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
300where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
301.PP
302Though best efforts are made, identical behaviour for different versions of
303\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
304different operating systems and with different target programs is only
305guaranteed when the same version of \fBzzuf\fR is being used.
306.SH BUGS
307.PP
308\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
309.PP
310It is not yet possible to insert or drop bytes from the input, to fuzz
311according to the file format, to swap bytes, etc. More advanced fuzzing
312methods are planned.
313.PP
314As of now, \fBzzuf\fR does not really support multithreaded applications. The
315behaviour with multithreaded applications where more than one thread does file
316descriptor operations is undefined.
317.SH NOTES
318In order to intercept file and network operations, signal handlers and memory
319allocations, \fBzzuf\fR diverts and reimplements the following functions,
320which can be private libc symbols, too:
321.TP
322Unix file descriptor handling:
323\fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBreadv\fR(), \fBpread\fR(),
324\fBaccept\fR(), \fBsocket\fR(), \fBclose\fR()
325.TP
326Standard IO streams:
327\fBfopen\fR(), \fBfreopen\fR(), \fBfseek\fR(), \fBfseeko\fR(), \fBrewind\fR(),
328\fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(), \fBfgets\fR(), \fBungetc\fR(),
329\fBfclose\fR()
330.TP
331Memory management:
332\fBmmap\fR(), \fBmunmap\fR(), \fBmalloc\fR(), \fBcalloc\fR(), \fBvalloc\fR(),
333\fBfree\fR(), \fBmemalign\fR(), \fBposix_memalign\fR()
334.TP
335Linux-specific:
336\fBopen64\fR(), \fBlseek64\fR(), \fBmmap64\fR(), \fB_IO_getc\fR(),
337\fBgetline\fR(), \fBgetdelim\fR(), \fB__getdelim\fR()
338.TP
339BSD-specific:
340\fBfgetln\fR(), \fB__srefill\fR()
341.TP
342Mac OS X-specific:
343\fBmap_fd\fR()
344.TP
345Signal handling:
346\fBsignal\fR(), \fBsigaction\fR()
347.PP
348If an application manipulates file descriptors (reading data, seeking around)
349using functions that are not in that list, \fBzzuf\fR will not fuzz its
350input consistently and the results should not be trusted. You can use a tool
351such as \fBltrace(1)\fR on Linux to know the missing functions.
352.PP
353On BSD systems, such as FreeBSD or Mac OS X, \fB__srefill\fR() is enough to
354monitor all standard IO streams functions. On other systems, such as Linux,
355each function is reimplemented on a case by case basis. One important
356unimplemented function is \fBfscanf\fR(), because of its complexity. Missing
357functions will be added upon user request.
358.SH HISTORY
359.PP
360\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
361multimedia stream corrupter used to find bugs in the VLC media player.
362.SH AUTHOR
363.PP
364Copyright \(co 2002, 2007 Sam Hocevar <sam@zoy.org>.
365.PP
366\fBzzuf\fR and this manual page are free software. They come without any
367warranty, to the extent permitted by applicable law. You can redistribute
368them and/or modify them under the terms of the Do What The Fuck You Want
369To Public License, Version 2, as published by Sam Hocevar. See
370\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
371.PP
372\fBzzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.