source: zzuf/trunk/doc/zzuf.1 @ 1740

Last change on this file since 1740 was 1740, checked in by Sam Hocevar, 13 years ago
  • Handle architectures that don't have RLIMIT_AS (like OpenBSD).
File size: 16.1 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5\fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
6.br
7       [\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
8.br
9       [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
10.br
11       [\fB\-b\fR \fIranges\fR] [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
12.br
13\fBzzuf \-h\fR | \fB\-\-help\fR
14.br
15\fBzzuf \-V\fR | \fB\-\-version\fR
16.SH DESCRIPTION
17.PP
18\fBzzuf\fR is a transparent application input fuzzer. It works by intercepting
19file and network operations and changing random bits in the program's input.
20\fBzzuf\fR's behaviour is deterministic, making it easy to reproduce bugs.
21.SH USAGE
22.PP
23\fBzzuf\fR will run an application specified on its command line, one or
24several times, with optional arguments, and will report the application's
25relevant behaviour on the standard error channel, eg:
26.PP
27\fB    zzuf cat /dev/zero\fR
28.PP
29If you want to specify flags for your application, put a \(oq\fB\-\-\fR\(cq
30marker before them on the command line (otherwise \fBzzuf\fR will try to
31interpret them as arguments for itself), eg:
32.PP
33\fB    zzuf \-B 1000 cat \-\- \-v /dev/zero\fR
34.PP
35When no program is specified, \fBzzuf\fR simply fuzzes the standard input, as
36if the \fBcat\fR utility had been called:
37.PP
38\fB    zzuf < /dev/zero\fR
39.SH OPTIONS
40.TP
41\fB\-A\fR, \fB\-\-autoinc\fR
42Increment random seed each time a new file is opened. This is only required
43if one instance of the application is expected to open the same file several
44times and you want to test a different seed each time.
45.TP
46\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
47Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
48
49Range values start at zero and are inclusive. Use dashes between range values
50and commas between ranges. If the right-hand part of a range is ommited, it
51means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
52all bytes after offset 31, use \(oq\fB\-r0,3-5,31-\fR\(cq.
53
54This option is useful to preserve file headers or corrupt only a specific
55portion of a file.
56.TP
57\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
58Automatically terminate child processes that output more than \fIn\fR bytes
59on the standard output and standard error channels. This is useful to detect
60infinite loops. See also the \fB\-T\fR flag.
61.TP
62\fB\-c\fR, \fB\-\-cmdline\fR
63Only fuzz files whose name is specified in the target application's command
64line. This is mostly a shortcut to avoid specifying twice the argument:
65
66\fB    zzuf \-c cat file.txt\fR
67
68has the same effect as
69
70\fB    zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR
71
72See the \fB\-I\fR flag for more information on restricting fuzzing to
73specific files.
74.TP
75\fB\-C\fR, \fB\-\-max\-crashes\fR=\fIn\fR
76Stop forking when at least \fIn\fR children have crashed. The default value
77is 1, meaning \fBzzuf\fR will stop as soon as one child has crashed. A process
78is considered to have crashed if any signal (such as, but not limited to,
79\fBSIGSEGV\fR) caused it to exit. If the \fB\-x\fR flag is used, this will
80also include processes that exit with a non-zero status.
81
82This option is only relevant if the \fB\-s\fR flag is used with a range
83argument.
84.TP
85\fB\-d\fR, \fB\-\-debug\fR
86Activate the display of debug messages.
87.TP
88\fB\-D\fR, \fB\-\-delay\fR=\fIdelay\fR
89Do not launch more than one process every \fIdelay\fR seconds. This option
90should be used together with \fB\-F\fR to avoid fork bombs.
91.TP
92\fB\-E\fR, \fB\-\-exclude\fR=\fIregex\fR
93Do not fuzz files whose name matches the \fIregex\fR regular expression. This
94option supersedes anything that is specified by the \fB\-I\fR flag. Use this
95for instance if you are unsure of what files your application is going to read
96and do not want it to fuzz files in the \fB/etc\fR directory.
97
98Multiple \fB\-E\fR flags can be specified, in which case files matching any one
99of the regular expressions will be ignored.
100.TP
101\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
102Select how the input is fuzzed. Valid values for \fImode\fR are:
103.RS
104.TP
105\fBxor\fR
106randomly set and unset bits
107.TP
108\fBset\fR
109only set bits
110.TP
111\fBunset\fR
112only unset bits
113.RE
114.IP
115The default value for \fImode\fR is \fBxor\fR.
116.TP
117\fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
118Specify the number of simultaneous children that can be run.
119
120This option is only relevant if the \fB\-s\fR flag is used with a range
121argument. See also the \fB\-D\fR flag.
122.TP
123\fB\-i\fR, \fB\-\-stdin\fR
124Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
125.TP
126\fB\-I\fR, \fB\-\-include\fR=\fIregex\fR
127Only fuzz files whose name matches the \fIregex\fR regular expression. Use
128this for instance if your application reads configuration files at startup
129and you only want specific files to be fuzzed.
130
131Multiple \fB\-I\fR flags can be specified, in which case files matching any one
132of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
133.TP
134\fB\-m\fR, \fB\-\-md5\fR
135Instead of displaying the program's \fIstandard output\fR, just print its MD5
136digest to \fBzzuf\fR's standard output. The standard error channel is left
137untouched.
138.TP
139\fB\-M\fR, \fB\-\-max-memory\fR=\fImegabytes\fR
140Specify the maximum amount of memory, in megabytes, that children are allowed
141to allocate. This is useful to detect infinite loops that eat up a lot of
142memory. The value should set reasonably high so as not to interfer with normal
143program operation.
144
145\fBzzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
146relies on the operating system's ability to enforce such limitations. This
147option is not available on the OpenBSD system.
148.TP
149\fB\-n\fR, \fB\-\-network\fR
150Fuzz the application's network input. By default \fBzzuf\fR only fuzzes files.
151.TP
152\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
153Protect a list of characters so that if they appear in input data that would
154normally be fuzzed, they are left unmodified instead.
155
156Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
157The sequences interpreted by \fBzzuf\fR are:
158.RS
159.TP
160\fB\\n\fR
161new line
162.TP
163\fB\\r\fR
164return
165.TP
166\fB\\t\fR
167tabulation
168.TP
169\fB\\\fR\fINNN\fR
170the byte whose octal value is \fINNN\fR
171.TP
172\fB\\x\fR\fINN\fR
173the byte whose hexadecimal value is \fINN\fR
174.TP
175\fB\\\\\fR
176backslash (\(oq\\\(cq)
177.RE
178.IP
179You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
180bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
181
182The statistical outcome of this option should not be overlooked: if characters
183are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
184on the data being fuzzed. For instance, asking to fuzz 1% of input bits
185(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
186result in an actual average fuzzing ratio of 0.9% with truly random data,
1870.3% with random ASCII data and 0.2% with standard English text.
188
189See also the \fB\-R\fR flag.
190.TP
191\fB\-q\fR, \fB\-\-quiet\fR
192Hide the output of the fuzzed application. This is useful if the application
193is very verbose but only its exit code or signaled status is really useful to
194you.
195.TP
196\fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
197.PD 0
198.TP
199\fB\-r\fR, \fB\-\-ratio\fR=\fImin:max\fR
200.PD
201Specify the proportion of bits that will be randomly fuzzed. A value of 0
202will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
203bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
204the input files undiscernible from random data. The default fuzzing ratio
205is 0.004 (fuzz 0.4% of the files' bits).
206
207A range can also be specified. When doing so, \fBzzuf\fR will pick ratio
208values from the interval. The choice is deterministic and only depends on
209the interval bounds and the current seed.
210.TP
211\fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
212Refuse a list of characters by not fuzzing bytes that would otherwise be
213changed to a character that is in \fIlist\fR. If the original byte is already
214in \fIlist\fR, it is left unchanged.
215
216See the \fB\-P\fR option for a description of \fIlist\fR.
217.TP
218\fB\-s\fR, \fB\-\-seed\fR=\fIseed\fR
219.PD 0
220.TP
221\fB\-s\fR, \fB\-\-seed\fR=\fIstart:stop\fR
222.PD
223Specify the random seed to use for fuzzing, or a range of random seeds.
224Running \fBzzuf\fR twice with the same random seed will fuzz the files exactly
225the same way, even with a different target application. The purpose of this is
226to use simple utilities such as \fBcat\fR or \fBcp\fR to generate a file that
227causes the target application to crash.
228
229If a range is specified, \fBzzuf\fR will run the application several times,
230each time with a different seed, and report the behaviour of each run.
231.TP
232\fB\-S\fR, \fB\-\-signal\fR
233Prevent children from installing signal handlers for signals that usually
234cause coredumps. These signals are \fBSIGABRT\fR, \fBSIGFPE\fR, \fBSIGILL\fR,
235\fBSIGQUIT\fR, \fBSIGSEGV\fR, \fBSIGTRAP\fR and, if available on the running
236platform, \fBSIGSYS\fR, \fBSIGEMT\fR, \fBSIGBUS\fR, \fBSIGXCPU\fR and
237\fBSIGXFSZ\fR. Instead of calling the signal handler, the application will
238simply crash. If you do not want core dumps, you should set appropriate limits
239with the \fBlimit coredumpsize\fR command. See your shell's documentation on
240how to set such limits.
241.TP
242\fB\-T\fR, \fB\-\-max\-time\fR=\fIn\fR
243Automatically terminate child processes that run for more than \fIn\fR
244seconds. This is useful to detect infinite loops or processes stuck in other
245situations. See also the \fB\-B\fR flag.
246.TP
247\fB\-v\fR, \fB\-\-verbose\fR
248Print information during the run, such as the current seed, what processes
249get run, their exit status, etc.
250.TP
251\fB\-x\fR, \fB\-\-check\-exit\fR
252Report processes that exit with a non-zero status. By default only processes
253that crash due to a signal are reported.
254.TP
255\fB\-h\fR, \fB\-\-help\fR
256Display a short help message and exit.
257.TP
258\fB\-V\fR, \fB\-\-version\fR
259Output version information and exit.
260.SH DIAGNOSTICS
261.PP
262Exit status is zero if no child process crashed. If one or several children
263crashed, \fBzzuf\fR exits with status 1.
264.SH EXAMPLES
265.PP
266Fuzz the input of the \fBcat\fR program using default settings:
267.PP
268\fB    zzuf cat /etc/motd\fR
269.PP
270Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
271.PP
272\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
273.PP
274Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
275and prevent non-ASCII characters from appearing in the output:
276.PP
277\fB    zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR
278.PP
279Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the
280original input and excluding \fB.xml\fR files from fuzzing (because
281\fBconvert\fR will also open its own XML configuration files and we do not
282want \fBzzuf\fR to fuzz them):
283.PP
284\fB    zzuf \-E \(aq\\.xml$\(aq convert \-\- foo.jpeg \-format tga /dev/null\fR
285.PP
286Fuzz the input of VLC, using file \fBmovie.avi\fR as the original input
287and restricting fuzzing to filenames that appear on the command line
288(\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that
289can be read by VLC to reproduce the same behaviour without using
290\fBzzuf\fR:
291.PP
292\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
293.br
294\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
295.br
296\fB    vlc fuzzy\-movie.avi\fR
297.PP
298Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
299with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
300by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
301standard output messages (\fB\-q\fR), launching up to five simultaneous child
302processes (\fB\-F5\fR) but waiting at least half a second between launches
303(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
304read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
305(\fB\-S\fR):
306.PP
307\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-F5 \-D0.5 \-T60 \-S \\\fR
308.br
309\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
310.PP
311Create an HTML-like file that loads 200 times the same \fBhello.jpg\fR image
312and open it in Firefox\(tm in auto-increment mode (\fB\-A\fR):
313.PP
314\fB    seq -f \(aq<img src="hello.jpg#%g">\(aq 1 200 > hello.html\fR
315.br
316      (or: \fBjot -w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
317.br
318\fB    zzuf -A -I \(aqhello[.]jpg\(aq -r0.001 firefox hello.html\fR
319.PP
320Run a simple HTTP redirector on the local host using \fBsocat\fR and
321corrupt each network connection (\fB\-n\fR) in a different way (\fB\-A\fR)
322after one megabyte of data was received on it (\fB\-b1000000\-\fR):
323.PP
324\fB     zzuf \-n \-A \-b1000000\- \\\fR
325\fB       socat TCP4-LISTEN:8080,reuseaddr,fork TCP4:192.168.1.42:80\fR
326.SH RESTRICTIONS
327.PP
328Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
329\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
330processes, it will fail in the presence of any mechanism that disables
331preloading. For instance setuid root binaries will not be fuzzed when run
332as an unprivileged user.
333.PP
334For the same reasons, \fBzzuf\fR will also not work with statically linked
335binaries. Bear this in mind when using \fBzzuf\fR on the OpenBSD platform,
336where \fBcat\fR, \fBcp\fR and \fBdd\fR are static binaries.
337.PP
338Though best efforts are made, identical behaviour for different versions of
339\fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on
340different operating systems and with different target programs is only
341guaranteed when the same version of \fBzzuf\fR is being used.
342.SH BUGS
343.PP
344\fBzzuf\fR probably does not behave correctly with 64-bit offsets.
345.PP
346It is not yet possible to insert or drop bytes from the input, to fuzz
347according to the file format, to swap bytes, etc. More advanced fuzzing
348methods are planned.
349.PP
350As of now, \fBzzuf\fR does not really support multithreaded applications. The
351behaviour with multithreaded applications where more than one thread does file
352descriptor operations is undefined.
353.SH NOTES
354In order to intercept file and network operations, signal handlers and memory
355allocations, \fBzzuf\fR diverts and reimplements the following functions,
356which can be private libc symbols, too:
357.TP
358Unix file descriptor handling:
359\fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBreadv\fR(), \fBpread\fR(),
360\fBaccept\fR(), \fBsocket\fR(), \fBrecv\fR(), \fBrecvfrom\fR(), \fBrecvmsg\fR(),
361\fBaio_read\fR(), \fBaio_return\fR(), \fBclose\fR()
362.TP
363Standard IO streams:
364\fBfopen\fR(), \fBfreopen\fR(), \fBfseek\fR(), \fBfseeko\fR(), \fBrewind\fR(),
365\fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(), \fBfgets\fR(), \fBungetc\fR(),
366\fBfclose\fR()
367.TP
368Memory management:
369\fBmmap\fR(), \fBmunmap\fR(), \fBmalloc\fR(), \fBcalloc\fR(), \fBvalloc\fR(),
370\fBfree\fR(), \fBmemalign\fR(), \fBposix_memalign\fR()
371.TP
372Linux-specific:
373\fBopen64\fR(), \fBlseek64\fR(), \fBmmap64\fR(), \fB_IO_getc\fR(),
374\fBgetline\fR(), \fBgetdelim\fR(), \fB__getdelim\fR()
375.TP
376BSD-specific:
377\fBfgetln\fR(), \fB__srefill\fR()
378.TP
379Mac OS X-specific:
380\fBmap_fd\fR()
381.TP
382Signal handling:
383\fBsignal\fR(), \fBsigaction\fR()
384.PP
385If an application manipulates file descriptors (reading data, seeking around)
386using functions that are not in that list, \fBzzuf\fR will not fuzz its
387input consistently and the results should not be trusted. You can use a tool
388such as \fBltrace(1)\fR on Linux to know the missing functions.
389.PP
390On BSD systems, such as FreeBSD or Mac OS X, \fB__srefill\fR() is enough to
391monitor all standard IO streams functions. On other systems, such as Linux,
392each function is reimplemented on a case by case basis. One important
393unimplemented function is \fBfscanf\fR(), because of its complexity. Missing
394functions will be added upon user request.
395.SH HISTORY
396.PP
397\fBzzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small
398multimedia stream corrupter used to find bugs in the VLC media player.
399.SH AUTHOR
400.PP
401Copyright \(co 2002, 2007 Sam Hocevar <sam@zoy.org>.
402.PP
403\fBzzuf\fR and this manual page are free software. They come without any
404warranty, to the extent permitted by applicable law. You can redistribute
405them and/or modify them under the terms of the Do What The Fuck You Want
406To Public License, Version 2, as published by Sam Hocevar. See
407\fBhttp://sam.zoy.org/wtfpl/COPYING\fR for more details.
408.PP
409\fBzzuf\fR's webpage can be found at \fBhttp://sam.zoy.org/zzuf/\fR.
Note: See TracBrowser for help on using the repository browser.