- Timestamp:
- Jan 7, 2007, 4:55:24 PM (14 years ago)
- File: 1 edited
zzuf/trunk/doc/zzuf.1
r1597 r1607 73 73 of the regular expressions will be ignored. 74 74 .TP 75 \fB\-F\fR, \fB\-\-max -forks\fR=\fIforks\fR75 \fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR 76 76 Specify the number of simultaneous children that can be run. 77 77 … … 120 120 .RE 121 121 .IP 122 You can use \(oq\fB -\fR\(cq to specify ranges. For instance, to protect all123 bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001 -/\(dq\fR\(cq.122 You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all 123 bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001\-/\(dq\fR\(cq. 124 124 125 125 The statistical outcome of this option should not be overlooked: if characters 126 126 are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending 127 127 on the data being fuzzed. For instance, asking to fuzz 1% of input bits 128 (\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a -z\fR) will128 (\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will 129 129 result in an actual average fuzzing ratio of 0.9% with truly random data, 130 130 0.3% with random ASCII data and 0.2% with standard English text. 
… … 193 193 Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324: 194 194 .PP 195 \fB zzuf -s 94324-r 0.01 cat /etc/motd\fR195 \fB zzuf \-s 94324 \-r 0.01 cat /etc/motd\fR 196 196 .PP 197 197 Fuzz the input of the \fBcat\fR program but do not fuzz newline characters 198 198 and prevent non-ASCII characters from appearing in the output: 199 199 .PP 200 \fB zzuf -P \(aq\\n\(aq -R \(aq\\x00-\\x1f\\x7f-\\xff\(aq cat /etc/motd\fR200 \fB zzuf \-P \(aq\\n\(aq \-R \(aq\\x00\-\\x1f\\x7f\-\\xff\(aq cat /etc/motd\fR 201 201 .PP 202 202 Fuzz the input of the \fBconvert\fR program, using file \fBfoo.jpeg\fR as the … … 205 205 want \fBzzuf\fR to fuzz them): 206 206 .PP 207 \fB zzuf -E \(aq\\.xml$\(aq convert -- foo.jpeg-format tga /dev/null\fR207 \fB zzuf \-E \(aq\\.xml$\(aq convert \-\- foo.jpeg \-format tga /dev/null\fR 208 208 .PP 209 209 Fuzz the input of \fBVLC\fR, using file \fBmovie.avi\fR as the original input 210 210 and restricting fuzzing to filenames that appear on the command line 211 (\fB\-c\fR), then generate \fBfuzzy -movie.avi\fR which is a file that211 (\fB\-c\fR), then generate \fBfuzzy\-movie.avi\fR which is a file that 212 212 can be read by \fBVLC\fR to reproduce the same behaviour without using 213 213 \fBzzuf\fR: 214 214 .PP 215 \fB zzuf -c -s 87423-r 0.01 vlc movie.avi\fR216 \fB zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi\fR217 \fB vlc fuzzy -movie.avi\fR215 \fB zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR 216 \fB zzuf \-c \-s 87423 \-r 0.01 cp movie.avi fuzzy\-movie.avi\fR 217 \fB vlc fuzzy\-movie.avi\fR 218 218 .PP 219 219 Fuzz 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.02\fR) with seeds 0 to 9999 … … 223 223 and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR): 224 224 .PP 225 \fB zzuf -c -r 0.02 -q -s 0:10000 -F 3 -T 60-S \\\fR226 \fB mplayer -- -benchmark -vo null-fps 1000 movie.avi\fR225 \fB zzuf \-c \-r 0.02 \-q \-s 0:10000 \-F 3 \-T 60 \-S \\\fR 226 \fB mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR 227 
227 .SH RESTRICTIONS 228 228 .PP … … 247 247 methods are planned. 248 248 .PP 249 \fBZzuf\fR will not work properly with applications using \fBgetc\fR() on250 platforms where it is defined as a macro, such as OpenBSD and FreeBSD,251 because it is unable to intercept calls to \fBgetc\fR().252 .PP253 249 As of now, \fBzzuf\fR does not really support multithreaded applications. The 254 250 behaviour with multithreaded applications where more than one thread does file … … 256 252 .SH NOTES 257 253 In order to intercept file and network operations and signal handlers, 258 \fBzzuf\fR diverts and reimplements the following functions: 254 \fBzzuf\fR diverts and reimplements the following functions, which can 255 be private libc symbols, too: 259 256 .TP 260 257 Unix file descriptor handling: … … 271 268 .TP 272 269 BSD-specific: 273 \fBfgetln\fR() 270 \fBfgetln\fR(), \fB__srefill()\fR() 274 271 .TP 275 272 Signal handling: … … 281 278 such as \fBltrace(1)\fR on Linux to know the missing functions. 282 279 .PP 283 One important unimplemented function is \fBfscanf\fR(), because of its 284 complexity. Missing functions will be implemented based upon user request. 280 On some systems, such as FreeBSD, \fB__srefill\fR() is enough to monitor all 281 standard IO streams functions. On other systems each function needs to be 282 reimplemented on a case by case basis. One important unimplemented function 283 is \fBfscanf\fR(), because of its complexity. Missing functions will be 284 implemented based upon user request. 285 285 .SH HISTORY 286 286 .PP
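Review bot: the `\-` escaping applied to option names and range arguments in the hunks at lines 75, 122-128 and 195-226 is the right fix, since groff treats a bare `-` in text as a hyphen (rendered as a typographic hyphen on some output devices) while `\-` is the ASCII hyphen-minus, so text copied from the rendered page would otherwise not be accepted as the `-P`, `-R` or `-s` options and ranges such as `a\-z` and `\\x00\-\\x1f` would be split on the wrong character. Line 75 additionally drops a stray space that rendered the option as `--max -forks`; that is a correction of the documented option name rather than only of its rendering and deserves a mention in the commit message.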
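Review bot: dropping the getc() restriction at lines 249-252 is justified for FreeBSD by the new `__srefill` hook described at lines 280-282, but the removed paragraph also named OpenBSD, and the new text only says `__srefill` is enough "on some systems, such as FreeBSD"; either state that OpenBSD is covered as well or keep the restriction for the platforms that are not.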
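Review bot: `\fB__srefill()\fR()` at line 270 has the parentheses both inside the bold span and after it, so it renders as `__srefill()()`; it should use the same form as `\fBfgetln\fR()` on the same line and `\fB__srefill\fR()` at line 280, i.e. `\fB__srefill\fR()`.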
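Review bot: two wording nits in the new paragraph at lines 280-284: "standard IO streams functions" should read "standard I/O stream functions", and "case by case basis" should be hyphenated as "case-by-case basis".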