| Version 2 (modified by , 16 years ago) (diff) |
|---|
zzuf internals
This document is an attempt at explaining how zzuf works and how it can be extended to support more functions.
Architecture overview
The zzuf software consists in two parts:
- The
zzufexecutable - The
libzzufshared library
Here is the global workflow when zzuf fuzzes a process:
zzufreads options from the command line.zzufwrites fuzzing information to the environmentzuffpreloadslibzzufinto the called process and executes itlibzzufreads fuzzing information from the envronmentlibzzufdiverts standard function calls with its own ones- the called process runs normally, but any diverted call goes through
libzzuffirst
Writing function diversions
Diverted functions are declared using the NEW macro. The address of the original function is stored into a global function pointer using the ORIG macro. The LOADSYM macro takes care of retrieving its address and storing it into the pointer.
For instance, this is how the memalign function is declared in its libc header, malloc.h:
void *memalign(size_t boundary, size_t size);
And here is how memalign is diverted:
#include <malloc.h>
#include "libzzuf.h"
#include "lib-load.h"
/* ... */
#if defined HAVE_MEMALIGN
static void * (*ORIG(memalign)) (size_t boundary, size_t size);
#endif
/* ... */
#if defined HAVE_MEMALIGN
void *NEW(memalign)(size_t boundary, size_t size)
{
void *ret;
LOADSYM(memalign);
ret = ORIG(memalign)(boundary, size);
/* ... */
return ret;
}
#endif
Memory functions
Functions such as malloc need to be diverted by zzuf in order to monitor global memory usage and detect severe memory leaks.
This creates a bootstrapping problem on some platforms: the diverted calloc calls the real calloc, which needs to be loaded using dlsym. On Linux, dlsym calls calloc, resulting in an infinite loop. To avoid this, we declare a private static buffer that memory allocation functions can use if the original function is not yet loaded.
