Version 2 (modified by 15 years ago) (diff) | ,
---|
zzuf internals
This document is an attempt at explaining how zzuf works and how it can be extended to support more functions.
Architecture overview
The zzuf software consists in two parts:
- The
zzuf
executable - The
libzzuf
shared library
Here is the global workflow when zzuf fuzzes a process:
zzuf
reads options from the command line.zzuf
writes fuzzing information to the environmentzuff
preloadslibzzuf
into the called process and executes itlibzzuf
reads fuzzing information from the envronmentlibzzuf
diverts standard function calls with its own ones- the called process runs normally, but any diverted call goes through
libzzuf
first
Writing function diversions
Diverted functions are declared using the NEW
macro. The address of the original function is stored into a global function pointer using the ORIG
macro. The LOADSYM
macro takes care of retrieving its address and storing it into the pointer.
For instance, this is how the memalign
function is declared in its libc header, malloc.h
:
void *memalign(size_t boundary, size_t size);
And here is how memalign
is diverted:
#include <malloc.h> #include "libzzuf.h" #include "lib-load.h" /* ... */ #if defined HAVE_MEMALIGN static void * (*ORIG(memalign)) (size_t boundary, size_t size); #endif /* ... */ #if defined HAVE_MEMALIGN void *NEW(memalign)(size_t boundary, size_t size) { void *ret; LOADSYM(memalign); ret = ORIG(memalign)(boundary, size); /* ... */ return ret; } #endif
Memory functions
Functions such as malloc
need to be diverted by zzuf in order to monitor global memory usage and detect severe memory leaks.
This creates a bootstrapping problem on some platforms: the diverted calloc
calls the real calloc
, which needs to be loaded using dlsym
. On Linux, dlsym
calls calloc
, resulting in an infinite loop. To avoid this, we declare a private static buffer that memory allocation functions can use if the original function is not yet loaded.