{{{
#!html
<div style="text-align: center">
}}}
Prev: [wiki:zzuf/tutorial1 1. Basic zzuf usage] | Next: [wiki:zzuf zzuf home]
{{{
#!html
</div>
}}}

= 2. `zzuf` as a batch testing tool =

The most useful aspect of `zzuf` is its use as an automated tool, testing thousands of different fuzzing combinations and analysing the fuzzed application’s behaviour in each situation.

== 2.1. Debug mode ==

Consider this invocation of `zzuf` with the `file` utility:

{{{
% zzuf file /bin/ls
/etc/magic, 4: Warning: using regular magic file `/usr/share/file/magic'
/usr/share/file/magic, 33: Warning: Printf format `d' is not valid for type `string' in description `RISC OS outline font data,>5	byte		x	varsion %d'
/usr/share/file/magic, 47: Warning: type `stri?g	\x02\x01\x13\x13\x13\x01\x0d\x10	Digital Symphony sound sample (RISC OS),' invalid
[...]
}}}

This is not the expected behaviour at all. What happens exactly? The problem is that `file` also opens its own configuration files to gather information about file formats, and of course `zzuf` fuzzes these files, since no one told it that they were special.

We may run `zzuf` in '''debug mode''' to learn more about what happens, using the '''`-d` flag''':

{{{
% zzuf -d file /bin/ls
** zzuf debug ** libzzuf initialised for PID 29526
** zzuf debug ** fopen("/etc/magic", "r") = [3]
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = NULL
** zzuf debug ** fclose([3]) = 0
** zzuf debug ** open("/usr/share/file/magic.mgc", 0) = 3
** zzuf debug ** mmap(NULL, 1636608, 3, 2, 3, 0) = 0x2acce776e000 "\x1c\x04\x1c\xf1...
** zzuf debug ** close(3) = 0
** zzuf debug ** fopen("/usr/share/file/magic", "r") = [3]
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
[...]
}}}

We see that `file` opens at least `/etc/magic`, `/usr/share/file/magic.mgc` and `/usr/share/file/magic`. Since they are installed in trusted directories, it is useless to fuzz these files, unless of course we wish to test `file`’s robustness against corruption of these files.

== 2.2. Include and exclude patterns ==

One way to make `zzuf` ignore files is to '''exclude''' them, using the '''`-E` flag''' as many times as necessary. This flag specifies that files matching a given regular expression should not be fuzzed:

{{{
% zzuf -d -E /etc/ -E /usr/share/ file /bin/ls
** zzuf debug ** libzzuf initialised for PID 30541
** zzuf debug ** open("/bin/ls", 0) = 3
** zzuf debug ** read(3, 0x60a590, 98304) = 98304 "\x7fENF...
** zzuf debug ** close(3) = 0
/bin/ls: data
%
}}}

Another way to avoid the issue is to only '''include''' the files or directories we want to fuzz, using the '''`-I` flag''' as many times as necessary:

{{{
% zzuf -d -I /bin/ file /bin/ls
** zzuf debug ** libzzuf initialised for PID 30550
** zzuf debug ** open("/bin/ls", 0) = 3
** zzuf debug ** read(3, 0x606c20, 98304) = 98304 "\x7fENF...
** zzuf debug ** close(3) = 0
/bin/ls: data
%
}}}

Yet another way is to tell `zzuf` to only fuzz files that appear on the fuzzed application’s commandline, using the '''`-c` flag''':

{{{
% zzuf -d -c file /bin/ls
** zzuf debug ** libzzuf initialised for PID 30555
** zzuf debug ** open("/bin/ls", 0) = 3
** zzuf debug ** read(3, 0x608de0, 98304) = 98304 "\x7fENF...
** zzuf debug ** close(3) = 0
/bin/ls: data
%
}}}

We can now properly fuzz the `file` application.

== 2.3. Seed ranges ==

Instead of specifying a random seed with the `-s` flag, one can specify a whole range by separating values with a colon. `zzuf` will simply run the program several times, each time with another seed in the range:

{{{
% zzuf -c -s 0:5 file /bin/ls         
/bin/ls: data
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
/bin/ls: ELF 64-bit LSB executable, x86-64, (SYSV), statically linked (uses shared libs), stripped
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8388616, statically linked (uses shared libs), corrupted section header size
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked (uses shared libs), stripped
%
}}}

As can be seen, the file analysed by `file` is slightly corrupted in a different way each time.

Using the '''`-v` flag''' for more verbosity helps understanding what is going on, especially with large seed ranges:

{{{
% zzuf -vc -s 0:5 file /bin/ls
zzuf[s=0,r=0.004]: launched `file'
/bin/ls: data
zzuf[s=1,r=0.004]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
zzuf[s=2,r=0.004]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, (SYSV), statically linked (uses shared libs), stripped
zzuf[s=3,r=0.004]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8388616, statically linked (uses shared libs), corrupted section header size
zzuf[s=4,r=0.004]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked (uses shared libs), stripped
%
}}}

== 2.4. Ratio ranges ==

When a seed range is being used with `-s`, a ratio range can be used with `-r`. Instead of using the same bit fuzzing ratio for each seed, `zzuf` will pick one at random within the specified interval:

{{{
% zzuf -vc -s 0:5 -r 0.0001:0.01 file /bin/ls
zzuf[s=0,r=0.0001:0.01]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
zzuf[s=1,r=0.0001:0.01]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked (uses shared libs), stripped
zzuf[s=2,r=0.0001:0.01]: launched `file'
/bin/ls: ERROR: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs)error reading
zzuf[s=3,r=0.0001:0.01]: launched `file'
/bin/ls: ERROR: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linkedCannot allocate memory for note (Cannot allocate memory)
zzuf[s=4,r=0.0001:0.01]: launched `file'
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
%
}}}

To generate a file that reproduces a given behaviour, the corresponding `-s` flag and the exact same `-r` flag need to be used:

{{{
% zzuf -s 4 -r 0.0001:0.01 < /bin/ls > output.file
% file output.file
output.file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
%
}}}

{{{
#!html
<div style="text-align: center">
}}}
Prev: [wiki:zzuf/tutorial1 1. Basic zzuf usage] | Next: [wiki:zzuf zzuf home]
{{{
#!html
</div>
}}}