Changes between Version 2 and Version 3 of zzuf/tutorial


Ignore:
Timestamp:
05/18/2008 02:36:02 AM (17 years ago)
Author:
Sam Hocevar
Comment:

debug mode

Legend:

Unmodified
Added
Removed
Modified

  • zzuf/tutorial

    v2 v3  
    138138}}}
    139139
    140 `zzuf` can be used to create files:
     140`zzuf` can be used to create files. Again, the behaviour is entirely reproducible:
    141141
    142142{{{
     
    152152}}}
    153153
    154 This may be useful if a given application is not supported by `zzuf`, but it is especially useful to generate files that reproduce `zzuf`’s behaviour without requiring `zzuf`.
    155 
     154This may be used if a given application is not supported by `zzuf`, but it is especially useful to generate files that reproduce `zzuf`’s behaviour without requiring `zzuf` at all.
     155
     156= `zzuf` as a batch testing tool =
     157
     158The most useful aspect of `zzuf` is its use as an automated tool, testing thousands of different fuzzing combinations and analysing the fuzzed application’s behaviour in each situation.
     159
     160== Debug mode ==
     161
     162Consider this invocation of `zzuf` with the `file` utility:
     163
     164{{{
     165% zzuf file /bin/ls
     166/etc/magic, 4: Warning: using regular magic file `/usr/share/file/magic'
     167/usr/share/file/magic, 33: Warning: Printf format `d' is not valid for type `string' in description `RISC OS outline font data,>5      byte            x       varsion %d'
     168/usr/share/file/magic, 47: Warning: type `stri?g        \x02\x01\x13\x13\x13\x01\x0d\x10        Digital Symphony sound sample (RISC OS),' invalid
     169[...]
     170}}}
     171
     172This is not the expected behaviour at all. What happens exactly? The problem is that `file` also opens its own configuration files to gather information about file formats, and of course `zzuf` fuzzes these files, since no one told it that they were special.
     173
     174We may use the '''debug mode''' to learn more about what happens, using the '''`-d` flag''':
     175
     176{{{
     177% zzuf -d file /bin/ls
     178** zzuf debug ** libzzuf initialised for PID 29526
     179** zzuf debug ** fopen("/etc/magic", "r") = [3]
     180** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
     181** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
     182** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
     183** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = NULL
     184** zzuf debug ** fclose([3]) = 0
     185** zzuf debug ** open("/usr/share/file/magic.mgc", 0) = 3
     186** zzuf debug ** mmap(NULL, 1636608, 3, 2, 3, 0) = 0x2acce776e000 "\x1c\x04\x1c\xf1...
     187** zzuf debug ** close(3) = 0
     188** zzuf debug ** fopen("/usr/share/file/magic", "r") = [3]
     189** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
     190** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
     191** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0
     192[...]
     193}}}
     194
     195We see that `file` opens at least `/etc/magic`, `/usr/share/file/magic.mgc` and `/usr/share/file/magic`. Since they are installed in trusted directories, it is useless to fuzz these files, unless of course we wish to test `file`’s robustness against corruption of these files.
     196
     197One way to ignore these files is to '''exclude''' them, using the '''`-E` flag'''. This flag specifies that files matching a given regular expression should not be fuzzed:
     198
     199{{{
     200% zzuf -d -E /etc/ -E /usr/share/ file /bin/ls
     201** zzuf debug ** libzzuf initialised for PID 30541
     202** zzuf debug ** open("/bin/ls", 0) = 3
     203** zzuf debug ** read(3, 0x60a590, 98304) = 98304 "\x7fENF...
     204** zzuf debug ** close(3) = 0
     205/bin/ls: data
     206%
     207}}}
     208
     209Another way to avoid the issue is to only '''include''' the file or directories we want to fuzz, using the '''`-I` flag''':
     210
     211{{{
     212% zzuf -d -I /bin/ file /bin/ls
     213** zzuf debug ** libzzuf initialised for PID 30550
     214** zzuf debug ** open("/bin/ls", 0) = 3
     215** zzuf debug ** read(3, 0x606c20, 98304) = 98304 "\x7fENF...
     216** zzuf debug ** close(3) = 0
     217/bin/ls: data
     218%
     219}}}
     220
     221Yet another way is to tell `zzuf` to only fuzz files that appear on the fuzzed application’s '''commandline''', using the '''`-c` flag''':
     222
     223{{{
     224% zzuf -d -c file /bin/ls
     225** zzuf debug ** libzzuf initialised for PID 30555
     226** zzuf debug ** open("/bin/ls", 0) = 3
     227** zzuf debug ** read(3, 0x608de0, 98304) = 98304 "\x7fENF...
     228** zzuf debug ** close(3) = 0
     229/bin/ls: data
     230%
     231}}}
     232
     233We can now properly fuzz the `file` application.