Changes between Version 2 and Version 3 of zzuf/tutorial


Timestamp:
05/18/08 02:36:02 (5 years ago)
Author:
sam
Comment:

debug mode

  • zzuf/tutorial

    v2 v3  
    138138}}} 
    139139 
    140 `zzuf` can be used to create files: 
     140`zzuf` can be used to create files. Again, the behaviour is entirely reproducible: 
    141141 
    142142{{{ 
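Review bot: the new sentence at v3 line 140 ("Again, the behaviour is entirely reproducible") leans on a point made earlier in the page, and the snippet it introduces (lines 142-152) is elided in this view; since readers often land on a single section, consider stating here what makes the file generation reproducible (the same invocation yields byte-identical output) so the claim stands on its own, and make sure the example that follows actually shows that property rather than a single run.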
     
    152152}}} 
    153153 
    154 This may be useful if a given application is not supported by `zzuf`, but it is especially useful to generate files that reproduce `zzuf`’s behaviour without requiring `zzuf`. 
    155  
     154This may be used if a given application is not supported by `zzuf`, but it is especially useful to generate files that reproduce `zzuf`’s behaviour without requiring `zzuf` at all. 
     155 
     156= `zzuf` as a batch testing tool = 
     157 
     158The most useful aspect of `zzuf` is its use as an automated tool, testing thousands of different fuzzing combinations and analysing the fuzzed application’s behaviour in each situation. 
     159 
     160== Debug mode == 
     161 
     162Consider this invocation of `zzuf` with the `file` utility: 
     163 
     164{{{ 
     165% zzuf file /bin/ls 
     166/etc/magic, 4: Warning: using regular magic file `/usr/share/file/magic' 
     167/usr/share/file/magic, 33: Warning: Printf format `d' is not valid for type `string' in description `RISC OS outline font data,>5      byte            x       varsion %d' 
     168/usr/share/file/magic, 47: Warning: type `stri?g        \x02\x01\x13\x13\x13\x01\x0d\x10        Digital Symphony sound sample (RISC OS),' invalid 
     169[...] 
     170}}} 
     171 
     172This is not the expected behaviour at all. What happens exactly? The problem is that `file` also opens its own configuration files to gather information about file formats, and of course `zzuf` fuzzes these files, since no one told it that they were special. 
     173 
     174We may use the '''debug mode''' to learn more about what happens, using the '''`-d` flag''': 
     175 
     176{{{ 
     177% zzuf -d file /bin/ls 
     178** zzuf debug ** libzzuf initialised for PID 29526 
     179** zzuf debug ** fopen("/etc/magic", "r") = [3] 
     180** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0 
     181** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0 
     182** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0 
     183** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = NULL 
     184** zzuf debug ** fclose([3]) = 0 
     185** zzuf debug ** open("/usr/share/file/magic.mgc", 0) = 3 
     186** zzuf debug ** mmap(NULL, 1636608, 3, 2, 3, 0) = 0x2acce776e000 "\x1c\x04\x1c\xf1... 
     187** zzuf debug ** close(3) = 0 
     188** zzuf debug ** fopen("/usr/share/file/magic", "r") = [3] 
     189** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0 
     190** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0 
     191** zzuf debug ** fgets(0x7fffc46e04b0, 8192, [3]) = 0x7fffc46e04b0 
     192[...] 
     193}}} 
     194 
     195We see that `file` opens at least `/etc/magic`, `/usr/share/file/magic.mgc` and `/usr/share/file/magic`. Since they are installed in trusted directories, it is useless to fuzz these files, unless of course we wish to test `file`’s robustness against corruption of these files. 
     196 
     197One way to ignore these files is to '''exclude''' them, using the '''`-E` flag'''. This flag specifies that files matching a given regular expression should not be fuzzed: 
     198 
     199{{{ 
     200% zzuf -d -E /etc/ -E /usr/share/ file /bin/ls 
     201** zzuf debug ** libzzuf initialised for PID 30541 
     202** zzuf debug ** open("/bin/ls", 0) = 3 
     203** zzuf debug ** read(3, 0x60a590, 98304) = 98304 "\x7fENF... 
     204** zzuf debug ** close(3) = 0 
     205/bin/ls: data 
     206% 
     207}}} 
     208 
     209Another way to avoid the issue is to only '''include''' the file or directories we want to fuzz, using the '''`-I` flag''': 
     210 
     211{{{ 
     212% zzuf -d -I /bin/ file /bin/ls 
     213** zzuf debug ** libzzuf initialised for PID 30550 
     214** zzuf debug ** open("/bin/ls", 0) = 3 
     215** zzuf debug ** read(3, 0x606c20, 98304) = 98304 "\x7fENF... 
     216** zzuf debug ** close(3) = 0 
     217/bin/ls: data 
     218% 
     219}}} 
     220 
     221Yet another way is to tell `zzuf` to only fuzz files that appear on the fuzzed application’s '''commandline''', using the '''`-c` flag''': 
     222 
     223{{{ 
     224% zzuf -d -c file /bin/ls 
     225** zzuf debug ** libzzuf initialised for PID 30555 
     226** zzuf debug ** open("/bin/ls", 0) = 3 
     227** zzuf debug ** read(3, 0x608de0, 98304) = 98304 "\x7fENF... 
     228** zzuf debug ** close(3) = 0 
     229/bin/ls: data 
     230% 
     231}}} 
     232 
     233We can now properly fuzz the `file` application.
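Review bot: the `-E` example at v3 lines 200-207 passes `/etc/` and `/usr/share/` while the text at line 197 says the flag takes a regular expression, so these patterns also match any path that merely contains those substrings (for example a file under `/home/user/etc/`); suggest anchoring them, e.g. `-E ^/etc/ -E ^/usr/share/`, or adding a sentence noting that the patterns are unanchored regexes so readers do not silently exclude more input than intended. Minor: "commandline" at line 221 should be "command line". Note that the corrupted strings in the captured output (`varsion`, `stri?g`, `\x7fENF`) are the fuzzed data the section is about and should stay as they are.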