Changes between Version 3 and Version 4 of zzuf/tutorial
- Timestamp:
- 05/18/2008 05:54:33 AM (17 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
zzuf/tutorial
v3 v4 3 3 Warning: this tutorial requires `zzuf` version 0.11 or later. 4 4 5 = Basic `zzuf` usage =5 = 1. Basic `zzuf` usage = 6 6 7 7 `zzuf`’s behaviour is configured through the command line. A comprehensive list of flags and their meaning is given in the `zzuf` manual page. Just run '''`man zzuf`''' on your system to see it. 8 8 9 == Launching `zzuf` ==9 == 1.1. Launching `zzuf` == 10 10 11 11 Let’s start with a simple command that reads data from a file. We choose `hd`, the hexadecimal dump command, so that we get a chance to observe what exactly happens to the data. 12 12 13 Wetell `hd` to read 32 bytes from `/dev/zero`:13 This is how to tell `hd` to read 32 bytes from `/dev/zero`: 14 14 15 15 {{{ … … 31 31 }}} 32 32 33 We see that two `00` values have been changed to `02`s. `zzuf` '''intercepted''' `hd`'s opening of `/dev/zero` and automatically '''corrupted''' the b ytes it read at random. Let’s do it again:33 We see that two `00` values have been changed to `02`s. `zzuf` '''intercepted''' `hd`'s opening of `/dev/zero` and automatically '''corrupted''' the bits it read at random. Let’s do it again: 34 34 35 35 {{{ … … 43 43 We get exactly the same output. This is a very important property of `zzuf`: its behaviour is '''reproducible'''. 44 44 45 == Invoking different programs ==45 == 1.2. Invoking different programs == 46 46 47 47 Let’s fuzz the `cat` utility instead of `hd`, but read the final output with `hd` nonetheless: … … 68 68 This is another very important property of `zzuf`: '''data is fuzzed the same way regardless of the fuzzed application'''. 69 69 70 == The fuzzing ratio ==70 == 1.3. The fuzzing ratio == 71 71 72 72 The '''fuzzing ratio''' is the proportion of bits that `zzuf` changes. It is specified with the '''`-r` flag'''. The default fuzzing ratio is 0.004, meaning "fuzz 0.4% of the bits". 32 bytes is 256 bits, and 0.4% of 256 bits is approximately 1. `zzuf` should have fuzzed 1 bit, but since it fuzzes bits at random, 2 bits is not surprising. … … 106 106 }}} 107 107 108 == The random seed ==108 == 1.4. The random seed == 109 109 110 110 `zzuf`’s behaviour is reproducible, but we might not be satisfied with the output. Or we may simply want to fuzz in several different ways, but still using the same fuzzing ratio. This is done by changing the '''random seed''' with the '''`-s` flag'''. The random seed is the initial value of `zzuf`’s random number generator. The default seed is 0, so let’s try with other values: … … 124 124 As can be seen, each seed value initiates a different behaviour of the random number generator. 125 125 126 == Creating fuzzed files ==126 == 1.5. Creating fuzzed files == 127 127 128 128 It is possible to fuzz files directly, without calling applications at all. … … 154 154 This may be used if a given application is not supported by `zzuf`, but it is especially useful to generate files that reproduce `zzuf`’s behaviour without requiring `zzuf` at all. 155 155 156 = `zzuf` as a batch testing tool =156 = 2. `zzuf` as a batch testing tool = 157 157 158 158 The most useful aspect of `zzuf` is its use as an automated tool, testing thousands of different fuzzing combinations and analysing the fuzzed application’s behaviour in each situation. 159 159 160 == Debug mode ==160 == 2.1. Debug mode == 161 161 162 162 Consider this invocation of `zzuf` with the `file` utility: … … 195 195 We see that `file` opens at least `/etc/magic`, `/usr/share/file/magic.mgc` and `/usr/share/file/magic`. Since they are installed in trusted directories, it is useless to fuzz these files, unless of course we wish to test `file`’s robustness against corruption of these files. 196 196 197 One way to ignore these files is to '''exclude''' them, using the '''`-E` flag'''. This flag specifies that files matching a given regular expression should not be fuzzed: 197 == 2.2. Include and exclude patterns == 198 199 One way to make `zzuf` ignore files is to '''exclude''' them, using the '''`-E` flag''' as many times as necessary. This flag specifies that files matching a given regular expression should not be fuzzed: 198 200 199 201 {{{ … … 207 209 }}} 208 210 209 Another way to avoid the issue is to only '''include''' the file or directories we want to fuzz, using the '''`-I` flag''':211 Another way to avoid the issue is to only '''include''' the files or directories we want to fuzz, using the '''`-I` flag''' as many times as necessary: 210 212 211 213 {{{ … … 219 221 }}} 220 222 221 Yet another way is to tell `zzuf` to only fuzz files that appear on the fuzzed application’s '''commandline''', using the '''`-c` flag''':223 Yet another way is to tell `zzuf` to only fuzz files that appear on the fuzzed application’s commandline, using the '''`-c` flag''': 222 224 223 225 {{{ … … 232 234 233 235 We can now properly fuzz the `file` application. 236 237 == 2.3. Seed ranges == 238 239 Instead of specifying a random seed with the `-s` flag, one can specify a whole range by separating values with a colon. `zzuf` will simply run the program several times, each time with another seed in the range: 240 241 {{{ 242 % zzuf -c -s 0:5 file /bin/ls 243 /bin/ls: data 244 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped 245 /bin/ls: ELF 64-bit LSB executable, x86-64, (SYSV), statically linked (uses shared libs), stripped 246 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8388616, statically linked (uses shared libs), corrupted section header size 247 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked (uses shared libs), stripped 248 % 249 }}} 250 251 As can be seen, the file analysed by `file` is slightly corrupted in a different way each time. 252 253 Using the '''`-v` flag''' for more verbosity helps understanding what is going on, especially with large seed ranges: 254 255 {{{ 256 % zzuf -vc -s 0:5 file /bin/ls 257 zzuf[s=0,r=0.004]: launched file 258 /bin/ls: data 259 zzuf[s=1,r=0.004]: launched file 260 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped 261 zzuf[s=2,r=0.004]: launched file 262 /bin/ls: ELF 64-bit LSB executable, x86-64, (SYSV), statically linked (uses shared libs), stripped 263 zzuf[s=3,r=0.004]: launched file 264 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8388616, statically linked (uses shared libs), corrupted section header size 265 zzuf[s=4,r=0.004]: launched file 266 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked (uses shared libs), stripped 267 % 268 }}} 269 270 == 2.4. Ratio ranges == 271 272 When a seed range is being used with `-s`, a ratio range can be used with `-r`. Instead of using the same bit fuzzing ratio for each seed, `zzuf` will pick one at random within the specified interval: 273 274 {{{ 275 % zzuf -vc -s 0:5 -r 0.0001:0.01 file /bin/ls 276 zzuf[s=0,r=0.0001:0.01]: launched file 277 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped 278 zzuf[s=1,r=0.0001:0.01]: launched file 279 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked (uses shared libs), stripped 280 zzuf[s=2,r=0.0001:0.01]: launched file 281 /bin/ls: ERROR: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs)error reading 282 zzuf[s=3,r=0.0001:0.01]: launched file 283 /bin/ls: ERROR: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linkedCannot allocate memory for note (Cannot allocate memory) 284 zzuf[s=4,r=0.0001:0.01]: launched file 285 /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped 286 % 287 }}}
