source: zzuf/trunk/doc/zzuf.1 @ 1531

Last change on this file since 1531 was 1531, checked in by Sam Hocevar, 15 years ago
  • Alphabetise flags in help output and manpage.
File size: 5.6 KB
Line 
1.TH zzuf 1 "2006-12-22" "zzuf"
2.SH NAME
3zzuf \- multiple purpose fuzzer
4.SH SYNOPSIS
5.B zzuf
6[
7.B \-vqdhic
8] [
9.B \-r
10.I ratio
11] [
12.B \-s
13.I seed
14|
15.B \-s
16.I start:stop
17]
18.PD 0
19.IP
20.PD
21[
22.B \-F
23.I children
24] [
25.B \-B
26.I bytes
27] [
28.B \-T
29.I seconds
30]
31.PD 0
32.IP
33.PD
34[
35.B \-I
36.I include
37] [
38.B \-E
39.I exclude
40]
41.I COMMAND [ARGS]...
42.RI
43.SH DESCRIPTION
44.B Zzuf
45is a transparent application input fuzzer. It works by intercepting
46file operations and changing random bits in the program's input.
47.B Zzuf's
48behaviour is deterministic, making it easy to reproduce bugs.
49.RI
50.SH USAGE
51.B Zzuf
52will run an application specified on its command line, one or several times,
53with optional arguments, and will report the application's behaviour on
54the standard output.
55
56If you want to specify arguments for your application, put a
57.B \-\-
58marker before them on the command line, or
59.B zzuf
60will try to interpret them as arguments for itself.
61.RI
62.SH OPTIONS
63.TP
64.B \-B, \-\-max\-bytes <n>
65Automatically terminate child processes that output more than
66.B <n>
67bytes on the standard output and standard error channels. This is useful to
68detect infinite loops.
69.TP
70.B \-c, \-\-cmdline
71Only fuzz files whose name is specified in the target application's command
72line. This is mostly a shortcut to avoid specifiying twice the argument:
73.B zzuf \-c cat file.txt
74has the same effect as
75.B zzuf \-I "^file\\.txt$" cat
76.BR file.txt .
77See the
78.B \-I
79flag for more information.
80.TP
81.B \-d, \-\-debug
82Activate the display of debug messages.
83.TP
84.B \-E, \-\-exclude <regex>
85Do not fuzz files whose name matches the
86.B <regex>
87regular expression. This option supersedes anything that is specified by the
88.B \-\-exclude
89flag. Use this for instance if you do not know for sure what files your
90application is going to read, but do not want it to fuzz files in the
91.B /etc
92directory.
93
94Multiple
95.B \-E
96flags can be specified, in which case files matching any one of the regular
97expressions will be ignored.
98.TP
99.B \-F, \-\-fork <children>
100Specify the number of simultaneous children that can be run. This option is
101only useful if the
102.B \-s
103flag is used with an interval argument.
104.TP
105.B \-h, \-\-help
106Display a short help message and exit.
107.TP
108.B \-i, \-\-stdin
109Fuzz the application's standard input. By default
110.B zzuf
111only fuzzes files.
112.TP
113.B \-I, \-\-include <regex>
114Only fuzz files whose name matches the
115.B <regex>
116regular expression. Use this for instance if your application reads
117configuration files at startup and you only want specific files to be fuzzed.
118
119Multiple
120.B \-I
121flags can be specified, in which case files matching any one of the regular
122expressions will be fuzzed.
123.TP
124.B \-q, \-\-quiet
125Hide the output of the fuzzed application. This is useful if the application
126is very verbose but only its exit code is really useful to you.
127.TP
128.B \-r, \-\-ratio <ratio>
129Specify the amount of bits that will be randomly fuzzed. A value of 0
130will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
131bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
132the input files undiscernible from random data. The default fuzzing ratio
133is 0.004 (fuzz 0.4% of the files' bits).
134.TP
135.B \-s, \-\-seed <seed>
136.PD 0
137.TP
138.B \-s, \-\-seed <start:stop>
139.PD
140Specify the random seed to use for fuzzing, or an interval of random seeds.
141Running
142.B zzuf
143twice with the same random seed will fuzz the files exactly the same way,
144even with a different target application. The purpose of this is to use
145simple utilities such as
146.B cat
147or
148.B cp
149to generate a file that causes the target application to crash.
150
151If an interval is specified,
152.B zzuf
153will run the application several times, each time with a different seed, and
154report the behaviour of each run.
155.TP
156.B \-T, \-\-max\-time <n>
157Automatically terminate child processes that run for more than
158.B <n>
159seconds. This is useful to detect infinite loops or processes stuck in other
160situations.
161.TP
162.B \-v, \-\-version
163Output version information and exit.
164.RI
165.SH EXAMPLES
166Fuzz the input of the
167.B cat
168program using default settings:
169.nf
170
171.B % zzuf cat /etc/motd
172
173.fi
174Fuzz 1% of the input bits of the
175.B cat
176program using seed 94324:
177.nf
178
179.B % zzuf -s 94324 -r 0.01 cat /etc/motd
180
181.fi
182Fuzz the input of the
183.B convert
184program, using file
185.B foo.jpeg
186as the original input and excluding
187.B .xml
188files from fuzzing (because
189.B convert
190will also open its own configuration files and we do not want
191.B zzuf
192to fuzz them):
193.nf
194
195.B % zzuf -E "\\.xml$" convert -- foo.jpeg -format tga /dev/null
196
197.fi
198Fuzz the input of
199.BR vlc ,
200using file
201.B movie.avi
202as the original input and restricting fuzzing to filenames that appear on
203the command line, then generate
204.B fuzzy-movie.avi
205which is a file that can be fed to
206.B vlc
207to reproduce the same behaviour without using
208.BR zzuf :
209.fn
210
211.B % zzuf -c -s 87423 -r 0.01 vlc movie.avi
212
213.B % zzuf -c -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi
214
215.B % vlc fuzzy-movie.avi
216
217.fi
218Fuzz
219.BR mplayer 's
220input with seeds 0 to 9999, launching up to 3 simultaneous child processes
221and killing
222.BR mplayer
223if it takes more than one minute to read the file:
224.fn
225
226.B % zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 mplayer movie.avi -- -benchmark -vo null -fps 1000
227
228.fi
229.RI
230.SH BUGS
231Only the most common file operations are implemented as of now:
232.BR open (),
233.BR read (),
234.BR fopen (),
235.BR fseek (),
236etc. One important unimplemented function is
237.BR fscanf ().
238
239Network fuzzing is not implemented. It is not yet possible to insert or
240drop bytes from the input, to fuzz according to the file format, or to do
241all these complicated operations. They are planned, though.
242.RI
243.SH AUTHOR
244.B Zzuf
245and this manual page were written by Sam Hocevar <sam@zoy.org>. There is a
246webpage available at http://sam.zoy.org/zzuf/
Note: See TracBrowser for help on using the repository browser.