* Wrote a manpage. Phew.

2006-12-22 16:36:30 +00:00 · 2006-12-22 16:36:30 +00:00 · c95059bb66
commit c95059bb66
parent 728cfe90bf
4 changed files with 214 additions and 1 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -1,6 +1,6 @@
 SUBDIRS = src
-DIST_SUBDIRS = $(SUBDIRS) test
+DIST_SUBDIRS = $(SUBDIRS) test doc
 EXTRA_DIST = bootstrap AUTHORS
 AUTOMAKE_OPTIONS = foreign dist-bzip2
--- a/configure.ac
+++ b/configure.ac
@ -43,6 +43,7 @@ CFLAGS="${CFLAGS} -Wall -Wpointer-arith -Wcast-align -Wcast-qual -Wstrict-protot
 AC_OUTPUT([
  Makefile
  src/Makefile
  doc/Makefile
  test/Makefile
 ])
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -0,0 +1,6 @@
 # $Id: Makefile.am 871 2006-09-25 15:58:33Z sam $
 EXTRA_DIST = zzuf.1
 man_MANS = zzuf.1
--- a/doc/zzuf.1
+++ b/doc/zzuf.1
@ -0,0 +1,206 @@
 .TH zzuf 1 "2006-12-22" "zzuf"
 .SH NAME
 zzuf \- multiple purpose fuzzer
 .SH SYNOPSIS
 .B zzuf
 [
 .B \-vqdh
 ] [
 .B \-r
 .I ratio
 ] [
 .B \-s
 .I seed[:stop]
 ] [
 .B \-F
 .I children
 ]
 .PD 0
 .IP
 .PD
 [
 .B \-B
 .I bytes
 ] [
 .B \-T
 .I seconds
 ]
 .PD 0
 .IP
 .PD
 [
 .B \-i
 .I include
 ] [
 .B \-e
 .I exclude
 ]
 .I COMMAND [ARGS]...
 .RI
 .SH DESCRIPTION
 .B Zzuf
 is a transparent application input fuzzer. It works by intercepting
 file operations and changing random bits in the program's input.
 .B Zzuf's
 behaviour is deterministic, making it easy to reproduce bugs.
 .RI
 .SH USAGE
 .B Zzuf
 will run an application specified on its command line, one or several times,
 with optional arguments, and will report the application's behaviour on
 the standard output.
 If you want to specify arguments for your application, put a
 .B \-\-
 marker before them on the command line, or
 .B zzuf
 will try to interpret them as arguments for itself.
 .RI
 .SH OPTIONS
 .TP
 .B \-r, \-\-ratio <ratio>
 Specify the amount of bits that will be randomly fuzzed. A value of 0
 will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
 bits. A value of 1.0 or more will fuzz all the bytes, theoretically making
 the input files undiscernible from random data. The default fuzzing ratio
 is 0.004 (fuzz 0.4% of the files' bits).
 .TP
 .B \-s, \-\-seed <seed>
 .PD 0
 .TP
 .B \-s, \-\-seed <start:stop>
 .PD
 Specify the random seed to use for fuzzing, or an interval of random seeds.
 Running
 .B zzuf
 twice with the same random seed will fuzz the files exactly the same way,
 even with a different target application. The purpose of this is to use
 simple utilities such as
 .B cat
 or
 .B cp
 to generate a file that causes the target application to crash.
 If an interval is specified,
 .B zzuf
 will run the application several times, each time with a different seed, and
 report the behaviour of each run.
 .TP
 .B \-F, \-\-fork <children>
 Specify the number of simultaneous children that can be run. This option is
 only useful if the
 .B \-s
 flag is used with an interval argument.
 .TP
 .B \-B, \-\-max\-bytes <n>
 Automatically terminate child processes that output more than
 .B <n>
 bytes on the standard output and standard error channels. This is useful to
 detect infinite loops.
 .TP
 .B \-T, \-\-max\-time <n>
 Automatically terminate child processes that run for more than
 .B <n>
 seconds. This is useful to detect infinite loops or processes stuck in other
 situations.
 .TP
 .B \-q, \-\-quiet
 Hide the output of the fuzzed application. This is useful if the application
 is very verbose but only its exit code is really useful to you.
 .TP
 .B \-i, \-\-include <regex>
 Only fuzz files whose name matches the
 .B <regex>
 regular expression. Use this for instance if your application reads
 configuration files in many places and you do not want them to be fuzzed.
 .TP
 .B \-e, \-\-exclude <regex>
 Do not fuzz files whose name matches the
 .B <regex>
 regular expression. This option supersedes anything that is specified by the
 .B \-\-exclude
 flag. Use this for instance if you do not know for sure what files your
 application is going to read, but do not want it to fuzz files in the
 .B /etc
 directory.
 .TP
 .B \-d, \-\-debug
 Activate the display of debug messages.
 .TP
 .B \-h, \-\-help
 Display a short help message and exit.
 .TP
 .B \-v, \-\-version
 Output version information and exit.
 .RI
 .SH EXAMPLES
 Fuzz the input of the
 .B cat
 program using default settings:
 .nf
 .B % zzuf cat /etc/motd
 .fi
 Fuzz 1% of the input bits of the
 .B cat
 program using seed 94324:
 .nf
 .B % zzuf -s 94324 -r 0.01 cat /etc/motd
 .fi
 Fuzz the input of the
 .B convert
 program, using file
 .B foo.jpeg
 as the original input and restricting fuzzing to filenames matching the
 regular expression
 .B "foo[.]jpeg"
 (because
 .B convert
 will also open its own configuration files and we do not want
 .B zzuf
 to fuzz them):
 .nf
 .B % zzuf -i "foo[.]jpeg" convert -- foo.jpeg -format tga /dev/null
 .fi
 Fuzz the input of
 .BR vlc ,
 using file
 .B movie.avi
 as the original input, and generate
 .B fuzzy-movie.avi
 which is a file that can be fed to
 .B vlc
 to reproduce the same behaviour without using
 .BR zzuf :
 .fn
 .B % zzuf -s 87423 -r 0.01 vlc movie.avi
 .B % zzuf -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi
 .B % vlc fuzzy-movie.avi
 .fi
 .RI
 .SH BUGS
 Only the most common file operations are implemented as of now:
 .BR open (),
 .BR read (),
 .BR fopen (),
 .BR fseek (),
 etc. One important unimplemented function is
 .BR fopen ().
 Network fuzzing is not implemented. It is not yet possible to insert or
 drop bytes from the input, to fuzz according to the file format, or to do
 all these complicated operations. They are planned, though.
 .RI
 .SH AUTHOR
 .B Zzuf
 and this manual page were written by Sam Hocevar <sam@zoy.org>. There is a
 webpage available at http://sam.zoy.org/zzuf/