From ebf935c11dfc69f1e2e267106e66e8e84465ee7e Mon Sep 17 00:00:00 2001 From: Sam Hocevar Date: Fri, 5 Jan 2007 21:33:28 +0000 Subject: [PATCH] * Split the bugs manpage section into bugs and restrictions. * Listed diverted functions. --- doc/zzuf.1 | 60 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 39 insertions(+), 21 deletions(-) diff --git a/doc/zzuf.1 b/doc/zzuf.1 index 2df82c0..9198dbd 100644 --- a/doc/zzuf.1 +++ b/doc/zzuf.1 @@ -16,8 +16,8 @@ zzuf \- multiple purpose fuzzer .SH DESCRIPTION .PP \fBZzuf\fR is a transparent application input fuzzer. It works by intercepting -file operations and changing random bits in the program's input. \fBZzuf\fR's -behaviour is deterministic, making it easy to reproduce bugs. +file and network operations and changing random bits in the program's input. +\fBZzuf\fR's behaviour is deterministic, making it easy to reproduce bugs. .SH USAGE .PP \fBZzuf\fR will run an application specified on its command line, one or @@ -48,7 +48,8 @@ has the same effect as \fB zzuf \-I \(aq^file\\.txt$\(aq cat file.txt\fR -See the \fB\-I\fR flag for more information. +See the \fB\-I\fR flag for more information on restricting fuzzing to +specific files. .TP \fB\-d\fR, \fB\-\-debug\fR Activate the display of debug messages. @@ -182,7 +183,7 @@ Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324: .PP \fB zzuf -s 94324 -r 0.01 cat /etc/motd\fR .PP -Fuzz the input of the \fBcat\fR program but do not fuzz the newline character +Fuzz the input of the \fBcat\fR program but do not fuzz newline characters and prevent non-ASCII characters from appearing in the output: .PP \fB zzuf -P \(aq\\n\(aq -R \(aq\\x00-\\x1f\\x7f-\\xff\(aq cat /etc/motd\fR @@ -212,36 +213,53 @@ and disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR): .PP \fB zzuf -c -q -s 0:10000 -F 3 -T 60 -r 0.02 \\\fR \fB mplayer -- -benchmark -vo null -fps 1000 movie.avi\fR -.SH BUGS +.SH RESTRICTIONS .PP Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR on most Unix systems, \fBDYLD_INSERT_LIBRARIES\fR on Mac OS X) to run its child processes, it will fail in the presence of any mechanism that disables preloading. For instance setuid root binaries will not be fuzzed when run -as an unprivileged user. This limitation will probably not be addressed. -.PP -It is not yet possible to insert or drop bytes from the input, to fuzz -according to the file format, or to do all these complicated operations. These -features are planned. -.PP -Only the most common file operations are implemented: \fBopen\fR(), -\fBread\fR(), \fBfopen\fR(), \fBfseek\fR(), etc. One important unimplemented -function is \fBfscanf\fR(). These features will be implemented based on user -request. -.PP -As of now, \fBzzuf\fR does not really support multithreaded applications. The -behaviour with multithreaded applications where more than one thread does file -descriptor operations is undefined. This bug will be fixed. +as an unprivileged user. .PP Though best efforts are made, identical behaviour for different versions of \fBzzuf\fR is not guaranteed. The reproducibility for subsequent calls on different operating systems and with different target programs is only -guaranteed when the same version of \fBzzuf\fR is used. +guaranteed when the same version of \fBzzuf\fR is being used. +.SH BUGS +.PP +It is not yet possible to insert or drop bytes from the input, to fuzz +according to the file format, to swap bytes, etc. More advanced fuzzing +methods are planned. +.PP +As of now, \fBzzuf\fR does not really support multithreaded applications. The +behaviour with multithreaded applications where more than one thread does file +descriptor operations is undefined. +.SH NOTES +In order to intercept file and network operations, \fBzzuf\fR diverts and +reimplements the following functions: +.TP +Unix low-level file and socket handling: +\fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBaccept\fR(), \fBsocket\fR(), +\fBclose\fR() +.TP +Standard IO streams: +\fBfopen\fR(), \fBfseek\fR(), \fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(), +\fBfgets\fR(), \fBungetc\fR(), \fBfclose\fR() +.TP +GNU libc specific: +\fBopen64\fR(), \fBlseek64\fR(), \fBgetline\fR(), \fBgetdelim\fR(), +\fB__getdelim\fR() +.TP +BSD specific: +\fBfgetln\fR() +.PP +One important unimplemented function is \fBfscanf\fR() because of its +important complexity. Missing functions will be implemented based upon user +request. .SH HISTORY .PP \fBZzuf\fR started its life in 2002 as the \fBstreamfucker\fR tool, a small multimedia stream corrupter used to find bugs in the \fBVLC\fR media player. -\fBZzuf\fR is a complete rewrite of that tool. .SH AUTHOR .PP Copyright \(co 2006, 2007 Sam Hocevar .