47 lines
1.5 KiB
Plaintext
1. About Zzuf

Zzuf is a transparent application input fuzzer. It works by intercepting
file operations and changing random bits in the program's input. Zzuf's
behaviour is deterministic, making it easy to reproduce bugs.

2. Example

Fuzz the input of the "cat" program using default settings:

# zzuf cat /etc/motd

Fuzz 1% of the input bits of the "cat" program using seed 94324:

# zzuf -s 94324 -r 0.01 cat /etc/motd

Fuzz the input of the "convert" program, using file foo.jpeg as the original
input and restricting fuzzing to filenames matching the regular expression
"foo[.]jpeg" (because convert will also open its own configuration files and
we do not want zzuf to fuzz them):

# zzuf -i 'foo[.]jpeg' convert -- foo.jpeg -format tga /dev/null

Fuzz the input of VLC, using file movie.avi as the original input, and
generate fuzzy-movie.avi which is a file that can be fed to VLC to reproduce
the behaviour without using zzuf:

# zzuf -s 87423 -r 0.01 vlc movie.avi

# zzuf -s 87423 -r 0.01 cp movie.avi fuzzy-movie.avi
# vlc fuzzy-movie.avi

Fuzz the input of MPlayer and back up movies that caused it to crash:

# for seed in $(seq -w 0 9999); do
    zzuf -s ${seed} -r 0.01 -i 'movie[.]avi' mplayer -- \
      -benchmark -vo null -fps 1000 movie.avi >/dev/null 2>&1
    RET=$?
    if [ "$RET" -ne 0 ]; then
      echo "seed ${seed}: exit $RET"
      # same seed and ratio as the run above, so the copy holds the bytes
      # that mplayer actually read
      zzuf -s ${seed} -r 0.01 cp movie.avi movie-crashed-${seed}.avi
    fi
  done

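The MPlayer loop above keeps a file for every non-zero exit, which also
catches ordinary "cannot play this file" errors. The following is an added
example, not part of the zzuf documentation, that keeps a reproducer only
when the run was killed by a signal. The function names classify_status and
sweep are hypothetical, and it assumes zzuf hands the target's termination
status back to the shell, so that death by signal N shows up as 128+N.

```shell
#!/bin/sh
# Added example: triage for a zzuf seed sweep (not from the zzuf project).

# classify_status STATUS
# Prints "ok", "exit:N" for an ordinary error exit, or "signal:N".
# Assumption: the shell sees the target's status, where 128+N means the
# process was killed by signal N (for example 139 = SIGSEGV).
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "signal:$(($1 - 128))"
    else
        echo "exit:$1"
    fi
}

# sweep FIRST LAST RATIO INPUT CMD...
# Runs CMD under zzuf once per seed. For runs ended by a signal it writes
# crash-SEED-INPUT using the same seed and ratio, so the saved file holds
# the bytes the target read. SWEEP_CRASHES is set to the number saved.
sweep() {
    first=$1 last=$2 ratio=$3 input=$4
    shift 4
    seed=$first
    SWEEP_CRASHES=0
    while [ "$seed" -le "$last" ]; do
        status=0
        zzuf -s "$seed" -r "$ratio" "$@" >/dev/null 2>&1 || status=$?
        verdict=$(classify_status "$status")
        case $verdict in
            signal:*)
                out="crash-$seed-$(basename "$input")"
                zzuf -s "$seed" -r "$ratio" cp "$input" "$out"
                echo "seed $seed: $verdict -> $out"
                SWEEP_CRASHES=$((SWEEP_CRASHES + 1))
                ;;
            exit:*)
                echo "seed $seed: $verdict (not kept)"
                ;;
        esac
        seed=$((seed + 1))
    done
}
```

Example call: sweep 0 9999 0.01 movie.avi mplayer -benchmark -vo null -fps 1000 movie.avi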