libzzuf - helper library for the zzuf multiple purpose fuzzer
libzzuf is a helper library automatically preloaded by
zzuf when fuzzing applications, but it can also be used alone for
debugging purposes or specific cases that cannot be covered by
zzuf.
libzzuf must be preloaded using the operating system's
default way of preloading libraries. For instance, on a typical Linux
installation:
LD_PRELOAD=/usr/lib/zzuf/libzzuf.so
libzzuf's initial setup is done through environment
variables. After they are read, no further information can be sent to the
fuzzed process.
All environment variables are optional.
- ZZUF_DEBUG: This environment variable is set to the debugging level. 0 means
  no debugging information is sent to zzuf. 1 logs important information as
  well as all diverted functions. 2 logs fuzzing status and all optional file
  stream information.
- ZZUF_DEBUGFD: This environment variable is set to a file descriptor where
  libzzuf will send debugging information. This is used to send data to the
  main zzuf controlling binary.
- ZZUF_SEED: This variable is set to the initial random seed. Corresponding
  zzuf flag: --seed.
- ZZUF_MINRATIO, ZZUF_MAXRATIO: These variables are set to the minimal and
  maximal fuzzing ratios. Corresponding zzuf flag: --ratio.
- ZZUF_AUTOINC: If this variable is set, the random seed is incremented each
  time a new file is opened. Corresponding zzuf flag: --autoinc.
- ZZUF_BYTES: This variable contains byte ranges to which fuzzing should be
  restricted. Corresponding zzuf flag: --bytes.
- ZZUF_LIST: This variable contains file descriptor ranges to which fuzzing
  should be restricted. Corresponding zzuf flag: --list.
- ZZUF_NETWORK: If this variable is set, network mode is activated.
  Corresponding zzuf flag: --network.
- ZZUF_PORTS: This variable contains port ranges to which fuzzing should be
  restricted. Corresponding zzuf flag: --port.
- ZZUF_PROTECT, ZZUF_REFUSE: These variables contain character ranges to
  protect or refuse. Corresponding zzuf flags: --protect, --refuse.
- ZZUF_INCLUDE, ZZUF_EXCLUDE: These variables contain regular expressions to
  indicate which files should be included in or excluded from the list of
  fuzzed files. Corresponding zzuf flags: --include, --exclude.
- ZZUF_SIGNAL: If this variable is set, the fuzzed process will be prevented
  from installing signal handlers that usually cause coredumps. Corresponding
  zzuf flag: --signal.
- ZZUF_MEMORY: This variable contains the maximum amount of memory that the
  fuzzed process is allowed to allocate. Corresponding zzuf flag:
  --max-memory.
- ZZUF_STDIN: If this variable is set, standard input will be fuzzed, too.
  Corresponding zzuf flag: --stdin.
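The following is an added illustration, not libzzuf's own code: a small Python model of what the knobs above mean for one diverted read() and for a run over several files. The range grammar ("lo-hi,lo-", end exclusive), the single ratio standing in for ZZUF_MINRATIO/ZZUF_MAXRATIO, and the way refused characters are handled (keep the original byte rather than redrawing) are assumptions of the model, not behaviour documented in this manual.

```python
import random

def parse_ranges(spec):
    # Assumed grammar "lo-hi,lo-" (hi exclusive, open end allowed); the manual
    # does not spell out how ranges are written, so this is illustrative only.
    ranges = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo or 0), int(hi) if hi else None))
    return ranges

def in_ranges(pos, ranges):
    # An empty ZZUF_BYTES means "no restriction": every offset is eligible.
    return not ranges or any(lo <= pos and (hi is None or pos < hi)
                             for lo, hi in ranges)

def fuzz_chunk(data, seed, ratio, byte_ranges="", protect=b"", refuse=b"",
               offset=0):
    """Model of one diverted read(): seed makes the result reproducible, ratio
    is the probability that any given bit is flipped, and byte_ranges/protect/
    refuse mirror ZZUF_BYTES, ZZUF_PROTECT and ZZUF_REFUSE. offset is the file
    position of data[0], because byte ranges apply to offsets in the file."""
    rng = random.Random(seed)
    ranges = parse_ranges(byte_ranges)
    out = bytearray(data)
    for i, byte in enumerate(data):
        if not in_ranges(offset + i, ranges) or byte in protect:
            continue  # outside the fuzzed ranges, or a protected character
        mask = 0
        for bit in range(8):
            if rng.random() < ratio:
                mask |= 1 << bit
        # A refused character must never be produced; this model keeps the
        # original byte instead of drawing again (assumption, not zzuf's rule).
        if mask and (byte ^ mask) not in refuse:
            out[i] = byte ^ mask
    return bytes(out)

def fuzz_files(files, seed, ratio, autoinc=False, **knobs):
    """Model of a run over several files: with ZZUF_AUTOINC each newly opened
    file is fuzzed with seed, seed + 1, ...; without it every file shares the
    same seed. files is a list of (name, content) pairs."""
    results = {}
    for n, (name, content) in enumerate(files):
        results[name] = fuzz_chunk(content, seed + n if autoinc else seed,
                                   ratio, **knobs)
    return results

if __name__ == "__main__":
    # Constructed sample input; ratio 1.0 flips every eligible bit.
    print(fuzz_chunk(b"abcd", 1, 1.0, byte_ranges="1-3", protect=b"c"))
```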
In order to intercept file and network operations, signal handlers
and memory allocations, libzzuf diverts and reimplements the
following functions, which can sometimes be private C library symbols,
too:
- Unix file descriptor handling: open(), dup(), dup2(), lseek(), read(),
  readv(), pread(), accept(), socket(), recv(), recvfrom(), recvmsg(),
  aio_read(), aio_return(), close()
- Standard IO streams: fopen(), freopen(), fseek(), fseeko(), rewind(),
  fread(), getc(), getchar(), fgetc(), fgets(), ungetc(), fclose()
- Memory management: mmap(), munmap(), malloc(), calloc(), valloc(), free(),
  memalign(), posix_memalign()
- Required on Linux: open64(), lseek64(), mmap64(), _IO_getc(), getline(),
  getdelim(), __getdelim(), getc_unlocked(), getchar_unlocked(),
  fgetc_unlocked(), fgets_unlocked(), fread_unlocked(), __uflow()
- Required on BSD systems: fgetln(), __srefill(), __srget()
- Required on Mac OS X: map_fd()
- Required on HP-UX: __open64(), __lseek64(), __filbuf()
- Required on OpenSolaris: freopen64(), fseeko64(), fsetpos64()
- Signal handling: signal(), sigaction()
If an application manipulates file descriptors (reading data, seeking around)
using functions that are not in that list, libzzuf will not fuzz its input
consistently and the results should not be trusted. You can use a tool such as
ltrace(1) on Linux to find out which functions are missing.
On BSD systems, such as FreeBSD or Mac OS X, __srefill() is enough to monitor
all standard IO stream functions. On other systems, such as Linux, each
function is reimplemented on a case-by-case basis. One important unimplemented
function is fscanf(), because of its complexity. Missing functions will be
added upon user request.
Copyright © 2002-2015 Sam Hocevar <sam@hocevar.net>.
libzzuf and this manual page are free software. They come
without any warranty, to the extent permitted by applicable law. You can
redistribute them and/or modify them under the terms of the Do What the Fuck
You Want to Public License, Version 2, as published by the WTFPL Task Force.
See http://www.wtfpl.net/ for more details.
zzuf's webpage can be found at http://caca.zoy.org/wiki/zzuf. An overview of
the architecture and inner workings is at
http://caca.zoy.org/wiki/zzuf/internals.