Section: C Library Functions (3)Updated: 2008-06-10Local indexUp
NAME
libzzuf - helper library for the zzuf multiple purpose fuzzer
DESCRIPTION
libzzuf is a helper library automatically preloaded by zzuf when
fuzzing applications, but it can also be used alone for debugging purposes or
specific cases that cannot be covered by zzuf.
USAGE
libzzuf must be preloaded using the operating system's default way of
preloading libraries. For instance, on a typical Linux installation:
LD_PRELOAD=/usr/lib/zzuf/libzzuf.so
ENVIRONMENT VARIABLES
libzzuf's initial setup is done through environment variables. After
they are read, no further information can be sent to the fuzzed process.
All environment variables are optional.
ZZUF_DEBUG
This environment variable is set to a file descriptor where libzzuf will
send debugging information. This is used to send data to the main zzuf
controlling binary.
ZZUF_SEED
This variable is set to the initial random seed. Corresponding zzuf flag:
--seed.
ZZUF_MINRATIO, ZZUF_MAXRATIO
These variables are set to the minimal and maximal fuzzing ratios.
Corresponding zzuf flag: --ratio.
ZZUF_AUTOINC
If this variable is set, the random seed is incremented each time a new
file is opened. Corresponding zzuf flag: --autoinc.
ZZUF_BYTES
This variable contains byte ranges to which fuzzing should be restricted.
Corresponding zzuf flag: --bytes.
ZZUF_LIST
This variable contains file descriptor ranges to which fuzzing should be
restricted. Corresponding zzuf flag: --list.
ZZUF_NETWORK
If this variable is set, network mode is activated. Corresponding zzuf
flag: --network.
ZZUF_PORTS
This variable contains port ranges to which fuzzing should be restricted.
Corresponding zzuf flag: --port.
ZZUF_PROTECT, ZZUF_REFUSE
These variables contain character ranges to protect or refuse. Corresponding
zzuf flags: --protect, --refuse.
ZZUF_INCLUDE, ZZUF_EXCLUDE
These variables contain regular expressions to indicate which files should be
included or excluded from the list of fuzzed files. Corresponding zzuf
flags: --include, --exclude.
ZZUF_SIGNAL
If this variable is set, the fuzzed process will be prevented from installing
signal handlers that usually cause coredumps. Corresponding zzuf flag:
--signal.
ZZUF_MEMORY
This variable contains the maximum amount of memory that the fuzzed process
is allowed to allocate. Corresponding zzuf flag: --max-memory.
ZZUF_STDIN
If this variable is set, standard input will be fuzzed, too. Corresponding
zzuf flag: --stdin.
NOTES
In order to intercept file and network operations, signal handlers and memory
allocations, libzzuf diverts and reimplements the following functions,
which can sometimes be private C library symbols, too:
If an application manipulates file descriptors (reading data, seeking around)
using functions that are not in that list, libzzuf will not fuzz its
input consistently and the results should not be trusted. You can use a tool
such as ltrace(1) on Linux to know the missing functions.
On BSD systems, such as FreeBSD or Mac OS X, __srefill() is enough to
monitor all standard IO streams functions. On other systems, such as Linux,
each function is reimplemented on a case by case basis. One important
unimplemented function is fscanf(), because of its complexity. Missing
functions will be added upon user request.
libzzuf and this manual page are free software. They come without any
warranty, to the extent permitted by applicable law. You can redistribute
them and/or modify them under the terms of the Do What The Fuck You Want
To Public License, Version 2, as published by Sam Hocevar. See
http://sam.zoy.org/wtfpl/COPYING for more details.