libzzuf(3)                 Library Functions Manual                 libzzuf(3)

NAME

       libzzuf - helper library for the zzuf multiple purpose fuzzer

DESCRIPTION

       libzzuf is a helper library automatically preloaded by zzuf when
       fuzzing applications, but it can also be used alone for debugging
       purposes or specific cases that cannot be covered by zzuf.

USAGE

       libzzuf must be preloaded using the operating system's default way of
       preloading libraries. For instance, on a typical Linux installation:

           LD_PRELOAD=/usr/lib/zzuf/libzzuf.so

ENVIRONMENT VARIABLES

       libzzuf's initial setup is done through environment variables. After
       they are read, no further information can be sent to the fuzzed
       process.

       All environment variables are optional.

       ZZUF_DEBUG
              This environment variable is set to the debugging level. 0 means
              no debugging information is sent to zzuf. 1 logs important
              information as well as all diverted functions. 2 logs fuzzing
              status and all optional file stream information.

       ZZUF_DEBUGFD
              This environment variable is set to a file descriptor where
              libzzuf will send debugging information. This is used to send
              data to the main zzuf controlling binary.

       ZZUF_SEED
              This variable is set to the initial random seed. Corresponding
              zzuf flag: --seed.

       ZZUF_MINRATIO, ZZUF_MAXRATIO
              These variables are set to the minimal and maximal fuzzing
              ratios. Corresponding zzuf flag: --ratio.

       ZZUF_AUTOINC
              If this variable is set, the random seed is incremented each
              time a new file is opened. Corresponding zzuf flag: --autoinc.

       ZZUF_BYTES
              This variable contains byte ranges to which fuzzing should be
              restricted. Corresponding zzuf flag: --bytes.

       ZZUF_LIST
              This variable contains file descriptor ranges to which fuzzing
              should be restricted. Corresponding zzuf flag: --list.

       ZZUF_NETWORK
              If this variable is set, network mode is activated.
              Corresponding zzuf flag: --network.

       ZZUF_PORTS
              This variable contains port ranges to which fuzzing should be
              restricted. Corresponding zzuf flag: --port.

       ZZUF_PROTECT, ZZUF_REFUSE
              These variables contain character ranges to protect or refuse.
              Corresponding zzuf flags: --protect, --refuse.

       ZZUF_INCLUDE, ZZUF_EXCLUDE
              These variables contain regular expressions to indicate which
              files should be included or excluded from the list of fuzzed
              files. Corresponding zzuf flags: --include, --exclude.

       ZZUF_SIGNAL
              If this variable is set, the fuzzed process will be prevented
              from installing signal handlers that usually cause coredumps.
              Corresponding zzuf flag: --signal.

       ZZUF_MEMORY
              This variable contains the maximum amount of memory that the
              fuzzed process is allowed to allocate. Corresponding zzuf flag:
              --max-memory.

       ZZUF_STDIN
              If this variable is set, standard input will be fuzzed, too.
              Corresponding zzuf flag: --stdin.

NOTES

       In order to intercept file and network operations, signal handlers and
       memory allocations, libzzuf diverts and reimplements the following
       functions, which can sometimes be private C library symbols, too:

       Unix file descriptor handling:
              open(), dup(), dup2(), lseek(), read(), readv(), pread(),
              accept(), socket(), recv(), recvfrom(), recvmsg(), aio_read(),
              aio_return(), close()

       Standard IO streams:
              fopen(), freopen(), fseek(), fseeko(), rewind(), fread(),
              getc(), getchar(), fgetc(), fgets(), ungetc(), fclose()

       Memory management:
              mmap(), munmap(), malloc(), calloc(), valloc(), free(),
              memalign(), posix_memalign()

       Required on Linux:
              open64(), lseek64(), mmap64(), _IO_getc(), getline(),
              getdelim(), __getdelim(), getc_unlocked(), getchar_unlocked(),
              fgetc_unlocked(), fgets_unlocked(), fread_unlocked(), __uflow()

       Required on BSD systems:
              fgetln(), __srefill(), __srget()

       Required on Mac OS X:
              map_fd()

       Required on HP-UX:
              __open64(), __lseek64(), __filbuf()

       Required on OpenSolaris:
              freopen64(), fseeko64(), fsetpos64()

       Signal handling:
              signal(), sigaction()

       If an application manipulates file descriptors (reading data, seeking
       around) using functions that are not in that list, libzzuf will not
       fuzz its input consistently and the results should not be trusted. You
       can use a tool such as ltrace(1) on Linux to identify the missing
       functions.

       On BSD systems, such as FreeBSD or Mac OS X, __srefill() is enough to
       monitor all standard IO stream functions. On other systems, such as
       Linux, each function is reimplemented on a case by case basis. One
       important unimplemented function is fscanf(), because of its
       complexity. Missing functions will be added upon user request.

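       One way to apply the ltrace(1) check described above, as an added
       example that is not part of libzzuf or of the original page: the
       function reads ltrace output and reports input-related calls that are
       absent from the diverted list. The watch-list, the function name
       zzuf_uncovered and the sample trace are assumptions made for
       illustration.

```shell
#!/bin/sh
# Diverted functions copied from the NOTES list (generic + "Required on Linux").
ZZUF_DIVERTED="open dup dup2 lseek read readv pread accept socket recv recvfrom
recvmsg aio_read aio_return close fopen freopen fseek fseeko rewind fread getc
getchar fgetc fgets ungetc fclose mmap munmap malloc calloc valloc free memalign
posix_memalign open64 lseek64 mmap64 _IO_getc getline getdelim __getdelim
getc_unlocked getchar_unlocked fgetc_unlocked fgets_unlocked fread_unlocked
__uflow signal sigaction"

# Assumption: glibc routines that read or reposition input, chosen for this
# example. Only fscanf is named by the page; the list is not exhaustive.
# __isoc99_fscanf is how fscanf() calls commonly appear in traces on glibc.
ZZUF_WATCH="fscanf vfscanf scanf __isoc99_fscanf __isoc99_scanf pread64 preadv
openat fdopen fopen64 fsetpos fgetwc fgetws getw recvmmsg dup3
__read_chk __fread_chk __fgets_chk"

# Constructed ltrace(1) output for a hypothetical target (sample input).
SAMPLE_LTRACE='fopen("input.cfg", "r") = 0x55d0c8a2b2a0
__isoc99_fscanf(0x55d0c8a2b2a0, "%d", 0x7ffd1c3a) = 1
[pid 4242] fsetpos(0x55d0c8a2b2a0, 0x7ffd1c50) = 0
fgets("name=demo\n", 128, 0x55d0c8a2b2a0) = 0x7ffd1c40
strlen("name=demo\n") = 10
fclose(0x55d0c8a2b2a0) = 0
+++ exited (status 0) +++'

# Read ltrace output on stdin; print watched calls that libzzuf does not divert.
zzuf_uncovered() {
    diverted=" $(echo $ZZUF_DIVERTED) "   # collapse newlines to single spaces
    watch=" $(echo $ZZUF_WATCH) "
    # Drop an optional "[pid N] " prefix and keep the name before "(".
    sed -n 's/^\(\[pid [0-9]*] \)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)(.*/\2/p' |
    LC_ALL=C sort -u |
    while read -r fn; do
        case "$diverted" in *" $fn "*) continue ;; esac   # covered by libzzuf
        case "$watch" in *" $fn "*) echo "$fn" ;; esac    # input call, not covered
    done
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LTRACE" | zzuf_uncovered
```

       Against a real target, feed it the trace instead of the sample, for
       instance "ltrace -f ./target input 2>&1 | zzuf_uncovered", where
       ./target and input are placeholders.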

SEE ALSO

       zzuf(1), ld.so(8)

AUTHOR

       Copyright © 2002-2015 Sam Hocevar <sam@hocevar.net>.

       libzzuf and this manual page are free software. They come without any
       warranty, to the extent permitted by applicable law. You can
       redistribute them and/or modify them under the terms of the Do What
       the Fuck You Want to Public License, Version 2, as published by the
       WTFPL Task Force. See http://www.wtfpl.net/ for more details.

       zzuf's webpage can be found at http://caca.zoy.org/wiki/zzuf. An
       overview of the architecture and inner workings is at
       http://caca.zoy.org/wiki/zzuf/internals.

libzzuf 0.15                      2015-01-06                        libzzuf(3)