SYNOPSIS
fuzz [-t|--timeout timeinsecs] [-p|--printable] [-n|--newlines N] [-l|--length totlen] [-m|--maxline maxlinelen] [-r|--runcount numruns] [-b|--bytes] [-c|--chroot] [-u|--user username] [-a|--args] [-o|--omitdata] [-e|--execute filename] [-x|--maxargs numargs] [-d|--dontask] [-y|--mararglen arglen] [-V|--version] [-i|--priority] target targetarg...
DESCRIPTION
fuzz is a program designed to find bugs in other programs. It does this by doing a form of black box testing. It does this by running the target program multiple times and passing it random input. Right now this can come from one of two places, stdin and the command line arguments. Testing completes whenever the program either the requested number of runs finishes successufully or the program crashes.Any arguments following the target program are passed directly to the target program.
NOTE: If the program is not in PATH, it must be referred to using absolute path.
OPTIONS
- -a, --args
-
In addition to passing random data via stdin, pass random command line
arguments. This simply sets the number or random arguments to be
passed to 256. See the
BUGS
section.
- -b, --bytes
-
In addition to counting through the number of runs. Count through the
bytes being sent through stdin to the program. This option really
serves no purpose other than making something interesting to watch.
- -c, --chroot
-
Since there is no telling what a program will do when given random
input. this allows a program to be sort of caged while it is run so
that the damage that it may be able to do is minimized. This requires
that the fuzz be run as root. It will drop privlages before it runs
the test program. This option is best used in conjunction with the
--user option. This often times requires that a program is
statically linked.
- -d, --dontask
-
In the cases where the target program is for sure part of a package and the
packaging information will provide the needed version information then you
can use this option to avoid being asked what the version is.
- -i, --priority
-
Run at a specified priority.
- -l, --length LENGTH
-
The length in bytes of the data stream to pass through stdin into the
target program. The default length is 100K.
- -m, --maxline MAXLINELEN
-
Specify the maximum line length within the random data stream passed
into stdin.
- -n, --newlines N
-
Include random N newlines in the input stream.
- -o, --omitdata
-
Some programs don't take input from stdin. They only take input from
the command line arguments. If this is the case simply use the
--omitdata option.
- -p, --printable
-
This limits both the stdin and the command line arguments to only
printable characters. By default fuzz passes fully random
bytes into the target program.
- -r, --runcount RUNCOUNT
-
The number of times to run the target program. The default is 10,000.
- -t, --timeout TIME
-
This sets the number of seconds that the fuzz will wait for the other
program before it assumes that the program is hung. The default value
is 120 seconds. This is sensing of when a program is hung is not
entirely reliable. See the
BUGS
section.
- -u, --user USERNAME
-
Since there is no telling what a program will do when given random
input, this specifies what user the target program will be run as so
that it is easy to find and repair anything that may have been
scribbled across your file system. This option was designed to be used
in conjuntion with the --chroot option and will only work if fuzz is
run as root.
- -V, --version
-
Print the version of fuzz and exit.
- -x. --maxargs NUMARGS
-
This is to set the maximum number of arguments that are passed to each
invocation of the target program.
- -y, --maxarglen ARGLEN
-
Sets the maximum length of an arguments passed to the target program.
EXAMPLES
Check grep:
- fuzz grep foo
Run program with different user:
- fuzz --chroot --user nobody cpio -i
When program is not in path, use absolute patch to access it:
- fuzz ./src/myprogram
BUGS
The random arg functions doesn't work very well right now. The arguments passed are so random that the program usually just prints out the usage message and then terminates. This will become much more useful later when we are mating data sets with the intention of maximizing code coverage.