libzzuf - helper library for the zzuf multiple purpose fuzzer
libzzuf is a helper library automatically preloaded by zzuf when
fuzzing applications, but it can also be used alone for debugging
purposes or specific cases that cannot be covered by zzuf.
libzzuf must be preloaded using the operating system's default way of
preloading libraries. For instance, on a typical Linux installation:
libzzuf's initial setup is done through environment variables. After
they are read, no further information can be sent to the fuzzed
All environment variables are optional.
This environment variable is set to the debugging level. 0 means
no debugging information is sent to zzuf. 1 logs important
information as well as all diverted functions. 2 logs fuzzing
status and all optional file stream information.
This environment variable is set to a file descriptor where
libzzuf will send debugging information. This is used to send
data to the main zzuf controlling binary.
This variable is set to the initial random seed. Corresponding
zzuf flag: --seed.
These variables are set to the minimal and maximal fuzzing
ratios. Corresponding zzuf flag: --ratio.
If this variable is set, the random seed is incremented each
time a new file is opened. Corresponding zzuf flag: --autoinc.
This variable contains byte ranges to which fuzzing should be
restricted. Corresponding zzuf flag: --bytes.
This variable contains file descriptor ranges to which fuzzing
should be restricted. Corresponding zzuf flag: --list.
If this variable is set, network mode is activated.
Corresponding zzuf flag: --network.
This variable contains port ranges to which fuzzing should be
restricted. Corresponding zzuf flag: --port.
These variables contain character ranges to protect or refuse.
Corresponding zzuf flags: --protect, --refuse.
These variables contain regular expressions to indicate which
files should be included or excluded from the list of fuzzed
files. Corresponding zzuf flags: --include, --exclude.
If this variable is set, the fuzzed process will be prevented
from installing signal handlers that usually cause coredumps.
Corresponding zzuf flag: --signal.
This variable contains the maximum amount of memory that the
fuzzed process is allowed to allocate. Corresponding zzuf flag:
If this variable is set, standard input will be fuzzed, too.
Corresponding zzuf flag: --stdin.
In order to intercept file and network operations, signal handlers and
memory allocations, libzzuf diverts and reimplements the following
functions, which can sometimes be private C library symbols, too:
Unix file descriptor handling:
open(), dup(), dup2(), lseek(), read(), readv(), pread(),
accept(), socket(), recv(), recvfrom(), recvmsg(), aio_read(),
Standard IO streams:
fopen(), freopen(), fseek(), fseeko(), rewind(), fread(),
getc(), getchar(), fgetc(), fgets(), ungetc(), fclose()
mmap(), munmap(), malloc(), calloc(), valloc(), free(),
Required on Linux:
open64(), lseek64(), mmap64(), _IO_getc(), getline(),
getdelim(), __getdelim(), getc_unlocked(), getchar_unlocked(),
fgetc_unlocked(), fgets_unlocked(), fread_unlocked(), __uflow()
Required on BSD systems:
fgetln(), __srefill(), __srget()
Required on Mac OS X:
Required on HP-UX:
__open64(), __lseek64(), __filbuf()
Required on OpenSolaris:
freopen64(), fseeko64(), fsetpos64()
If an application manipulates file descriptors (reading data, seeking
around) using functions that are not in that list, libzzuf will not
fuzz its input consistently and the results should not be trusted. You
can use a tool such as ltrace(1) on Linux to know the missing
On BSD systems, such as FreeBSD or Mac OS X, __srefill() is enough to
monitor all standard IO streams functions. On other systems, such as
Linux, each function is reimplemented on a case by case basis. One
important unimplemented function is fscanf(), because of its
complexity. Missing functions will be added upon user request.
Copyright © 2002-2010 Sam Hocevar <email@example.com>.
libzzuf and this manual page are free software. They come without any
warranty, to the extent permitted by applicable law. You can
redistribute them and/or modify them under the terms of the Do What The
Fuck You Want To Public License, Version 2, as published by Sam
Hocevar. See http://sam.zoy.org/wtfpl/COPYING for more details.
zzuf's webpage can be found at http://caca.zoy.org/wiki/zzuf. An
overview of the architecture and inner works is at