Multi Purpose Fuzzer: zzuf

zzuf is a transparent application input fuzzer. Its purpose is to find bugs in applications by corrupting the user-contributed data they process (which more often than not comes from untrusted sources on the Internet). It works by intercepting file and network operations and changing random bits in the program's input. zzuf's behaviour is deterministic: the same seed and ratio always produce the same corruption, which makes bugs easier to reproduce. Its main areas of use are:

  • quality assurance: use zzuf to test existing software, or integrate it into your own software's test suite
  • security: segmentation faults and memory corruption issues very often indicate a potential security hole; zzuf helps expose some of them
  • code coverage analysis: use zzuf to maximise code coverage

zzuf's primary targets are media players, image viewers and web browsers, because the data they process is inherently untrusted, but it has also been used successfully to find bugs in system utilities such as objdump.

zzuf is not rocket science: the idea of fuzzing input data is hardly new, but zzuf's main purpose is to make it easier and automated.

Documentation

The zzuf tutorial is a hands-on guide to the most important zzuf features. It starts with the working principles and goes on to very advanced uses of the tool.

Warning: this tutorial requires zzuf version 0.11 or later.

  1. Basic zzuf usage
    1.1. Launching zzuf
    1.2. Invoking different programs
    1.3. The fuzzing ratio
    1.4. The random seed
    1.5. Creating fuzzed files
  2. zzuf as a batch testing tool
    2.1. Debug mode
    2.2. Include and exclude patterns
    2.3. Seed ranges
    2.4. Ratio ranges

Architecture overview

The zzuf software consists of two parts:

  • The zzuf executable
  • The libzzuf shared library

Here is the global workflow when zzuf fuzzes a process:

  • zzuf reads options from the command line.
  • zzuf writes the fuzzing information (seed, ratio, include/exclude patterns) to the environment.
  • zzuf preloads libzzuf into the called process and executes it.
  • libzzuf reads the fuzzing information back from the environment.
  • libzzuf diverts standard library calls (file and network I/O) to its own implementations.
  • The called process runs normally, but every diverted call goes through libzzuf first, which corrupts the data before the program ever sees it.
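The workflow above is easiest to understand with a miniature version of it. The following is an added example written for this page; it is not zzuf's or libzzuf's code, and the environment variable names ZZ_SEED and ZZ_RATIO are this example's own, not zzuf's. It shows the two properties that matter for a deterministic fuzzer: which bits get flipped depends only on (seed, absolute position in the stream), so the corruption is identical however the target chunks its reads, and a per-descriptor position table keeps successive read() calls on one fd continuous. The guarded block at the end is the "diverted call": built as a shared object and LD_PRELOADed, it sits in front of the target's real read().

```c
/* Added example (not zzuf's code): a minimal model of libzzuf's read() diversion.
 * Bits to flip are chosen by hashing (seed, absolute bit index), so the same
 * input with the same seed and ratio is corrupted identically whatever chunk
 * sizes the target reads in. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* splitmix64 finaliser: a well-known 64-bit mixing function. */
static uint64_t zz_mix(uint64_t x)
{
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Flip stream bit `bit` iff hash(seed, bit) < ratio. Pure: the decision
 * depends only on the seed and the absolute bit index, never on chunking. */
static int zz_should_flip(uint32_t seed, uint64_t bit, double ratio)
{
    uint64_t h = zz_mix(((uint64_t)seed << 32) ^ bit);
    double u = (double)(h >> 11) * (1.0 / 9007199254740992.0); /* [0,1) */
    return u < ratio;
}

/* Fuzz `len` bytes that sit at absolute stream offset `off`. */
void zz_fuzz(uint8_t *buf, size_t len, uint64_t off, uint32_t seed, double ratio)
{
    for (size_t i = 0; i < len; i++)
        for (int b = 0; b < 8; b++)
            if (zz_should_flip(seed, (off + i) * 8 + (uint64_t)b, ratio))
                buf[i] ^= (uint8_t)(1u << b);
}

/* Per-descriptor stream position, the bookkeeping that lets successive
 * reads on one fd see a single continuous corrupted stream. */
#define ZZ_MAXFD 1024
static uint64_t zz_pos[ZZ_MAXFD];

void zz_reset(void) { memset(zz_pos, 0, sizeof zz_pos); }

/* Run after the real read(): corrupt what it returned, then advance. */
void zz_after_read(int fd, uint8_t *buf, ssize_t n, uint32_t seed, double ratio)
{
    if (n <= 0 || fd < 0 || fd >= ZZ_MAXFD) return;
    zz_fuzz(buf, (size_t)n, zz_pos[fd], seed, ratio);
    zz_pos[fd] += (uint64_t)n;
}

/* Number of bits that differ between two equal-length buffers. */
size_t zz_bitdiff(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t d = 0;
    for (size_t i = 0; i < len; i++)
        d += (size_t)__builtin_popcount((unsigned)(a[i] ^ b[i]));
    return d;
}

#ifdef ZZ_PRELOAD
/* The diverted call. Build:  cc -DZZ_PRELOAD -shared -fPIC -o libzz.so zz.c
 * Run:    ZZ_SEED=1 ZZ_RATIO=0.004 LD_PRELOAD=./libzz.so ./target input.file
 * ZZ_SEED and ZZ_RATIO are this example's names, not zzuf's. */
#include <dlfcn.h>
ssize_t read(int fd, void *buf, size_t count)
{
    static ssize_t (*real_read)(int, void *, size_t);
    if (!real_read) *(void **)&real_read = dlsym(RTLD_NEXT, "read");
    ssize_t n = real_read(fd, buf, count);
    const char *s = getenv("ZZ_SEED"), *r = getenv("ZZ_RATIO");
    if (s && r && fd > 2) /* leave stdin/stdout/stderr alone */
        zz_after_read(fd, buf, n, (uint32_t)strtoul(s, NULL, 10), strtod(r, NULL));
    return n;
}
#endif

int main(void)
{
    /* Constructed input: a fake 64-byte header, bytes 0x00..0x3f. */
    uint8_t orig[64], a[64], b[64];
    for (int i = 0; i < 64; i++) orig[i] = (uint8_t)i;
    zz_reset();
    /* Same stream read as one 64-byte chunk on fd 3 ... */
    memcpy(a, orig, 64);
    zz_after_read(3, a, 64, 42, 0.05);
    /* ... and as 10 + 54 bytes on fd 4: the corruption must be identical. */
    memcpy(b, orig, 64);
    zz_after_read(4, b, 10, 42, 0.05);
    zz_after_read(4, b + 10, 54, 42, 0.05);
    printf("chunking-independent: %s, %zu bits flipped\n",
           memcmp(a, b, 64) == 0 ? "yes" : "no", zz_bitdiff(orig, a, 64));
    return 0;
}
```

Two design points carry over to the real tool. First, position-based rather than call-based randomness is what makes a crash reproducible: the target can buffer or mmap however it likes and still sees the same bytes for a given seed. Second, the wrapper must never fuzz descriptors the target did not open for data (stdin/stdout/stderr here, and in practice anything that fails the include/exclude patterns), or the fuzzer corrupts its own logging and the dynamic loader's reads of libraries.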

