fuzz

FUZZ(1)                     General Commands Manual                    FUZZ(1)



NAME
       fuzz - stress test programs


SYNOPSIS
       fuzz [-t|--timeout timeinsecs] [-p|--printable] [-n|--newlines N]
       [-l|--length totlen] [-m|--maxline maxlinelen] [-r|--runcount numruns]
       [-b|--bytes] [-c|--chroot] [-u|--user username] [-a|--args]
       [-o|--omitdata] [-e|--execute filename] [-x|--maxargs numargs]
       [-d|--dontask] [-y|--mararglen arglen] [-V|--version] [-i|--priority]
       target targetarg...


DESCRIPTION
       fuzz is a program designed to find bugs in other programs. It does this
       by doing a form of black box testing. It does this by running the
       target program multiple times and passing it random input. Right now
       this can come from one of two places, stdin and the command line
       arguments. Testing completes whenever the program either the requested
       number of runs finishes successufully or the program crashes.

       Any arguments following the target program are passed directly to the
       target program.

       NOTE: If the program is not in PATH, it must be referred to using
       absolute path.


   OPTIONS
       -a, --args
              In addition to passing random data via stdin, pass random
              command line arguments. This simply sets the number or random
              arguments to be passed to 256. See the BUGS section.


       -b, --bytes
              In addition to counting through the number of runs. Count
              through the bytes being sent through stdin to the program. This
              option really serves no purpose other than making something
              interesting to watch.


       -c, --chroot
              Since there is no telling what a program will do when given
              random input. this allows a program to be sort of caged while it
              is run so that the damage that it may be able to do is
              minimized. This requires that the fuzz be run as root. It will
              drop privlages before it runs the test program. This option is
              best used in conjunction with the --user option. This often
              times requires that a program is statically linked.


       -d, --dontask
              In the cases where the target program is for sure part of a
              package and the packaging information will provide the needed
              version information then you can use this option to avoid being
              asked what the version is.


       -i, --priority
              Run at a specified priority.


       -l, --length LENGTH
              The length in bytes of the data stream to pass through stdin
              into the target program. The default length is 100K.


       -m, --maxline MAXLINELEN
              Specify the maximum line length within the random data stream
              passed into stdin.


       -n, --newlines N
              Include random N newlines in the input stream.


       -o, --omitdata
              Some programs don't take input from stdin. They only take input
              from the command line arguments. If this is the case simply use
              the --omitdata option.


       -p, --printable
              This limits both the stdin and the command line arguments to
              only printable characters. By default fuzz passes fully random
              bytes into the target program.


       -r, --runcount RUNCOUNT
              The number of times to run the target program. The default is
              10,000.


       -t, --timeout TIME
              This sets the number of seconds that the fuzz will wait for the
              other program before it assumes that the program is hung. The
              default value is 120 seconds. This is sensing of when a program
              is hung is not entirely reliable. See the BUGS section.


       -u, --user USERNAME
              Since there is no telling what a program will do when given
              random input, this specifies what user the target program will
              be run as so that it is easy to find and repair anything that
              may have been scribbled across your file system. This option was
              designed to be used in conjuntion with the --chroot option and
              will only work if fuzz is run as root.


       -V, --version
              Print the version of fuzz and exit.


       -x. --maxargs NUMARGS
              This is to set the maximum number of arguments that are passed
              to each invocation of the target program.


       -y, --maxarglen ARGLEN
              Sets the maximum length of an arguments passed to the target
              program.


EXAMPLES
       Check grep:

              fuzz grep foo

       Run program with different user:

              fuzz --chroot --user nobody cpio -i

       When program is not in path, use absolute patch to access it:

              fuzz ./src/myprogram


BUGS
       The random arg functions doesn't work very well right now. The
       arguments passed are so random that the program usually just prints out
       the usage message and then terminates. This will become much more
       useful later when we are mating data sets with the intention of
       maximizing code coverage.


AUTHORS
       Ben Woodard <ben@valinux.com>



3rd Berkeley Distribution      November 3, 1999                        FUZZ(1)