FUZZ(1)FUZZ(1)NAMEfuzz - stress test programs
SYNOPSISfuzz [-t|--timeout timeinsecs] [-p|--printable] [-n|--newlines]
[-l|--length totlen] [-m|--maxline maxlinelen] [-r|--runcount numruns]
[-b|--bytes] [-c|--chroot] [-u|--user username] [-a|--args] [-o|--omit‐
data] [-e|--execute filename] [-x|--maxargs numargs] [-d|--dontask]
[-y|--mararglen arglen] [-V|--version] [-i|--priority] target targe‐
targ...
DESCRIPTIONfuzz is a program designed to find bugs in other programs. It does this
by doing a form of black box testing. It does this by running the tar‐
get program multiple times and passing it random input. Right now this
can come from one of two places, stdin and the command line arguments.
Testing completes whenever the program either the requested number of
runs finishes successufully or the program crashes.
Any arguments following the target program are passed directly to the
target program.
OPTIONS
-t, --timeout TIME
This sets the number of seconds that the fuzz will wait for the
other program before it assumes that the program is hung. The
default value is 120 seconds. This is sensing of when a program
is hung is not entirely reliable. See the BUGS section.
-p, --printable
This limits both the stdin and the command line arguments to
only printable characters. By default fuzz passes fully random
bytes into the target program.
-n, --newlines
Include random newlines in the input stream.
-l, --length LENGTH
The length in bytes of the data stream to pass through stdin
into the target program. The default length is 100K.
-m, --maxline MAXLINELEN
Specify the maximum line length within the random data stream
passed into stdin.
-r, --runcount RUNCOUNT
The number of times to run the target program. The default is
10,000.
-b, --bytes
In addition to counting through the number of runs. Count
through the bytes being sent through stdin to the program. This
option really serves no purpose other than making something
interesting to watch.
-c, --chroot
Since there is no telling what a program will do when given ran‐
dom input. this allows a program to be sort of caged while it is
run so that the damage that it may be able to do is minimized.
This requires that the fuzz be run as root. It will drop
privlages before it runs the test program. This option is best
used in conjunction with the --user option. This often times
requires that a program is statically linked.
-u, --user USERNAME
Since there is no telling what a program will do when given ran‐
dom input, this specifies what user the target program will be
run as so that it is easy to find and repair anything that may
have been scribbled across your file system. This option was
designed to be used in conjuntion with the --chroot option and
will only work if fuzz is run as root.
-a, --args
In addition to passing random data via stdin, pass random com‐
mand line arguments. This simply sets the number or random argu‐
ments to be passed to 256. See the BUGS section.
-o, --omitdata
Some programs don't take input from stdin. They only take input
from the command line arguments. If this is the case simply use
the --omitdata option.
-x. --maxargs NUMARGS
This is to set the maximum number of arguments that are passed
to each invocation of the target program.
-y, --maxarglen ARGLEN
Sets the maximum length of an arguments passed to the target
program.
-V, --version
Print the version of fuzz and exit.
-i, --priority
Run at a specified priority.
-d, --dontask
In the cases where the target program is for sure part of a
package and the packaging information will provide the needed
version information then you can use this option to avoid being
asked what the version is.
EXAMPLESfuzz grep foo
fuzz-c -u nobody cpio -i
BUGS
The random arg functions doesn't work very well right now. The argu‐
ments passed are so random that the program usually just prints out the
usage message and then terminates. This will become much more useful
later when we are mating data sets with the intention of maximizing
code coverage.
AUTHORS
Ben Woodard <ben@valinux.com>
3rd Berkeley Distribution November 3, 1999 FUZZ(1)
