Man Linux: Main Page and Category List


       fuzz - stress test programs


       fuzz   [-t|--timeout  timeinsecs]  [-p|--printable]  [-n|--newlines  N]
       [-l|--length totlen] [-m|--maxline maxlinelen] [-r|--runcount  numruns]
       [-b|--bytes]    [-c|--chroot]    [-u|--user    username]    [-a|--args]
       [-o|--omitdata]   [-e|--execute   filename]   [-x|--maxargs    numargs]
       [-d|--dontask]  [-y|--mararglen  arglen] [-V|--version] [-i|--priority]
       target targetarg...


       fuzz is a program designed to find bugs in other programs. It does this
       by  doing  a  form  of  black  box testing. It does this by running the
       target program multiple times and passing it random  input.  Right  now
       this  can  come  from  one  of  two  places, stdin and the command line
       arguments. Testing completes whenever the program either the  requested
       number of runs finishes successufully or the program crashes.

       Any  arguments  following the target program are passed directly to the
       target program.

       NOTE: If the program is not in PATH,  it  must  be  referred  to  using
       absolute path.

       -a, --args
              In  addition  to  passing  random  data  via  stdin, pass random
              command line arguments. This simply sets the  number  or  random
              arguments to be passed to 256. See the BUGS section.

       -b, --bytes
              In  addition  to  counting  through  the  number  of runs. Count
              through the bytes being sent through stdin to the program.  This
              option  really  serves  no  purpose  other than making something
              interesting to watch.

       -c, --chroot
              Since there is no telling what a  program  will  do  when  given
              random input. this allows a program to be sort of caged while it
              is run so that  the  damage  that  it  may  be  able  to  do  is
              minimized.  This  requires that the fuzz be run as root. It will
              drop privlages before it runs the test program. This  option  is
              best  used  in  conjunction  with  the --user option. This often
              times requires that a program is statically linked.

       -d, --dontask
              In the cases where the target program is  for  sure  part  of  a
              package  and  the  packaging information will provide the needed
              version information then you can use this option to avoid  being
              asked what the version is.

       -i, --priority
              Run at a specified priority.

       -l, --length LENGTH
              The  length  in  bytes  of the data stream to pass through stdin
              into the target program. The default length is 100K.

       -m, --maxline MAXLINELEN
              Specify the maximum line length within the  random  data  stream
              passed into stdin.

       -n, --newlines N
              Include random N newlines in the input stream.

       -o, --omitdata
              Some  programs don’t take input from stdin. They only take input
              from the command line arguments. If this is the case simply  use
              the --omitdata option.

       -p, --printable
              This  limits  both  the  stdin and the command line arguments to
              only printable characters. By default fuzz passes  fully  random
              bytes into the target program.

       -r, --runcount RUNCOUNT
              The  number  of  times to run the target program. The default is

       -t, --timeout TIME
              This sets the number of seconds that the fuzz will wait for  the
              other  program  before  it assumes that the program is hung. The
              default value is 120 seconds. This is sensing of when a  program
              is hung is not entirely reliable. See the BUGS section.

       -u, --user USERNAME
              Since  there  is  no  telling  what a program will do when given
              random input, this specifies what user the target  program  will
              be  run  as  so that it is easy to find and repair anything that
              may have been scribbled across your file system. This option was
              designed  to  be used in conjuntion with the --chroot option and
              will only work if fuzz is run as root.

       -V, --version
              Print the version of fuzz and exit.

       -x. --maxargs NUMARGS
              This is to set the maximum number of arguments that  are  passed
              to each invocation of the target program.

       -y, --maxarglen ARGLEN
              Sets  the  maximum  length  of an arguments passed to the target


       Check grep:

              fuzz grep foo

       Run program with different user:

              fuzz --chroot --user nobody cpio -i

       When program is not in path, use absolute patch to access it:

              fuzz ./src/myprogram


       The random  arg  functions  doesn’t  work  very  well  right  now.  The
       arguments passed are so random that the program usually just prints out
       the usage message and then  terminates.  This  will  become  much  more
       useful  later  when  we  are  mating  data  sets  with the intention of
       maximizing code coverage.


       Ben Woodard <>