# Fuzzing

Fuzz tests use [libFuzzer](http://llvm.org/docs/LibFuzzer.html) to test the SAPI
`_Prepare` and `_Complete` functions.

Building fuzz tests can be enabled using the `--with-fuzzing=` option, which
takes one of two values:

- [libfuzzer](#libfuzzer)
- [ossfuzz](#oss-fuzz)

## libFuzzer

libFuzzer tests can be built natively or using the docker `fuzzing` target.

### Natively

Build the fuzz tests by setting `--with-fuzzing=libfuzzer` and statically
linking to the fuzzing TCTI.

```console
export GEN_FUZZ=1

./bootstrap
./configure \
    CC=clang \
    CXX=clang++ \
    --enable-debug \
    --with-fuzzing=libfuzzer \
    --enable-tcti-fuzzing \
    --enable-tcti-device=no \
    --enable-tcti-mssim=no \
    --with-maxloglevel=none \
    --disable-shared

make -j $(nproc) check
```

Run the fuzz tests by executing any binary ending in `.fuzz` in `test/fuzz/`.

```console
./test/fuzz/Tss2_Sys_ZGen_2Phase_Prepare.fuzz
```

### Docker

Build the fuzz targets and check that they work by building the `fuzzing` docker
target.

```console
docker build --target fuzzing -t tpm2-tss:fuzzing .
```

Run a fuzz target and mount a directory as a volume into the container where it
should store its findings, should it produce any. The `-v` option must come
before the image name, and libFuzzer treats `-artifact_prefix` as a literal
filename prefix, so it needs the trailing slash to write into the mounted
directory.

```console
docker run --rm -ti \
    -v "${PWD}/findings_dir":/artifacts \
    tpm2-tss:fuzzing \
    ./test/fuzz/Tss2_Sys_PolicyPhysicalPresence_Prepare.fuzz \
    -artifact_prefix=/artifacts/
```

## OSS Fuzz

OSS Fuzz integration can be found under the
[tpm2-tss](https://github.com/google/oss-fuzz/tree/master/projects/tpm2-tss)
project in OSS Fuzz.

The `Dockerfile` there builds the dependencies. `build.sh` runs the compilation
as seen under the `fuzzing` target of the `Dockerfile` in this repo, only with
`--with-fuzzing=ossfuzz`.

## Hacking

Currently only fuzz targets for the System API have been implemented.

### TCTI

The fuzzing TCTI is used as a temporary storage location for the `Data` and
`Size` arguments of `LLVMFuzzerTestOneInput`.

For `_Complete` calls the TCTI uses `Data` and `Size` as the response buffer and
response size for `TSS2_TCTI_RECEIVE`.

### SAPI

Fuzz tests are generated via `script/gen_fuzz.py`.

Setting `GEN_FUZZ=1` when running `bootstrap` will run `script/gen_fuzz.py`.

```console
GEN_FUZZ=1 ./bootstrap
```

`script/gen_fuzz.py` reads the SAPI header file and generates a fuzz target for
each `_Prepare` and `_Complete` call using similar templates.

For `_Prepare` calls the `fuzz_fill` function in the fuzzing TCTI fills each
TPM2 structure used by copying from `LLVMFuzzerTestOneInput`'s `Data` into it.
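The two mechanisms described under TCTI and SAPI, as an added illustration that is not the project's own fuzzing TCTI: a hypothetical stand-in context parks `Data`/`Size`, a receive routine serves them as the TPM response for the `_Complete` path, and a `fuzz_fill` stand-in slices them into structures for the `_Prepare` path. All names here (`fuzz_tcti_ctx`, `fuzz_tcti_set_input`, `fuzz_tcti_receive`) are assumptions, not tpm2-tss symbols.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for the fuzzing TCTI context: it only parks the
 * Data/Size pair from LLVMFuzzerTestOneInput for the code under test. */
typedef struct { const uint8_t *data; size_t size; } fuzz_tcti_ctx;
static fuzz_tcti_ctx g_fuzz;

/* Store the fuzzer input for the duration of one test iteration. */
void fuzz_tcti_set_input(const uint8_t *data, size_t size) {
    g_fuzz.data = data;
    g_fuzz.size = size;
}

/* Stand-in for the TSS2_TCTI_RECEIVE path used by _Complete targets: the
 * fuzzer input is served as the TPM "response". A NULL buffer is a size
 * query; a too-small buffer returns -1 so the caller sees an error path. */
int fuzz_tcti_receive(uint8_t *response, size_t *response_size) {
    if (response == NULL) {
        *response_size = g_fuzz.size;
        return 0;
    }
    if (*response_size < g_fuzz.size)
        return -1;
    memcpy(response, g_fuzz.data, g_fuzz.size);
    *response_size = g_fuzz.size;
    return 0;
}

/* Stand-in for fuzz_fill used by _Prepare targets: fill a TPM2 structure
 * from the front of Data, zero-padding when the input runs short, and
 * consume the bytes so the next structure gets fresh input. */
size_t fuzz_fill(void *structure, size_t structure_size) {
    size_t n = g_fuzz.size < structure_size ? g_fuzz.size : structure_size;
    memset(structure, 0, structure_size);
    memcpy(structure, g_fuzz.data, n);
    g_fuzz.data += n;
    g_fuzz.size -= n;
    return n;
}

/* libFuzzer entry point, shaped like a generated _Complete target. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    uint8_t resp[64];
    size_t len = sizeof resp;
    fuzz_tcti_set_input(Data, Size);
    (void)fuzz_tcti_receive(resp, &len);
    return 0;
}
```

Build it with `clang -fsanitize=fuzzer` to get a runnable target; the real generated targets call the SAPI `_Prepare`/`_Complete` function in place of the direct `fuzz_tcti_receive` call.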