# Fuzzer for libmediadrm

## Plugin Design Considerations
The fuzzer plugin for libmediadrm is designed based on the understanding of the
library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libmediadrm supports the following parameters:
1. Security Level (parameter name: `securityLevel`)
2. Mime Type (parameter name: `mimeType`)
3. Key Type (parameter name: `keyType`)
4. Crypto Mode (parameter name: `cryptoMode`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `securityLevel` | 0.`DrmPlugin::kSecurityLevelUnknown` 1.`DrmPlugin::kSecurityLevelMax` 2.`DrmPlugin::kSecurityLevelSwSecureCrypto` 3.`DrmPlugin::kSecurityLevelSwSecureDecode` 4.`DrmPlugin::kSecurityLevelHwSecureCrypto` 5.`DrmPlugin::kSecurityLevelHwSecureDecode` 6.`DrmPlugin::kSecurityLevelHwSecureAll`| Value obtained from FuzzedDataProvider in the range 0 to 6|
| `mimeType` | 0.`video/mp4` 1.`video/mpeg` 2.`video/x-flv` 3.`video/mj2` 4.`video/3gp2` 5.`video/3gpp` 6.`video/3gpp2` 7.`audio/mp4` 8.`audio/mpeg` 9.`audio/aac` 10.`audio/3gp2` 11.`audio/3gpp` 12.`audio/3gpp2` 13.`video/unknown`| Value obtained from FuzzedDataProvider in the range 0 to 13|
| `keyType` | 0.`DrmPlugin::kKeyType_Offline` 1.`DrmPlugin::kKeyType_Streaming` 2.`DrmPlugin::kKeyType_Release` | Value obtained from FuzzedDataProvider in the range 0 to 2|
| `cryptoMode` | 0.`CryptoPlugin::kMode_Unencrypted` 1.`CryptoPlugin::kMode_AES_CTR` 2.`CryptoPlugin::kMode_AES_WV` 3.`CryptoPlugin::kMode_AES_CBC` | Value obtained from FuzzedDataProvider in the range 0 to 3|

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the drm module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the mediadrm_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) mediadrm_fuzzer
```
#### Steps to run
Create a directory CORPUS_DIR
```
  $ adb shell mkdir CORPUS_DIR
```
To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/mediadrm_fuzzer/mediadrm_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
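
The parameter selection described under "Maximize code coverage" and the input tolerance described under "Maximize utilization of input data", as an added sketch that is not the fuzzer's own source. `ByteReader`, `DrmFuzzConfig` and `selectConfig` are hypothetical names; `ByteReader` is a simplified stand-in for FuzzedDataProvider's ranged integer read, and the split between parameter bytes and payload bytes is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical, simplified stand-in for FuzzedDataProvider's ranged integer
// read: takes one byte from the end of the input, returns `lo` once empty.
struct ByteReader {
    const uint8_t* data;
    size_t size;
    uint32_t inRange(uint32_t lo, uint32_t hi) {
        if (size == 0) return lo;              // exhausted input never aborts
        return lo + data[--size] % (hi - lo + 1);
    }
};

// Ranges come from the parameter table in this README.
struct DrmFuzzConfig {
    uint32_t securityLevel;        // 0..6
    uint32_t mimeType;             // 0..13
    uint32_t keyType;              // 0..2
    uint32_t cryptoMode;           // 0..3
    std::vector<uint8_t> payload;  // bytes left for the module under test
};

// Same bytes in, same configuration out: a crashing input replays exactly.
DrmFuzzConfig selectConfig(const uint8_t* data, size_t size) {
    ByteReader r{data, size};
    DrmFuzzConfig c{};
    c.securityLevel = r.inRange(0, 6);
    c.mimeType = r.inRange(0, 13);
    c.keyType = r.inRange(0, 2);
    c.cryptoMode = r.inRange(0, 3);
    if (r.size > 0) c.payload.assign(r.data, r.data + r.size);
    return c;
}

int main() {
    const uint8_t sample[] = {0xAA, 0xBB, 0x07, 0x05, 0x10, 0x09};  // constructed
    DrmFuzzConfig c = selectConfig(sample, sizeof(sample));
    std::printf("securityLevel=%u mimeType=%u keyType=%u cryptoMode=%u payload=%zu\n",
                c.securityLevel, c.mimeType, c.keyType, c.cryptoMode, c.payload.size());
    return 0;
}
```

Because every value is reduced into its table range, no input byte can select an out-of-range enum, and empty or one-byte inputs fall back to index 0 instead of terminating the run.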