1*ec779b8eSAndroid Build Coastguard Worker# Fuzzer for libmediametricsservice 2*ec779b8eSAndroid Build Coastguard Worker 3*ec779b8eSAndroid Build Coastguard Worker## Plugin Design Considerations 4*ec779b8eSAndroid Build Coastguard WorkerThe fuzzer plugin for libmediametricsservice is designed based on the 5*ec779b8eSAndroid Build Coastguard Workerunderstanding of the service and tries to achieve the following: 6*ec779b8eSAndroid Build Coastguard Worker 7*ec779b8eSAndroid Build Coastguard Worker##### Maximize code coverage 8*ec779b8eSAndroid Build Coastguard WorkerThe configuration parameters are not hardcoded, but instead selected based on 9*ec779b8eSAndroid Build Coastguard Workerincoming data. This ensures more code paths are reached by the fuzzer. 10*ec779b8eSAndroid Build Coastguard Worker 11*ec779b8eSAndroid Build Coastguard WorkerMedia Metrics Service contains the following modules: 12*ec779b8eSAndroid Build Coastguard Worker1. Media Metrics Item Manipulation (module name: `Item`) 13*ec779b8eSAndroid Build Coastguard Worker2. Media Metrics Time Machine Storage (module name: `TimeMachineStorage`) 14*ec779b8eSAndroid Build Coastguard Worker3. Media Metrics Transaction Log (module name: `TransactionLog`) 15*ec779b8eSAndroid Build Coastguard Worker4. Media Metrics Analytics Action (module name: `AnalyticsAction`) 16*ec779b8eSAndroid Build Coastguard Worker5. Media Metrics Audio Analytics (module name: `AudioAnalytics`) 17*ec779b8eSAndroid Build Coastguard Worker6. Media Metrics Timed Action (module name: `TimedAction`) 18*ec779b8eSAndroid Build Coastguard Worker 19*ec779b8eSAndroid Build Coastguard Worker| Module| Valid Input Values| Configured Value| 20*ec779b8eSAndroid Build Coastguard Worker|------------- |-------------| ----- | 21*ec779b8eSAndroid Build Coastguard Worker| `Item` | Key: `std::string`. Values: `INT32_MIN` to `INT32_MAX`, `INT64_MIN` to `INT64_MAX`, `std::string`, `double`, `pair<INT32_MIN to INT32_MAX, INT32_MIN to INT32_MAX>` | Value obtained from FuzzedDataProvider | 22*ec779b8eSAndroid Build Coastguard Worker| `TimeMachineStorage` | Key: `std::string`. Values: `INT32_MIN` to `INT32_MAX`, `INT64_MIN` to `INT64_MAX`, `std::string`, `double`, `pair<INT32_MIN to INT32_MAX, INT32_MIN to INT32_MAX>` | Value obtained from FuzzedDataProvider | 23*ec779b8eSAndroid Build Coastguard Worker| `TranscationLog` | `mediametrics::Item` | `mediametrics::Item` created by obtaining values from FuzzedDataProvider| 24*ec779b8eSAndroid Build Coastguard Worker| `AnalyticsAction` | URL: `std::string` ending with .event, Value: `std::string`, action: A function | URL and Values obtained from FuzzedDataProvider, a placeholder function was passed as action| 25*ec779b8eSAndroid Build Coastguard Worker| `AudioAnalytics` | `mediametrics::Item` | `mediametrics::Item` created by obtaining values from FuzzedDataProvider| 26*ec779b8eSAndroid Build Coastguard Worker| `TimedAction` | time: `std::chrono::seconds`, function: `std::function` | `std::chrono::seconds` : value obtained from FuzzedDataProvider, `std::function`: a placeholder function was used. | 27*ec779b8eSAndroid Build Coastguard Worker 28*ec779b8eSAndroid Build Coastguard WorkerThis also ensures that the plugin is always deterministic for any given input. 29*ec779b8eSAndroid Build Coastguard Worker 30*ec779b8eSAndroid Build Coastguard Worker## Build 31*ec779b8eSAndroid Build Coastguard Worker 32*ec779b8eSAndroid Build Coastguard WorkerThis describes steps to build mediametrics_service_fuzzer binary. 33*ec779b8eSAndroid Build Coastguard Worker 34*ec779b8eSAndroid Build Coastguard Worker### Android 35*ec779b8eSAndroid Build Coastguard Worker 36*ec779b8eSAndroid Build Coastguard Worker#### Steps to build 37*ec779b8eSAndroid Build Coastguard WorkerBuild the fuzzer 38*ec779b8eSAndroid Build Coastguard Worker``` 39*ec779b8eSAndroid Build Coastguard Worker $ mm -j$(nproc) mediametrics_service_fuzzer 40*ec779b8eSAndroid Build Coastguard Worker``` 41*ec779b8eSAndroid Build Coastguard Worker 42*ec779b8eSAndroid Build Coastguard Worker#### Steps to run 43*ec779b8eSAndroid Build Coastguard WorkerCreate a directory CORPUS_DIR and copy some files to that folder 44*ec779b8eSAndroid Build Coastguard WorkerPush this directory to device. 45*ec779b8eSAndroid Build Coastguard Worker 46*ec779b8eSAndroid Build Coastguard WorkerTo run on device 47*ec779b8eSAndroid Build Coastguard Worker``` 48*ec779b8eSAndroid Build Coastguard Worker $ adb sync data 49*ec779b8eSAndroid Build Coastguard Worker $ adb shell /data/fuzz/arm64/mediametrics_service_fuzzer/mediametrics_service_fuzzer CORPUS_DIR 50*ec779b8eSAndroid Build Coastguard Worker``` 51*ec779b8eSAndroid Build Coastguard Worker 52*ec779b8eSAndroid Build Coastguard Worker## References: 53*ec779b8eSAndroid Build Coastguard Worker * http://llvm.org/docs/LibFuzzer.html 54*ec779b8eSAndroid Build Coastguard Worker * https://github.com/google/oss-fuzz 55