# Fuzzer for android.hardware.bluetooth@1.0

## Plugin Design Considerations
The fuzzer plugin for android.hardware.bluetooth@1.0 is designed based on an understanding of the source code and tries to achieve the following:

##### Maximize code coverage
1. The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

2. A new library `libbt-vendor-fuzz.so` is created that implements the functions of `bt_vendor_interface_t` and calls them in order to maximize code coverage.

android.hardware.bluetooth@1.0 supports the following parameters:

1. Bluetooth Address (parameter name: `btAddress`)

| Parameter | Valid Values | Configured Value |
|------------- |-------------| ----- |
| `btAddress` | Each byte of the address array ranges from `0x0` to `0xFF` | Value obtained from FuzzedDataProvider |

Because every parameter is derived from the input rather than from a random source, the plugin is always deterministic for any given input: the same input reproduces the same run.

##### Maximize utilization of input data
The plugin feeds the entire input data to the module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, which increases the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the bluetoothV1.0_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
 $ mm -j$(nproc) bluetoothV1.0_fuzzer
```
#### Steps to run
To run on device
```
 $ adb sync data
 $ adb shell LD_LIBRARY_PATH=/data/fuzz/${TARGET_ARCH}/lib/ /data/fuzz/${TARGET_ARCH}/bluetoothV1.0_fuzzer/bluetoothV1.0_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
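The input handling described under "Plugin Design Considerations", as an added example that is not part of this README or of the AOSP fuzzer's own code: the `btAddress` bytes are consumed from the input through a FuzzedDataProvider-style consumer (each in `0x0`..`0xFF`), everything left over is handed to the module, and no input shape causes an `exit()`. `MiniFuzzedDataProvider` is a cut-down stand-in written for this example so it compiles outside the Android tree (the real class is LLVM's `FuzzedDataProvider` and takes integrals from the tail of the input exactly as shown); `CheckHciCommand` is an illustrative stand-in for the module under test, not the HAL's code; `FuzzConfig`, `DeriveConfig` and `FuzzOneInput` are names invented here.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Minimal stand-in for LLVM's FuzzedDataProvider (<fuzzer/FuzzedDataProvider.h>),
// written for this example so it compiles outside the Android tree. It keeps the
// real class's contract for the two operations used here: integrals are taken
// from the END of the input, the remaining bytes from the FRONT, and an
// exhausted provider yields zero / an empty vector instead of failing.
class MiniFuzzedDataProvider {
 public:
  MiniFuzzedDataProvider(const uint8_t* data, size_t size)
      : data_(data), remaining_(size) {}

  // Simplified ConsumeIntegralInRange<uint8_t>(min, max): one tail byte,
  // folded into [min, max].
  uint8_t ConsumeByteInRange(uint8_t min, uint8_t max) {
    if (min > max) std::swap(min, max);
    uint32_t raw = 0;
    if (remaining_ != 0) {
      --remaining_;
      raw = data_[remaining_];
    }
    const uint32_t range = static_cast<uint32_t>(max) - min;
    return static_cast<uint8_t>(min + raw % (range + 1));
  }

  // Hands over whatever the tail consumers left, in original order.
  std::vector<uint8_t> ConsumeRemainingBytes() {
    std::vector<uint8_t> out(data_, data_ + remaining_);
    remaining_ = 0;
    return out;
  }

 private:
  const uint8_t* data_;
  size_t remaining_;
};

constexpr size_t kBtAddressLen = 6;  // a Bluetooth device address is 48 bits

struct FuzzConfig {
  std::array<uint8_t, kBtAddressLen> btAddress{};  // zero-filled if input is short
  std::vector<uint8_t> payload;                    // everything left for the module
};

// The README's design: btAddress is selected from the input (each byte in
// 0x0..0xFF) and the rest of the data is passed on untouched. Same input,
// same configuration, so every run is reproducible.
FuzzConfig DeriveConfig(const uint8_t* data, size_t size) {
  MiniFuzzedDataProvider fdp(data, size);
  FuzzConfig cfg;
  for (uint8_t& b : cfg.btAddress) b = fdp.ConsumeByteInRange(0x0, 0xFF);
  cfg.payload = fdp.ConsumeRemainingBytes();
  return cfg;
}

// Illustrative stand-in for the module under test (not the HAL's own code):
// checks an HCI command packet header. Layout per the Bluetooth Core spec:
// opcode (2 bytes, little-endian), parameter total length (1 byte), then
// exactly that many parameter bytes.
enum class HciVerdict { kTooShort, kLengthMismatch, kOk };

HciVerdict CheckHciCommand(const std::vector<uint8_t>& pkt, uint16_t* opcode_out) {
  if (pkt.size() < 3) return HciVerdict::kTooShort;
  const uint16_t opcode = static_cast<uint16_t>(pkt[0] | (pkt[1] << 8));
  const size_t param_len = pkt[2];
  if (pkt.size() != 3 + param_len) return HciVerdict::kLengthMismatch;
  if (opcode_out != nullptr) *opcode_out = opcode;
  return HciVerdict::kOk;
}

// One fuzz iteration. Every path is a plain return: no exit(), abort() or
// uncaught exception on empty, oversized or malformed input, so the only early
// termination is a real sanitizer finding in the module.
HciVerdict FuzzOneInput(const uint8_t* data, size_t size, uint16_t* opcode_out) {
  FuzzConfig cfg = DeriveConfig(data, size);
  return CheckHciCommand(cfg.payload, opcode_out);
}

// libFuzzer entry point; link with -fsanitize=fuzzer to drive it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  (void)FuzzOneInput(data, size, nullptr);
  return 0;
}
```

Taking the address bytes from the tail matters in practice: libFuzzer's mutators mostly work on the front of the input, so the payload handed to the module keeps mutating while the address stays stable across neighbouring inputs, and a crash reproduces from the saved input alone because nothing in the run depends on a random source.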