# Fuzzer for libkeystore
## Table of contents
+ [libkeystore-get-wifi-hidl](#libkeystore-get-wifi-hidl)
+ [libkeystore_attestation_application_id](#libkeystore_attestation_application_id)

# <a name="libkeystore-get-wifi-hidl"></a> Fuzzer for libkeystore-get-wifi-hidl
## Plugin Design Considerations
The fuzzer plugin for libkeystore-get-wifi-hidl is designed based on an understanding of the library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libkeystore-get-wifi-hidl supports the following parameters:
1. Key (parameter name: `key`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `key` | `String` | Value obtained from FuzzedDataProvider|

This also ensures that the plugin is always deterministic for any given input: every
parameter is derived from the input bytes alone, so the same input always exercises the
same path and any crash reproduces from its saved input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the libkeystore-get-wifi-hidl module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the keystoreGetWifiHidl_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer (`mm` builds the modules of the current directory, so run it from the
keystore source directory after `source build/envsetup.sh` and `lunch`)
```
 $ mm -j$(nproc) keystoreGetWifiHidl_fuzzer
```
#### Steps to run

To run on device (`${TARGET_ARCH}` is the device architecture as named by the build, e.g. `arm64`)
```
 $ adb sync data
 $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreGetWifiHidl_fuzzer/keystoreGetWifiHidl_fuzzer
```

# <a name="libkeystore_attestation_application_id"></a> Fuzzer for libkeystore_attestation_application_id
## Plugin Design Considerations
The fuzzer plugins for libkeystore_attestation_application_id are designed based on an understanding of the library and try to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libkeystore_attestation_application_id supports the following parameters:
1. Package Name (parameter name: `packageName`)
2. Version Code (parameter name: `versionCode`)
3. Uid (parameter name: `uid`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `packageName` | `String` | Value obtained from FuzzedDataProvider|
| `versionCode` | `INT64_MIN` to `INT64_MAX` | Value obtained from FuzzedDataProvider|
| `uid` | `0` to `1000` | Value obtained from FuzzedDataProvider|

This also ensures that the plugins are always deterministic for any given input.
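
The parameter tables for both fuzzers describe the same harness pattern: integral
parameters are consumed from the fuzz input with a bounded range, and whatever is left
becomes the string parameter (`key` for the wifi fuzzer, `packageName` here). The block
below is an added example illustrating that pattern; it is not code from the AOSP
keystore fuzzers. `MiniFuzzedDataProvider` is an assumed stand-in that mirrors the
consumption rules of LLVM's `FuzzedDataProvider` for the three methods used, so the file
builds without the libFuzzer headers; the sample input is constructed for the example,
and the call into the library under test is left out because it needs the Android
binder runtime.

```cpp
// Added example (not part of the AOSP keystore fuzzers): how a libFuzzer harness
// derives packageName / versionCode / uid from the raw input so that every run is
// deterministic and stays inside the documented ranges.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <string>

// Assumed stand-in for LLVM's FuzzedDataProvider (fuzzer/FuzzedDataProvider.h), kept
// here so the example builds without libFuzzer. Same consumption rules: integrals are
// taken from the END of the buffer, strings from the front, and an exhausted buffer
// yields the minimum / empty value instead of failing.
class MiniFuzzedDataProvider {
 public:
  MiniFuzzedDataProvider(const uint8_t* data, size_t size)
      : data_(data), remaining_(size) {}

  // Value in [min, max] built from trailing bytes; returns min when none remain.
  template <typename T>
  T ConsumeIntegralInRange(T min, T max) {
    uint64_t range = static_cast<uint64_t>(max) - static_cast<uint64_t>(min);
    uint64_t result = 0;
    size_t offset = 0;
    // Only consume as many bytes as the range needs (2 bytes for 0..1000).
    while (offset < sizeof(T) * 8 && (range >> offset) > 0 && remaining_ != 0) {
      --remaining_;
      result = (result << 8) | data_[remaining_];
      offset += 8;
    }
    if (range != std::numeric_limits<uint64_t>::max()) result %= range + 1;
    return static_cast<T>(static_cast<uint64_t>(min) + result);
  }

  template <typename T>
  T ConsumeIntegral() {
    return ConsumeIntegralInRange<T>(std::numeric_limits<T>::min(),
                                     std::numeric_limits<T>::max());
  }

  // Everything not yet consumed, taken from the front of the buffer.
  std::string ConsumeRemainingBytesAsString() {
    std::string s;
    if (remaining_ != 0) s.assign(reinterpret_cast<const char*>(data_), remaining_);
    remaining_ = 0;
    return s;
  }

 private:
  const uint8_t* data_;
  size_t remaining_;
};

struct AttestationIdParams {
  std::string packageName;
  int64_t versionCode;
  uint32_t uid;
};

// Derives the three parameters from the table above. Integral parameters are
// consumed first so that whatever is left becomes the package name.
AttestationIdParams DeriveParams(const uint8_t* data, size_t size) {
  MiniFuzzedDataProvider fdp(data, size);
  AttestationIdParams p;
  p.versionCode = fdp.ConsumeIntegral<int64_t>();         // INT64_MIN..INT64_MAX
  p.uid = fdp.ConsumeIntegralInRange<uint32_t>(0, 1000);  // 0..1000
  p.packageName = fdp.ConsumeRemainingBytesAsString();    // remaining bytes, may be ""
  return p;
}

// libFuzzer entry point. The real fuzzers hand these values to the library under
// test; that call is omitted here (it needs the Android binder runtime). The harness
// never calls exit(): it returns 0 and lets the sanitizers report anything abnormal.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  AttestationIdParams p = DeriveParams(data, size);
  // Invariants the table promises; violating either is a harness bug.
  if (p.uid > 1000) std::abort();
  if (p.packageName.size() > size) std::abort();
  return 0;
}

// Constructed sample input: "com.x", then the uid bytes (0x03E8 = 1000, low byte
// first because bytes are read from the end), then eight versionCode bytes that
// decode to 0x800000000000002A, which INT64_MIN + result wraps to 42.
const uint8_t kSampleInput[] = {'c', 'o', 'm', '.', 'x',
                                0xE8, 0x03,
                                0x2A, 0, 0, 0, 0, 0, 0, 0x80};
const size_t kSampleInputSize = sizeof(kSampleInput);

int main() {
  AttestationIdParams p = DeriveParams(kSampleInput, kSampleInputSize);
  std::printf("packageName=%s versionCode=%lld uid=%u\n", p.packageName.c_str(),
              static_cast<long long>(p.versionCode), p.uid);
  return LLVMFuzzerTestOneInput(kSampleInput, kSampleInputSize);
}
```

Consuming the integrals from the tail of the buffer is what makes the string parameter
"use the rest": libFuzzer's mutators can then grow or shrink the package name without
disturbing the bytes that select `versionCode` and `uid`, and an empty input still
produces a valid (minimum-valued) parameter set rather than an early return.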

##### Maximize utilization of input data
The plugins feed the entire input data to the libkeystore_attestation_application_id module.
This ensures that the plugins tolerate any kind of input (empty, huge,
malformed, etc.) and don't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the keystoreSignature_fuzzer, keystorePackageInfo_fuzzer, keystoreApplicationId_fuzzer and keystoreAttestationId_fuzzer binaries.

### Android

#### Steps to build
Build the fuzzers
```
 $ mm -j$(nproc) keystoreSignature_fuzzer
 $ mm -j$(nproc) keystorePackageInfo_fuzzer
 $ mm -j$(nproc) keystoreApplicationId_fuzzer
 $ mm -j$(nproc) keystoreAttestationId_fuzzer
```
#### Steps to run

To run on device
```
 $ adb sync data
 $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreSignature_fuzzer/keystoreSignature_fuzzer
 $ adb shell /data/fuzz/${TARGET_ARCH}/keystorePackageInfo_fuzzer/keystorePackageInfo_fuzzer
 $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreApplicationId_fuzzer/keystoreApplicationId_fuzzer
 $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreAttestationId_fuzzer/keystoreAttestationId_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz