# Fuzzer for libkeystore
## Table of contents
+ [libkeystore-get-wifi-hidl](#libkeystore-get-wifi-hidl)
+ [libkeystore_attestation_application_id](#libkeystore_attestation_application_id)

# <a name="libkeystore-get-wifi-hidl"></a> Fuzzer for libkeystore-get-wifi-hidl
## Plugin Design Considerations
The fuzzer plugin for libkeystore-get-wifi-hidl is designed based on the understanding of the library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libkeystore-get-wifi-hidl supports the following parameters:
1. Key (parameter name: `key`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `key` | `String` | Value obtained from FuzzedDataProvider|

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the libkeystore-get-wifi-hidl module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the keystoreGetWifiHidl_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) keystoreGetWifiHidl_fuzzer
```
#### Steps to run

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreGetWifiHidl_fuzzer/keystoreGetWifiHidl_fuzzer
```

# <a name="libkeystore_attestation_application_id"></a> Fuzzer for libkeystore_attestation_application_id
## Plugin Design Considerations
The fuzzer plugin for libkeystore_attestation_application_id is designed based on the understanding of the library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libkeystore_attestation_application_id supports the following parameters:
1. Package Name (parameter name: `packageName`)
2. Version Code (parameter name: `versionCode`)
3. Uid (parameter name: `uid`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `packageName` | `String` | Value obtained from FuzzedDataProvider|
| `versionCode` | `INT64_MIN` to `INT64_MAX` | Value obtained from FuzzedDataProvider|
| `uid` | `0` to `1000` | Value obtained from FuzzedDataProvider|

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the libkeystore_attestation_application_id module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the keystoreSignature_fuzzer, keystorePackageInfo_fuzzer, keystoreApplicationId_fuzzer and keystoreAttestationId_fuzzer binaries.

### Android

#### Steps to build
Build the fuzzers
```
  $ mm -j$(nproc) keystoreSignature_fuzzer
  $ mm -j$(nproc) keystorePackageInfo_fuzzer
  $ mm -j$(nproc) keystoreApplicationId_fuzzer
  $ mm -j$(nproc) keystoreAttestationId_fuzzer
```
#### Steps to run

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreSignature_fuzzer/keystoreSignature_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystorePackageInfo_fuzzer/keystorePackageInfo_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreApplicationId_fuzzer/keystoreApplicationId_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreAttestationId_fuzzer/keystoreAttestationId_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
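The parameter-selection scheme that both design sections above describe (every parameter taken from FuzzedDataProvider rather than hardcoded, a free-form string like `key` or `packageName`, `versionCode` over the full int64 range, `uid` constrained to 0..1000, empty or malformed input tolerated without `exit()`, and the same input always yielding the same parameters), shown as an added example that is not part of the AOSP fuzzers. `SimpleDataProvider` is a small stand-in for LLVM's FuzzedDataProvider so the block compiles without compiler-rt; `FuzzParams` and `checkAttestationId` are hypothetical placeholders for the library call under test, and the sample input is constructed here.

```cpp
// Added example, not AOSP code: a minimal libFuzzer-style harness showing the
// README's parameter-selection scheme. SimpleDataProvider stands in for LLVM's
// FuzzedDataProvider (compiler-rt's FuzzedDataProvider.h); checkAttestationId
// is a hypothetical target, not the keystore API. Integers use host byte order.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Everything handed to the target is derived from the input bytes.
struct FuzzParams {
    std::string packageName;  // free-form string, like `key` / `packageName`
    int64_t versionCode;      // full INT64_MIN..INT64_MAX range
    uint32_t uid;             // constrained to 0..1000 as in the README table
};

// Stand-in provider: consumes from the front of the buffer and yields zero or
// empty values once exhausted, so empty and short inputs are tolerated.
class SimpleDataProvider {
public:
    SimpleDataProvider(const uint8_t* data, size_t size) : data_(data), left_(size) {}

    template <typename T> T consumeIntegral() {
        T value = 0;
        size_t n = left_ < sizeof(T) ? left_ : sizeof(T);
        if (n > 0) {
            std::memcpy(&value, data_, n);  // missing trailing bytes stay zero
            data_ += n; left_ -= n;
        }
        return value;
    }

    // Maps a consumed uint32 onto [min, max] inclusive (max - min must fit).
    uint32_t consumeIntegralInRange(uint32_t min, uint32_t max) {
        return min + consumeIntegral<uint32_t>() % (max - min + 1);
    }

    // Length chosen from the input, then that many bytes, clamped to what is left.
    std::string consumeRandomLengthString(size_t maxLength) {
        size_t len = consumeIntegralInRange(0, static_cast<uint32_t>(maxLength));
        if (len > left_) len = left_;
        if (len == 0) return std::string();
        std::string s(reinterpret_cast<const char*>(data_), len);
        data_ += len; left_ -= len;
        return s;
    }

private:
    const uint8_t* data_;
    size_t left_;
};

// Every parameter comes from the input, never from a hardcoded constant, so the
// same bytes always produce the same parameters (the README's determinism claim).
FuzzParams deriveParams(const uint8_t* data, size_t size) {
    SimpleDataProvider fdp(data, size);
    FuzzParams p;
    p.packageName = fdp.consumeRandomLengthString(64);
    p.versionCode = fdp.consumeIntegral<int64_t>();
    p.uid = fdp.consumeIntegralInRange(0, 1000);
    return p;
}

// Hypothetical target standing in for the library call; a real harness calls the
// keystore function here and lets sanitizers report faults.
bool checkAttestationId(const FuzzParams& p) {
    return !p.packageName.empty() && p.versionCode >= 0 && p.uid <= 1000;
}

// libFuzzer entry point: never exit() on bad input, always return 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    (void)checkAttestationId(deriveParams(data, size));
    return 0;
}

// Constructed sample input (not a real corpus file): length prefix 3, "abc",
// versionCode 5, uid raw 1234 (1234 % 1001 = 233), little-endian host assumed.
std::vector<uint8_t> sampleInput() {
    return {0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c',
            0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0xD2, 0x04, 0x00, 0x00};
}

FuzzParams paramsFromSample() {
    std::vector<uint8_t> in = sampleInput();
    return deriveParams(in.data(), in.size());
}

// Empty input must give defaults, not a crash, and the entry point returns 0.
bool toleratesEmptyInput() {
    uint8_t dummy = 0;
    FuzzParams p = deriveParams(&dummy, 0);
    return p.packageName.empty() && p.versionCode == 0 && p.uid == 0 &&
           LLVMFuzzerTestOneInput(&dummy, 0) == 0;
}
```

Against a real target, replace `SimpleDataProvider` with FuzzedDataProvider (its `ConsumeIntegral<T>`, `ConsumeIntegralInRange` and `ConsumeRandomLengthString` have the same shape, though it draws integers from the end of the buffer) and build with `clang++ -fsanitize=fuzzer,address`; the AOSP modules above get this from the build system via `mm`. Keeping the `uid` range and the int64 `versionCode` tied to the input rather than to constants is what lets libFuzzer's coverage feedback reach the code paths behind each value.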