security/keymint/support/fuzzer/README.md

Fuzzers for libkeymint_support

Plugin Design Considerations

The fuzzer plugins for libkeymint_support are designed based on an understanding of the source code and try to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzers.

Maximize utilization of input data

The plugins feed the entire input data to the module. This ensures that the plugins tolerate any kind of input (empty, huge, malformed, etc.) and don't exit() on any input, thereby increasing the chance of identifying vulnerabilities.
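
The two design goals above, as an added sketch that is not taken from the AOSP fuzzer sources. InputReader is a simplified stand-in for FuzzedDataProvider, and DemoPadding, DemoDigest, DemoParams, deriveParams and targetUnderTest are hypothetical names used only here.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Hypothetical enums standing in for the "padding" and "digest" parameters.
enum class DemoPadding : uint8_t { kNone, kOaep, kPss, kPkcs7, kCount };
enum class DemoDigest : uint8_t { kNone, kSha1, kSha256, kCount };

// Simplified stand-in for FuzzedDataProvider so the example builds anywhere.
class InputReader {
  public:
    InputReader(const uint8_t* data, size_t size) : mData(data), mLeft(size) {}
    // One input byte mapped into [0, count); 0 once the input is exhausted.
    uint32_t pick(uint32_t count) {
        if (mLeft == 0 || count == 0) return 0;
        --mLeft;
        return *mData++ % count;
    }
    // Hands over every unread byte so none of the input is thrown away.
    std::string rest() {
        if (mLeft == 0) return {};  // also covers a null pointer with size 0
        std::string out(reinterpret_cast<const char*>(mData), mLeft);
        mData += mLeft; mLeft = 0;
        return out;
    }
  private:
    const uint8_t* mData;
    size_t mLeft;
};

struct DemoParams { DemoPadding padding; DemoDigest digest; std::string challenge; };

// Every parameter comes from the input; nothing is hardcoded.
DemoParams deriveParams(const uint8_t* data, size_t size) {
    InputReader in(data, size);
    DemoParams p;
    p.padding = static_cast<DemoPadding>(in.pick(static_cast<uint32_t>(DemoPadding::kCount)));
    p.digest = static_cast<DemoDigest>(in.pick(static_cast<uint32_t>(DemoDigest::kCount)));
    p.challenge = in.rest();
    return p;
}

// Hypothetical target; a real plugin would call into libkeymint_support here.
size_t targetUnderTest(const DemoParams& p) { return p.challenge.size(); }

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    targetUnderTest(deriveParams(data, size));
    return 0;  // accept every input: no exit(), no early rejection
}
```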

Fuzzer for KeyMintAttestation

KeyMintAttestation supports the following parameters:

  1. PaddingMode (parameter name: "padding")
  2. Digest (parameter name: "digest")
  3. Index (parameter name: "idx")
  4. Timestamp (parameter name: "timestamp")
  5. AuthSet (parameter name: "authSet")
  6. IssuerSubjectName (parameter name: "issuerSubjectName")
  7. AttestationChallenge (parameter name: "challenge")
  8. AttestationApplicationId (parameter name: "id")
  9. EcCurve (parameter name: "ecCurve")
  10. BlockMode (parameter name: "blockmode")
  11. minMacLength (parameter name: "minMacLength")
  12. macLength (parameter name: "macLength")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| padding | PaddingMode | Value obtained from FuzzedDataProvider |
| digest | Digest | Value obtained from FuzzedDataProvider |
| idx | size_t | Value obtained from FuzzedDataProvider |
| timestamp | uint64_t | Value obtained from FuzzedDataProvider |
| authSet | uint32_t | Value obtained from FuzzedDataProvider |
| issuerSubjectName | uint8_t | Value obtained from FuzzedDataProvider |
| AttestationChallenge | string | Value obtained from FuzzedDataProvider |
| AttestationApplicationId | string | Value obtained from FuzzedDataProvider |
| blockmode | BlockMode | Value obtained from FuzzedDataProvider |
| minMacLength | uint32_t | Value obtained from FuzzedDataProvider |
| macLength | uint32_t | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_attestation_fuzzer
  2. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_attestation_fuzzer/keymint_attestation_fuzzer

Fuzzer for KeyMintAuthSet

KeyMintAuthSet supports the following parameters:

  1. AuthorizationSet (parameter name: "authSet")
  2. AuthorizationSet (parameter name: "params")
  3. KeyParameters (parameter name: "numKeyParam")
  4. Tag (parameter name: "tag")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| authSet | AuthorizationSet | Value obtained from FuzzedDataProvider |
| params | AuthorizationSet | Value obtained from FuzzedDataProvider |
| numKeyParam | size_t | Value obtained from FuzzedDataProvider |
| tag | Tag | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_authSet_fuzzer
  2. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_authSet_fuzzer/keymint_authSet_fuzzer

Fuzzer for KeyMintRemoteProv

KeyMintRemoteProv supports the following parameters:

  1. ChallengeSize (parameter name: "challengeSize")
  2. Challenge (parameter name: "challenge")
  3. NumKeys (parameter name: "numKeys")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| challengeSize | uint8_t | Value obtained from FuzzedDataProvider |
| challenge | std::vector<uint8_t> | Value obtained from FuzzedDataProvider |
| numKeys | uint8_t | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_remote_prov_fuzzer
  2. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_remote_prov_fuzzer/keymint_remote_prov_fuzzer

Fuzzer for KeyMintRemoteKeyProvSupport

KeyMintRemoteKeyProvSupport supports the following parameters:

  1. SupportedEekCurve (parameter name: "supportedEekCurve")
  2. Length (parameter name: "length")
  3. SerialNumberProp (parameter name: "serialNoProp")
  4. InstanceName (parameter name: "instanceName")
  5. Value (parameter name: "value")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| supportedEekCurve | uint8_t | Value obtained from FuzzedDataProvider |
| length | uint8_t | Value obtained from FuzzedDataProvider |
| serialNoProp | string | Value obtained from FuzzedDataProvider |
| instanceName | string | Value obtained from FuzzedDataProvider |
| value | uint8_t | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_rkpsupport_fuzzer
  2. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_rkpsupport_fuzzer/keymint_rkpsupport_fuzzer