Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / refs/heads/android-15 / . / keystore / tests / fuzzer
tree: 55d7301c14709554f5ab9286791c031dd704a60b [path history] [tgz]
  1. Android.bp
  2. keystoreApplicationId_fuzzer.cpp
  3. keystoreAttestationId_fuzzer.cpp
  4. keystoreCommon.h
  5. keystoreGetWifiHidl_fuzzer.cpp
  6. keystorePackageInfo_fuzzer.cpp
  7. keystoreSignature_fuzzer.cpp
  8. README.md
keystore/tests/fuzzer/README.md

Fuzzer for libkeystore

Table of contents

Fuzzer for libkeystore-get-wifi-hidl

Plugin Design Considerations

The fuzzer plugin for libkeystore-get-wifi-hidl is designed based on the understanding of the library and tries to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

libkeystore-get-wifi-hidl supports the following parameters:

  1. Key (parameter name: key)
ParameterValid ValuesConfigured Value
keyStringValue obtained from FuzzedDataProvider

This also ensures that the plugin is always deterministic for any given input.

Maximize utilization of input data

The plugin feeds the entire input data to the libkeystore-get-wifi-hidl module. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Build

This describes steps to build keystoreGetWifiHidl_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) keystoreGetWifiHidl_fuzzer

Steps to run

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreGetWifiHidl_fuzzer/keystoreGetWifiHidl_fuzzer

Fuzzer for libkeystore_attestation_application_id

Plugin Design Considerations

The fuzzer plugin for libkeystore-attestation-application-id are designed based on the understanding of the library and tries to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

libkeystore-attestation-application-id supports the following parameters:

  1. Package Name (parameter name: packageName)
  2. Version Code (parameter name: versionCode)
  3. Uid (parameter name: uid)
ParameterValid ValuesConfigured Value
packageNameStringValue obtained from FuzzedDataProvider
versionCodeINT64_MIN to INT64_MAXValue obtained from FuzzedDataProvider
uid0 to 1000Value obtained from FuzzedDataProvider

This also ensures that the plugin is always deterministic for any given input.

Maximize utilization of input data

The plugins feed the entire input data to the libkeystore_attestation_application_id module. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Build

This describes steps to build keystoreSignature_fuzzer, keystorePackageInfo_fuzzer, keystoreApplicationId_fuzzer and keystoreAttestationId_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) keystoreSignature_fuzzer
  $ mm -j$(nproc) keystorePackageInfo_fuzzer
  $ mm -j$(nproc) keystoreApplicationId_fuzzer
  $ mm -j$(nproc) keystoreAttestationId_fuzzer

Steps to run

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreSignature_fuzzer/keystoreSignature_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystorePackageInfo_fuzzer/keystorePackageInfo_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreApplicationId_fuzzer/keystoreApplicationId_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/keystoreAttestationId_fuzzer/keystoreAttestationId_fuzzer

References: