Merge "Added keymint_authSet_fuzzer" into main am: 7884619140 (14ae5a61) · Commits · e / os / android_hardware_interfaces

security/keymint/support/fuzzer/Android.bp

+10 −0

Original line number	Diff line number	Diff line
		@@ -57,3 +57,13 @@ cc_fuzz {
		"keymint_fuzzer_defaults",
		],
		}

		cc_fuzz {
		name: "keymint_authSet_fuzzer",
		srcs: [
		"keymint_authSet_fuzzer.cpp",
		],
		defaults: [
		"keymint_fuzzer_defaults",
		],
		}

security/keymint/support/fuzzer/README.md

+26 −0

Original line number	Diff line number	Diff line
		@@ -11,6 +11,7 @@ The plugins feed the entire input data to the module. This ensures that the plug

		## Table of contents
		+ [keymint_attestation_fuzzer](#KeyMintAttestation)
		+ [keymint_authSet_fuzzer](#KeyMintAuthSet)

		# <a name="KeyMintAttestation"></a> Fuzzer for KeyMintAttestation
		KeyMintAttestation supports the following parameters:
		@@ -51,3 +52,28 @@ $ mm -j$(nproc) keymint_attestation_fuzzer
		$ adb sync data
		$ adb shell /data/fuzz/arm64/keymint_attestation_fuzzer/keymint_attestation_fuzzer
		```

		# <a name="KeyMintAuthSet"></a> Fuzzer for KeyMintAuthSet
		KeyMintAuthSet supports the following parameters:
		1. AuthorizationSet(parameter name: "authSet")
		2. AuthorizationSet(parameter name: "params")
		3. KeyParameters(parameter name: "numKeyParam")
		4. Tag(parameter name: "tag")

		\| Parameter\| Valid Values\| Configured Value\|
		\|------------- \|--------------\| -------------------- \|
		\|`authSet`\| `AuthorizationSet` \|Value obtained from FuzzedDataProvider\|
		\|`params`\| `AuthorizationSet` \|Value obtained from FuzzedDataProvider\|
		\|`numKeyParam`\| `size_t` \|Value obtained from FuzzedDataProvider\|
		\|`tag`\| `Tag` \|Value obtained from FuzzedDataProvider\|

		#### Steps to run
		1. Build the fuzzer
		```
		$ mm -j$(nproc) keymint_authSet_fuzzer
		```
		2. Run on device
		```
		$ adb sync data
		$ adb shell /data/fuzz/arm64/keymint_authSet_fuzzer/keymint_authSet_fuzzer
		```

security/keymint/support/fuzzer/keymint_authSet_fuzzer.cpp

0 → 100644

+175 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2024 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at:
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*
		*/
		#include <keymint_common.h>
		#include <fstream>

		namespace android::hardware::security::keymint_support::fuzzer {

		constexpr size_t kMinAction = 0;
		constexpr size_t kMaxAction = 10;
		constexpr size_t kMinKeyParameter = 1;
		constexpr size_t kMaxKeyParameter = 10;

		constexpr Tag kTagArray[] = {Tag::INVALID,
		Tag::PURPOSE,
		Tag::ALGORITHM,
		Tag::KEY_SIZE,
		Tag::BLOCK_MODE,
		Tag::DIGEST,
		Tag::PADDING,
		Tag::CALLER_NONCE,
		Tag::MIN_MAC_LENGTH,
		Tag::EC_CURVE,
		Tag::RSA_PUBLIC_EXPONENT,
		Tag::INCLUDE_UNIQUE_ID,
		Tag::RSA_OAEP_MGF_DIGEST,
		Tag::BOOTLOADER_ONLY,
		Tag::ROLLBACK_RESISTANCE,
		Tag::HARDWARE_TYPE,
		Tag::EARLY_BOOT_ONLY,
		Tag::ACTIVE_DATETIME,
		Tag::ORIGINATION_EXPIRE_DATETIME,
		Tag::USAGE_EXPIRE_DATETIME,
		Tag::MIN_SECONDS_BETWEEN_OPS,
		Tag::MAX_USES_PER_BOOT,
		Tag::USAGE_COUNT_LIMIT,
		Tag::USER_ID,
		Tag::USER_SECURE_ID,
		Tag::NO_AUTH_REQUIRED,
		Tag::USER_AUTH_TYPE,
		Tag::AUTH_TIMEOUT,
		Tag::ALLOW_WHILE_ON_BODY,
		Tag::TRUSTED_USER_PRESENCE_REQUIRED,
		Tag::TRUSTED_CONFIRMATION_REQUIRED,
		Tag::UNLOCKED_DEVICE_REQUIRED,
		Tag::APPLICATION_ID,
		Tag::APPLICATION_DATA,
		Tag::CREATION_DATETIME,
		Tag::ORIGIN,
		Tag::ROOT_OF_TRUST,
		Tag::OS_VERSION,
		Tag::OS_PATCHLEVEL,
		Tag::UNIQUE_ID,
		Tag::ATTESTATION_CHALLENGE,
		Tag::ATTESTATION_APPLICATION_ID,
		Tag::ATTESTATION_ID_BRAND,
		Tag::ATTESTATION_ID_DEVICE,
		Tag::ATTESTATION_ID_PRODUCT,
		Tag::ATTESTATION_ID_SERIAL,
		Tag::ATTESTATION_ID_IMEI,
		Tag::ATTESTATION_ID_MEID,
		Tag::ATTESTATION_ID_MANUFACTURER,
		Tag::ATTESTATION_ID_MODEL,
		Tag::VENDOR_PATCHLEVEL,
		Tag::BOOT_PATCHLEVEL,
		Tag::DEVICE_UNIQUE_ATTESTATION,
		Tag::IDENTITY_CREDENTIAL_KEY,
		Tag::STORAGE_KEY,
		Tag::ASSOCIATED_DATA,
		Tag::NONCE,
		Tag::MAC_LENGTH,
		Tag::RESET_SINCE_ID_ROTATION,
		Tag::CONFIRMATION_TOKEN,
		Tag::CERTIFICATE_SERIAL,
		Tag::CERTIFICATE_SUBJECT,
		Tag::CERTIFICATE_NOT_BEFORE,
		Tag::CERTIFICATE_NOT_AFTER,
		Tag::MAX_BOOT_LEVEL};

		class KeyMintAuthSetFuzzer {
		public:
		KeyMintAuthSetFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};
		void process();

		private:
		FuzzedDataProvider mFdp;
		};

		void KeyMintAuthSetFuzzer::process() {
		AuthorizationSet authSet = createAuthorizationSet(&mFdp);
		while (mFdp.remaining_bytes()) {
		auto invokeAuthSetAPI = mFdp.PickValueInArray<const std::function<void()>>({
		[&]() { authSet.Sort(); },
		[&]() { authSet.Deduplicate(); },
		[&]() { authSet.Union(createAuthorizationSet(&mFdp)); },
		[&]() { authSet.Subtract(createAuthorizationSet(&mFdp)); },
		[&]() { // invoke push_back()
		AuthorizationSetBuilder builder = AuthorizationSetBuilder();
		for (const KeyParameter& tag : authSet) {
		builder.push_back(tag);
		}
		AuthorizationSet params = createAuthorizationSet(&mFdp);
		authSet.push_back(params);
		},
		[&]() { // invoke copy constructor
		auto params = AuthorizationSetBuilder().Authorizations(authSet);
		authSet = params;
		},
		[&]() { // invoke move constructor
		auto params = AuthorizationSetBuilder().Authorizations(authSet);
		authSet = std::move(params);
		},
		[&]() { // invoke Constructor from vector<KeyParameter>
		vector<KeyParameter> keyParam;
		size_t numKeyParam =
		mFdp.ConsumeIntegralInRange<size_t>(kMinKeyParameter, kMaxKeyParameter);
		keyParam.resize(numKeyParam);
		for (size_t idx = 0; idx < numKeyParam - 1; ++idx) {
		keyParam[idx].tag = mFdp.PickValueInArray(kTagArray);
		}
		if (mFdp.ConsumeBool()) {
		AuthorizationSet auths(keyParam);
		auths.push_back(AuthorizationSet(keyParam));
		} else { // invoke operator=
		AuthorizationSet auths = keyParam;
		}
		},
		[&]() { // invoke 'Contains()'
		Tag tag = Tag::INVALID;
		if (authSet.size() > 0) {
		tag = authSet[mFdp.ConsumeIntegralInRange<size_t>(0, authSet.size() - 1)]
		.tag;
		}
		authSet.Contains(mFdp.ConsumeBool() ? tag : mFdp.PickValueInArray(kTagArray));
		},
		[&]() { // invoke 'GetTagCount()'
		Tag tag = Tag::INVALID;
		if (authSet.size() > 0) {
		tag = authSet[mFdp.ConsumeIntegralInRange<size_t>(0, authSet.size() - 1)]
		.tag;
		}
		authSet.GetTagCount(mFdp.ConsumeBool() ? tag
		: mFdp.PickValueInArray(kTagArray));
		},
		[&]() { // invoke 'erase()'
		if (authSet.size() > 0) {
		authSet.erase(mFdp.ConsumeIntegralInRange<size_t>(0, authSet.size() - 1));
		}
		},
		});
		invokeAuthSetAPI();
		}
		authSet.Clear();
		}

		extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
		KeyMintAuthSetFuzzer kmAuthSetFuzzer(data, size);
		kmAuthSetFuzzer.process();
		return 0;
		}

		} // namespace android::hardware::security::keymint_support::fuzzer