Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f7b8a597 authored by Stephen Crane's avatar Stephen Crane
Browse files

trusty: Add simple fuzzer for keymaster TA 

Adds a simple libfuzzer-based coverage guided fuzzer for keymaster.
Current coverage is low, so we'll need to improve this with an initial
corpus or a more sophisticated protocol aware fuzzer.

Bug: 175918322
Test: make trusty_keymaster_fuzzer
Test: adb shell /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Change-Id: Iad1713e1a73cc5a6a3ec742cc433d1337aca9bc3
parent 6735f847

trusty/keymaster/fuzz/Android.bp

0 → 100644
+19 −0
Original line number Diff line number Diff line 
// Copyright (C) 2020 The Android Open Source Project

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//       http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.



cc_fuzz {

    name: "trusty_keymaster_fuzzer",

    defaults: ["trusty_fuzzer_defaults"],

    srcs: ["fuzz.cpp"],

}

trusty/keymaster/fuzz/fuzz.cpp

0 → 100644
+80 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



#undef NDEBUG



#include <assert.h>

#include <log/log.h>

#include <stdlib.h>

#include <trusty/coverage/coverage.h>

#include <trusty/fuzz/counters.h>

#include <trusty/fuzz/utils.h>

#include <unistd.h>

#include <iostream>



using android::trusty::coverage::CoverageRecord;

using android::trusty::fuzz::ExtraCounters;

using android::trusty::fuzz::TrustyApp;



#define TIPC_DEV "/dev/trusty-ipc-dev0"

#define KEYMASTER_PORT "com.android.trusty.keymaster"

#define KEYMASTER_MODULE_FILENAME "keymaster.syms.elf"



/* Keymaster TA's UUID is 5f902ace-5e5c-4cd8-ae54-87b88c22ddaf */

static struct uuid keymaster_uuid = {

        0x5f902ace,

        0x5e5c,

        0x4cd8,

        {0xae, 0x54, 0x87, 0xb8, 0x8c, 0x22, 0xdd, 0xaf},

};



static CoverageRecord record(TIPC_DEV, &keymaster_uuid, KEYMASTER_MODULE_FILENAME);



extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {

    auto ret = record.Open();

    if (!ret.ok()) {

        std::cerr << ret.error() << std::endl;

        exit(-1);

    }

    return 0;

}



extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    static uint8_t buf[TIPC_MAX_MSG_SIZE];



    ExtraCounters counters(&record);

    counters.Reset();



    android::trusty::fuzz::TrustyApp ta(TIPC_DEV, KEYMASTER_PORT);

    auto ret = ta.Connect();

    if (!ret.ok()) {

        android::trusty::fuzz::Abort();

    }



    /* Send message to test server */

    ret = ta.Write(data, size);

    if (!ret.ok()) {

        return -1;

    }



    /* Read message from test server */

    ret = ta.Read(&buf, sizeof(buf));

    if (!ret.ok()) {

        return -1;

    }



    return 0;

}