Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-02 17:31:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3935a3fa5de8e00a7f5ca3360c2bf09d07126d52
hardware_interfaces/security/keymint/support/fuzzer
History
Akhilesh Sanikop aae715f927 Updated fuzz_config in Android.bp file 
Added fuzz_config and its fields like - cc, componentid,
hotlists, description, vector, service_privilege,
users & fuzzed_code_usage.

Bug: 306435930
Test: Build the updated fuzz targets

Change-Id: Ib537f4c4c98860de431e33dedbd106930cf8e45a
2024-07-16 16:17:20 +05:30
..
Android.bp
Updated fuzz_config in Android.bp file
2024-07-16 16:17:20 +05:30
keymint_attestation_fuzzer.cpp
Added keymint_attestation_fuzzer
2024-05-13 23:46:36 +05:30
keymint_authSet_fuzzer.cpp
Added keymint_authSet_fuzzer
2024-05-13 23:47:19 +05:30
keymint_common.h
Added keymint_attestation_fuzzer
2024-05-13 23:46:36 +05:30
keymint_remote_prov_fuzzer.cpp
Added keymint_remote_prov_fuzzer
2024-07-03 15:07:33 +05:30
keymint_rkpsupport_fuzzer.cpp
Added keymint_rkpsupport_fuzzer
2024-07-03 15:07:54 +05:30
README.md
Added keymint_rkpsupport_fuzzer
2024-07-03 15:07:54 +05:30

README.md

Fuzzers for libkeymint_support

Plugin Design Considerations

The fuzzer plugins for libkeymint_support are designed based on the understanding of the source code and try to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzers.

Maximize utilization of input data

The plugins feed the entire input data to the module. This ensures that the plugins tolerate any kind of input (empty, huge, malformed, etc) and dont exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Table of contents

Fuzzer for KeyMintAttestation

KeyMintAttestation supports the following parameters:

  1. PaddingMode(parameter name: "padding")
  2. Digest(parameter name: "digest")
  3. Index(parameter name: "idx")
  4. Timestamp(parameter name: "timestamp")
  5. AuthSet(parameter name: "authSet")
  6. IssuerSubjectName(parameter name: "issuerSubjectName")
  7. AttestationChallenge(parameter name: "challenge")
  8. AttestationApplicationId(parameter name: "id")
  9. EcCurve(parameter name: "ecCurve")
  10. BlockMode(parameter name: "blockmode")
  11. minMacLength(parameter name: "minMacLength")
  12. macLength(parameter name: "macLength")
Parameter Valid Values Configured Value
padding PaddingMode Value obtained from FuzzedDataProvider
digest Digest Value obtained from FuzzedDataProvider
idx size_t Value obtained from FuzzedDataProvider
timestamp uint64_t Value obtained from FuzzedDataProvider
authSet uint32_t Value obtained from FuzzedDataProvider
issuerSubjectName uint8_t Value obtained from FuzzedDataProvider
AttestationChallenge string Value obtained from FuzzedDataProvider
AttestationApplicationId string Value obtained from FuzzedDataProvider
blockmode BlockMode Value obtained from FuzzedDataProvider
minMacLength uint32_t Value obtained from FuzzedDataProvider
macLength uint32_t Value obtained from FuzzedDataProvider

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_attestation_fuzzer
  1. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_attestation_fuzzer/keymint_attestation_fuzzer

Fuzzer for KeyMintAuthSet

KeyMintAuthSet supports the following parameters:

  1. AuthorizationSet(parameter name: "authSet")
  2. AuthorizationSet(parameter name: "params")
  3. KeyParameters(parameter name: "numKeyParam")
  4. Tag(parameter name: "tag")
Parameter Valid Values Configured Value
authSet AuthorizationSet Value obtained from FuzzedDataProvider
params AuthorizationSet Value obtained from FuzzedDataProvider
numKeyParam size_t Value obtained from FuzzedDataProvider
tag Tag Value obtained from FuzzedDataProvider

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_authSet_fuzzer
  1. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_authSet_fuzzer/keymint_authSet_fuzzer

Fuzzer for KeyMintRemoteProv

KeyMintRemoteProv supports the following parameters:

  1. ChallengeSize(parameter name: "challengeSize")
  2. Challenge(parameter name: "challenge")
  3. NumKeys(parameter name: "numKeys")
Parameter Valid Values Configured Value
challengeSize uint8_t Value obtained from FuzzedDataProvider
challenge std::vector<uint8_t> Value obtained from FuzzedDataProvider
numKeys uint8_t Value obtained from FuzzedDataProvider

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_remote_prov_fuzzer
  1. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_remote_prov_fuzzer/keymint_remote_prov_fuzzer

Fuzzer for KeyMintRemoteKeyProvSupport

KeyMintRemoteKeyProvSupport supports the following parameters:

  1. SupportedEekCurve(parameter name: "supportedEekCurve")
  2. Length(parameter name: "length")
  3. SerialNumberProp(parameter name: "serialNoProp")
  4. InstanceName(parameter name: "instanceName")
  5. Value(parameter name: "value")
Parameter Valid Values Configured Value
supportedEekCurve uint8_t Value obtained from FuzzedDataProvider
length uint8_t Value obtained from FuzzedDataProvider
serialNoProp string Value obtained from FuzzedDataProvider
instanceName string Value obtained from FuzzedDataProvider
value uint8_t Value obtained from FuzzedDataProvider

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) keymint_rkpsupport_fuzzer
  1. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_rkpsupport_fuzzer/keymint_rkpsupport_fuzzer
Reference in New Issue View Git Blame Copy Permalink