Fuzzing

Fuzz tests use libFuzzer to test the SAPI _Prepare and _Complete functions.

Building fuzz tests is enabled with the --with-fuzzing= option, which accepts two values: libfuzzer and ossfuzz.

libFuzzer

libFuzzer tests can be built natively or using the docker fuzzing target.

Natively

Build the fuzz tests by setting --with-fuzzing=libfuzzer and statically linking to the fuzzing TCTI.

export GEN_FUZZ=1

./bootstrap
./configure \
  CC=clang \
  CXX=clang++ \
  --enable-debug \
  --with-fuzzing=libfuzzer \
  --enable-tcti-fuzzing \
  --enable-tcti-device=no \
  --enable-tcti-mssim=no \
  --with-maxloglevel=none \
  --disable-shared

make -j $(nproc) check

Run the fuzz tests by executing any binary ending in .fuzz in test/fuzz/.

./test/fuzz/Tss2_Sys_ZGen_2Phase_Prepare.fuzz

Docker

Build the fuzz targets and check that they work by building the fuzzing docker target.

docker build --target fuzzing -t tpm2-tss:fuzzing .

Run a fuzz target, mounting a host directory into the container as the place where libFuzzer stores any findings it produces (the -artifact_prefix option points libFuzzer at that mount). Note that docker options such as -v must come before the image name:

docker run --rm -ti \
  -v "${PWD}/findings_dir":/artifacts \
  tpm2-tss:fuzzing \
  ./test/fuzz/Tss2_Sys_PolicyPhysicalPresence_Prepare.fuzz \
  -artifact_prefix=/artifacts

OSS Fuzz

OSS fuzz integration can be found under the tpm2-tss project in OSS Fuzz.

The Dockerfile there builds the dependencies. build.sh runs the same compilation as the fuzzing target of the Dockerfile in this repo, but with --with-fuzzing=ossfuzz.

Hacking

Currently only fuzz targets for the System API have been implemented.

TCTI

The fuzzing TCTI is used as a temporary storage location for the Data and Size arguments of LLVMFuzzerTestOneInput.

For _Complete calls the TCTI uses Data and Size as the response buffer and response size for TSS2_TCTI_RECEIVE.

SAPI

Fuzz tests are generated via script/gen_fuzz.py.

Setting GEN_FUZZ=1 when running bootstrap will run script/gen_fuzz.py.

GEN_FUZZ=1 ./bootstrap

script/gen_fuzz.py reads the SAPI header file and generates a fuzz target for each _Prepare and _Complete call using similar templates.

For _Prepare calls the fuzz_fill function in the fuzzing TCTI fills each TPM2 structure used by copying from LLVMFuzzerTestOneInput's Data into it.
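As an added illustration (not tpm2-tss code), the following self-contained C model shows how the fuzzing TCTI described in the TCTI and SAPI sections parks Data and Size and serves both paths: fuzz_fill consuming Data into a structure for _Prepare, and the receive call handing Data back as the response for _Complete. The context layout, fuzz_tcti_init, fuzz_tcti_receive, the zero-padding on short input and the TPM2B_SMALL type are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in for the fuzzing TCTI context: it only parks the
 * Data/Size pair handed to LLVMFuzzerTestOneInput plus a read cursor. */
typedef struct {
    const uint8_t *data;   /* LLVMFuzzerTestOneInput's Data */
    size_t size;           /* LLVMFuzzerTestOneInput's Size */
    size_t offset;         /* bytes already consumed by fuzz_fill */
} fuzz_tcti_ctx;

static fuzz_tcti_ctx g_ctx;

void fuzz_tcti_init(const uint8_t *data, size_t size)
{
    g_ctx.data = data; g_ctx.size = size; g_ctx.offset = 0;
}

/* _Prepare path: copy the next len bytes of Data into a TPM2 structure.
 * Assumption: when the input runs short, the remainder is zero-filled so
 * the _Prepare call always sees a fully initialised structure. */
size_t fuzz_fill(void *dst, size_t len)
{
    size_t avail = g_ctx.size - g_ctx.offset;
    size_t n = len < avail ? len : avail;
    memcpy(dst, g_ctx.data + g_ctx.offset, n);
    memset((uint8_t *)dst + n, 0, len - n);
    g_ctx.offset += n;
    return n;   /* bytes actually taken from Data */
}

/* _Complete path: the receive call returns Data as the response buffer. */
int fuzz_tcti_receive(uint8_t *response, size_t *response_size)
{
    if (*response_size < g_ctx.size)
        return -1;  /* caller's buffer too small for the fuzz input */
    memcpy(response, g_ctx.data, g_ctx.size);
    *response_size = g_ctx.size;
    return 0;
}

/* Constructed stand-in for a TPM2 command parameter (not a real TSS2 type). */
typedef struct { uint16_t size; uint8_t buffer[8]; } TPM2B_SMALL;

/* Shape of a generated _Prepare harness: park Data/Size, fill the structs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    TPM2B_SMALL in;
    fuzz_tcti_init(data, size);
    fuzz_fill(&in, sizeof in);
    /* A real harness would call Tss2_Sys_Xxx_Prepare(sys_ctx, ..., &in) here. */
    return 0;
}
```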

License

This work is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).