• Home
Name Date Size #Lines LOC

..--

Android.bpD03-May-20242.1 KiB7067

README.mdD03-May-20242.5 KiB5745

mediadrm_fuzzer.cppD03-May-202416.1 KiB459343

README.md

1# Fuzzer for libmediadrm
2
3## Plugin Design Considerations
4The fuzzer plugin for libmediadrm is designed based on the understanding of the
5library and tries to achieve the following:
6
7##### Maximize code coverage
8The configuration parameters are not hardcoded, but instead selected based on
9incoming data. This ensures more code paths are reached by the fuzzer.
10
11libmediadrm supports the following parameters:
121. Security Level (parameter name: `securityLevel`)
132. Mime Type (parameter name: `mimeType`)
143. Key Type (parameter name: `keyType`)
154. Crypto Mode (parameter name: `cryptoMode`)
16
17| Parameter| Valid Values| Configured Value|
18|------------- |-------------| ----- |
19| `securityLevel` | 0.`DrmPlugin::kSecurityLevelUnknown` 1.`DrmPlugin::kSecurityLevelMax` 2.`DrmPlugin::kSecurityLevelSwSecureCrypto` 3.`DrmPlugin::kSecurityLevelSwSecureDecode`  4.`DrmPlugin::kSecurityLevelHwSecureCrypto` 5.`DrmPlugin::kSecurityLevelHwSecureDecode` 6.`DrmPlugin::kSecurityLevelHwSecureAll`| Value obtained from FuzzedDataProvider in the range 0 to 6|
20| `mimeType` | 0.`video/mp4` 1.`video/mpeg` 2.`video/x-flv` 3.`video/mj2` 4.`video/3gp2` 5.`video/3gpp` 6.`video/3gpp2` 7.`audio/mp4` 8.`audio/mpeg` 9.`audio/aac` 10.`audio/3gp2` 11.`audio/3gpp` 12.`audio/3gpp2` 13.`video/unknown`| Value obtained from FuzzedDataProvider in the range 0 to 13|
21| `keyType` | 0.`DrmPlugin::kKeyType_Offline` 1.`DrmPlugin::kKeyType_Streaming` 2.`DrmPlugin::kKeyType_Release` | Value obtained from FuzzedDataProvider in the range 0 to 2|
22| `cryptoMode` | 0.`CryptoPlugin::kMode_Unencrypted` 1.`CryptoPlugin::kMode_AES_CTR` 2.`CryptoPlugin::kMode_AES_WV` 3.`CryptoPlugin::kMode_AES_CBC` | Value obtained from FuzzedDataProvider in the range 0 to 3|
23
24This also ensures that the plugin is always deterministic for any given input.
25
26##### Maximize utilization of input data
27The plugin feeds the entire input data to the drm module.
28This ensures that the plugin tolerates any kind of input (empty, huge,
29malformed, etc) and doesnt `exit()` on any input and thereby increasing the
30chance of identifying vulnerabilities.
31
32## Build
33
34This describes steps to build mediadrm_fuzzer binary.
35
36### Android
37
38#### Steps to build
39Build the fuzzer
40```
41  $ mm -j$(nproc) mediadrm_fuzzer
42```
43#### Steps to run
44Create a directory CORPUS_DIR
45```
46  $ adb shell mkdir CORPUS_DIR
47```
48To run on device
49```
50  $ adb sync data
51  $ adb shell /data/fuzz/${TARGET_ARCH}/mediadrm_fuzzer/mediadrm_fuzzer CORPUS_DIR
52```
53
54## References:
55 * http://llvm.org/docs/LibFuzzer.html
56 * https://github.com/google/oss-fuzz
57