1# Fuzzer for android.hardware.drm@1.4-service.clearkey 2 3## Plugin Design Considerations 4The fuzzer plugin for android.hardware.drm@1.4-service.clearkey is designed based on the understanding of the 5source code and tries to achieve the following: 6 7##### Maximize code coverage 8The configuration parameters are not hardcoded, but instead selected based on 9incoming data. This ensures more code paths are reached by the fuzzer. 10 11android.hardware.drm@1.4-service.clearkey supports the following parameters: 121. Security Level (parameter name: `securityLevel`) 132. Mime Type (parameter name: `mimeType`) 143. Key Type (parameter name: `keyType`) 154. Crypto Mode (parameter name: `cryptoMode`) 16 17| Parameter| Valid Values| Configured Value| 18|------------- |-------------| ----- | 19| `securityLevel` | 0.`SecurityLevel::UNKNOWN` 1.`SecurityLevel::SW_SECURE_CRYPTO` 2.`SecurityLevel::SW_SECURE_DECODE` 3.`SecurityLevel::HW_SECURE_CRYPTO` 4.`SecurityLevel::HW_SECURE_DECODE` 5.`SecurityLevel::HW_SECURE_ALL`| Value obtained from FuzzedDataProvider in the range 0 to 5| 20| `mimeType` | 0.`video/mp4` 1.`video/mpeg` 2.`video/x-flv` 3.`video/mj2` 4.`video/3gp2` 5.`video/3gpp` 6.`video/3gpp2` 7.`audio/mp4` 8.`audio/mpeg` 9.`audio/aac` 10.`audio/3gp2` 11.`audio/3gpp` 12.`audio/3gpp2` 13.`audio/webm` 14.`video/webm` 15.`webm` 16.`cenc` 17.`video/unknown` 18.`audio/unknown`| Value obtained from FuzzedDataProvider in the range 0 to 18| 21| `keyType` | 0.`KeyType::OFFLINE` 1.`KeyType::STREAMING` 2.`KeyType::RELEASE` | Value obtained from FuzzedDataProvider in the range 0 to 2| 22| `cryptoMode` | 0.`Mode::UNENCRYPTED` 1.`Mode::AES_CTR` 2.`Mode::AES_CBC_CTS` 3.`Mode::AES_CBC` | Value obtained from FuzzedDataProvider in the range 0 to 3| 23 24This also ensures that the plugin is always deterministic for any given input. 25 26##### Maximize utilization of input data 27The plugin feeds the entire input data to the module. 28This ensures that the plugin tolerates any kind of input (empty, huge, 29malformed, etc) and doesnt `exit()` on any input and thereby increasing the 30chance of identifying vulnerabilities. 31 32## Build 33 34This describes steps to build clearkeyV1.4_fuzzer binary. 35 36### Android 37 38#### Steps to build 39Build the fuzzer 40``` 41 $ mm -j$(nproc) clearkeyV1.4_fuzzer 42``` 43#### Steps to run 44To run on device 45``` 46 $ adb sync data 47 $ adb shell /data/fuzz/${TARGET_ARCH}/clearkeyV1.4_fuzzer/vendor/hw/clearkeyV1.4_fuzzer 48``` 49 50## References: 51 * http://llvm.org/docs/LibFuzzer.html 52 * https://github.com/google/oss-fuzz 53