# Fuzzers for libbtcore

## Plugin Design Considerations

The fuzzer plugins for `libbtcore` are designed based on an understanding of the
source code and aim to achieve the following:

##### Maximize code coverage

The configuration parameters are not hard-coded but are selected from the
incoming data. This ensures that more code paths are reached by the fuzzers.

The fuzzers assign values to the following parameters and pass them on to
libbtcore:
1. Bluetooth Device Type (parameter name: `deviceType`)
2. Bluetooth Adapter Visibility Mode (parameter name: `mode`)
3. Bluetooth Address (parameter name: `btAddress`)
4. Bluetooth Device Class (parameter name: `deviceClassT`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `deviceType` | 0. `BT_DEVICE_DEVTYPE_BREDR` 1. `BT_DEVICE_DEVTYPE_BLE` 2. `BT_DEVICE_DEVTYPE_DUAL` | Value obtained from FuzzedDataProvider |
| `mode` | 0. `BT_SCAN_MODE_NONE` 1. `BT_SCAN_MODE_CONNECTABLE` 2. `BT_SCAN_MODE_CONNECTABLE_DISCOVERABLE` | Value obtained from FuzzedDataProvider |
| `btAddress` | Each byte of the array ranges from `0x0` to `0xFF` | Value obtained from FuzzedDataProvider |
| `deviceClassT` | Each byte of the array ranges from `0x0` to `0xFF` | Value obtained from FuzzedDataProvider |

Because every parameter is derived from the input bytes alone, this also ensures
that the plugins are deterministic for any given input: a crash found with an
input reproduces from that input alone.

##### Maximize utilization of input data

The plugins feed the entire input data to the module.
This ensures that the plugins tolerate any kind of input (empty, huge,
malformed, etc.), never `exit()` on any input, and thereby increase the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the `btcore_device_class_fuzzer`, `btcore_property_fuzzer` and `btcore_module_fuzzer` binaries.
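The selection scheme from the design section above, as an added example that is not the project's fuzzer source: a small stand-in for LLVM's `FuzzedDataProvider` that mirrors its head/tail consumption order, the four parameters picked from the input by index, and the leftover bytes kept whole as the payload for the module. The enum values (assumed to match `hardware/bluetooth.h`), the 6- and 3-octet array widths, the `TinyDataProvider` class and the sample input are assumptions made for this example and are marked as such in the comments.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Stand-in for LLVM's FuzzedDataProvider (assumption: only the behaviour the
// scheme relies on is modelled). Integral values come from the TAIL of the
// input and raw bytes from the HEAD, so the payload stays contiguous.
class TinyDataProvider {
 public:
  TinyDataProvider(const uint8_t* data, size_t size)
      : data_(data), remaining_(size) {}

  // Value in [min, max]; an exhausted input yields `min`, which is what keeps
  // empty or short inputs from aborting the plugin.
  template <typename T>
  T ConsumeIntegralInRange(T min, T max) {
    const uint64_t range =
        static_cast<uint64_t>(max) - static_cast<uint64_t>(min);
    uint64_t result = 0;
    size_t bits = 0;
    while (bits < sizeof(T) * 8 && (range >> bits) > 0 && remaining_ != 0) {
      --remaining_;
      result = (result << 8) | data_[remaining_];
      bits += 8;
    }
    if (range != std::numeric_limits<uint64_t>::max()) result %= range + 1;
    return static_cast<T>(static_cast<uint64_t>(min) + result);
  }

  // Everything not consumed as a parameter is handed to the module unchanged.
  std::vector<uint8_t> ConsumeRemainingBytes() {
    std::vector<uint8_t> out;
    if (remaining_ != 0) out.assign(data_, data_ + remaining_);
    data_ += remaining_;
    remaining_ = 0;
    return out;
  }

 private:
  const uint8_t* data_;
  size_t remaining_;
};

// Candidate values in the order the table lists them. Numeric values are an
// assumption (taken from hardware/bluetooth.h); only the INDEX is fuzzed.
enum bt_device_type_t { BT_DEVICE_DEVTYPE_BREDR = 1, BT_DEVICE_DEVTYPE_BLE = 2,
                        BT_DEVICE_DEVTYPE_DUAL = 3 };
enum bt_scan_mode_t { BT_SCAN_MODE_NONE = 0, BT_SCAN_MODE_CONNECTABLE = 1,
                      BT_SCAN_MODE_CONNECTABLE_DISCOVERABLE = 2 };
static const bt_device_type_t kDeviceTypes[] = {
    BT_DEVICE_DEVTYPE_BREDR, BT_DEVICE_DEVTYPE_BLE, BT_DEVICE_DEVTYPE_DUAL};
static const bt_scan_mode_t kScanModes[] = {
    BT_SCAN_MODE_NONE, BT_SCAN_MODE_CONNECTABLE, BT_SCAN_MODE_CONNECTABLE_DISCOVERABLE};

struct FuzzParams {
  bt_device_type_t deviceType;
  bt_scan_mode_t mode;
  uint8_t btAddress[6];          // assumed width: a BD_ADDR is 6 octets
  uint8_t deviceClassT[3];       // assumed width: Class of Device is 3 octets
  std::vector<uint8_t> payload;  // the rest of the input, fed to the module
};

// Pure function of (data, size): same input, same parameters, so a crash
// reproduces from the input alone. No value is read from time or rand().
FuzzParams SelectParams(const uint8_t* data, size_t size) {
  TinyDataProvider fdp(data, size);
  FuzzParams p{};
  p.deviceType = kDeviceTypes[fdp.ConsumeIntegralInRange<size_t>(0, 2)];
  p.mode = kScanModes[fdp.ConsumeIntegralInRange<size_t>(0, 2)];
  for (uint8_t& b : p.btAddress) b = fdp.ConsumeIntegralInRange<uint8_t>(0, 0xFF);
  for (uint8_t& b : p.deviceClassT) b = fdp.ConsumeIntegralInRange<uint8_t>(0, 0xFF);
  p.payload = fdp.ConsumeRemainingBytes();
  return p;
}

// libFuzzer entry point; a real plugin would hand `p` to libbtcore here.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzParams p = SelectParams(data, size);
  (void)p;
  return 0;  // never exit(): every input must come back here
}

// Constructed 15-byte input (not a corpus entry): 4 payload bytes at the head,
// then the 11 tail bytes the selector consumes in reverse order.
const uint8_t kSampleInput[] = {0xDE, 0xAD, 0xBE, 0xEF,              // payload
                                0x0C, 0x01, 0x04,                    // deviceClassT, reversed
                                0x66, 0x55, 0x44, 0x33, 0x22, 0x11,  // btAddress, reversed
                                0x01,                                // mode index -> CONNECTABLE
                                0x02};                               // type index -> DUAL
const size_t kSampleInputSize = sizeof(kSampleInput);

int main() {
  FuzzParams p = SelectParams(kSampleInput, kSampleInputSize);
  std::printf("deviceType=%d mode=%d addr=%02x:%02x:%02x:%02x:%02x:%02x payload=%zu bytes\n",
              p.deviceType, p.mode, p.btAddress[0], p.btAddress[1], p.btAddress[2],
              p.btAddress[3], p.btAddress[4], p.btAddress[5], p.payload.size());
  return LLVMFuzzerTestOneInput(nullptr, 0);  // the empty-input tolerance check
}
```

Run stand-alone it prints the parameters chosen for the embedded sample and then exercises the empty-input path, which is the tolerance requirement from the second design goal. When building with `-fsanitize=fuzzer`, drop `main`, since the libFuzzer runtime supplies its own.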
### Android

#### Steps to build

Build the fuzzers:
```
 $ mm -j$(nproc) btcore_device_class_fuzzer
 $ mm -j$(nproc) btcore_property_fuzzer
 $ mm -j$(nproc) btcore_module_fuzzer
```

#### Steps to run

To run on device (the `arm64` path component is the target ABI; substitute the ABI of the device you built for):
```
 $ adb sync data
 $ adb shell /data/fuzz/arm64/btcore_device_class_fuzzer/btcore_device_class_fuzzer
 $ adb shell /data/fuzz/arm64/btcore_property_fuzzer/btcore_property_fuzzer
 $ adb shell /data/fuzz/arm64/btcore_module_fuzzer/btcore_module_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz