• Home
Name Date Size #Lines LOC

..--

Android.bpD06-Sep-20243.2 KiB106101

README.mdD06-Sep-20242.1 KiB6046

camera_service_aidl_fuzzer.cppD06-Sep-2024958 2910

camera_service_fuzzer.cppD06-Sep-202426.6 KiB667561

README.md

1# Fuzzer for libcameraservice
2
3## Plugin Design Considerations
4The fuzzer plugin is designed based on the understanding of the
5library and tries to achieve the following:
6
7##### Maximize code coverage
8The configuration parameters are not hardcoded, but instead selected based on
9incoming data. This ensures more code paths are reached by the fuzzer.
10
11libcameraservice supports the following parameters:
121. Camera Type (parameter name: `cameraType`)
132. Camera API Version (parameter name: `cameraAPIVersion`)
143. Event ID (parameter name: `eventId`)
154. Camera Sound Kind (parameter name: `soundKind`)
165. Shell Command (parameter name: `shellCommand`)
17
18| Parameter| Valid Values| Configured Value|
19|------------- |-------------| ----- |
20| `cameraType` | 0. `CAMERA_TYPE_BACKWARD_COMPATIBLE` 1. `CAMERA_TYPE_ALL` | Value obtained from FuzzedDataProvider |
21| `cameraAPIVersion` |  0. `API_VERSION_1` 1. `API_VERSION_2` | Value obtained from FuzzedDataProvider |
22| `eventId` |  0. `EVENT_USER_SWITCHED` 1. `EVENT_NONE` | Value obtained from FuzzedDataProvider |
23| `soundKind` |  0. `SOUND_SHUTTER` 1. `SOUND_RECORDING_START` 2. `SOUND_RECORDING_STOP`| Value obtained from FuzzedDataProvider |
24| `shellCommand` |  0. `set-uid-state` 1. `reset-uid-state` 2. `get-uid-state` 3. `set-rotate-and-crop` 4. `get-rotate-and-crop` 5. `help`| Value obtained from FuzzedDataProvider |
25
26This also ensures that the plugin is always deterministic for any given input.
27
28##### Maximize utilization of input data
29The plugin tolerates any kind of input (empty, huge,
30malformed, etc) and doesn't `exit()` on any input and thereby increasing the
31chance of identifying vulnerabilities.
32
33## Build
34
35This describes steps to build camera_service_fuzzer binary.
36
37### Android
38
39#### Steps to build
40Build the fuzzer
41```
42  $ mm -j$(nproc) camera_service_fuzzer
43```
44
45#### Steps to run
46Create a directory CORPUS_DIR
47```
48  $ adb shell mkdir CORPUS_DIR
49```
50
51To run on device
52```
53  $ adb sync data
54  $ adb shell /data/fuzz/arm64/camera_service_fuzzer/camera_service_fuzzer CORPUS_DIR
55```
56
57## References:
58 * http://llvm.org/docs/LibFuzzer.html
59 * https://github.com/google/oss-fuzz
60