# Fuzzers for libkeymint_support

## Plugin Design Considerations
The fuzzer plugins for libkeymint_support are designed based on the understanding of the source code and try to achieve the following:

#### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzers.

#### Maximize utilization of input data
The plugins feed the entire input data to the module. This ensures that the plugins tolerate any kind of input (empty, huge, malformed, etc.) and don't `exit()` on any input, thereby increasing the chance of identifying vulnerabilities.

## Table of contents
+ [keymint_attestation_fuzzer](#KeyMintAttestation)
+ [keymint_authSet_fuzzer](#KeyMintAuthSet)

# <a name="KeyMintAttestation"></a> Fuzzer for KeyMintAttestation
KeyMintAttestation supports the following parameters:
1. PaddingMode (parameter name: "padding")
2. Digest (parameter name: "digest")
3. Index (parameter name: "idx")
4. Timestamp (parameter name: "timestamp")
5. AuthSet (parameter name: "authSet")
6. IssuerSubjectName (parameter name: "issuerSubjectName")
7. AttestationChallenge (parameter name: "challenge")
8. AttestationApplicationId (parameter name: "id")
9. EcCurve (parameter name: "ecCurve")
10. BlockMode (parameter name: "blockmode")
11. minMacLength (parameter name: "minMacLength")
12. macLength (parameter name: "macLength")

| Parameter| Valid Values| Configured Value|
|------------- |--------------| -------------------- |
|`padding`| `PaddingMode` |Value obtained from FuzzedDataProvider|
|`digest`| `Digest` |Value obtained from FuzzedDataProvider|
|`idx`| `size_t` |Value obtained from FuzzedDataProvider|
|`timestamp`| `uint64_t` |Value obtained from FuzzedDataProvider|
|`authSet`| `uint32_t` |Value obtained from FuzzedDataProvider|
|`issuerSubjectName`| `uint8_t` |Value obtained from FuzzedDataProvider|
|`AttestationChallenge`| `string` |Value obtained from FuzzedDataProvider|
|`AttestationApplicationId`| `string` |Value obtained from FuzzedDataProvider|
|`blockmode`| `BlockMode` |Value obtained from FuzzedDataProvider|
|`minMacLength`| `uint32_t` |Value obtained from FuzzedDataProvider|
|`macLength`| `uint32_t` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_attestation_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_attestation_fuzzer/keymint_attestation_fuzzer
```

# <a name="KeyMintAuthSet"></a> Fuzzer for KeyMintAuthSet
KeyMintAuthSet supports the following parameters:
1. AuthorizationSet (parameter name: "authSet")
2. AuthorizationSet (parameter name: "params")
3. KeyParameters (parameter name: "numKeyParam")
4. Tag (parameter name: "tag")

| Parameter| Valid Values| Configured Value|
|------------- |--------------| -------------------- |
|`authSet`| `AuthorizationSet` |Value obtained from FuzzedDataProvider|
|`params`| `AuthorizationSet` |Value obtained from FuzzedDataProvider|
|`numKeyParam`| `size_t` |Value obtained from FuzzedDataProvider|
|`tag`| `Tag` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_authSet_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_authSet_fuzzer/keymint_authSet_fuzzer
```
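
An added example, not taken from the libkeymint_support sources, of the two design considerations at the top of this page: every parameter is derived from the input bytes, and an empty or truncated input is handled without exiting. The `Reader` class, the enum values, `AttestationConfig` and `BuildConfig` are hypothetical stand-ins for FuzzedDataProvider and the KeyMint types.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed stand-in enums; the enumerators are NOT the real KeyMint values.
enum class Padding : uint8_t { kNone, kOaep, kPss, kPkcs7, kMaxValue = kPkcs7 };
enum class Digest : uint8_t { kNone, kSha1, kSha256, kMaxValue = kSha256 };

// Hypothetical minimal reader, loosely modelled on FuzzedDataProvider: when
// the input runs out it returns defaults instead of failing.
class Reader {
  public:
    Reader(const uint8_t* data, size_t size) : p_(data), n_(size) {}
    uint8_t Byte() { return n_ ? (--n_, *p_++) : 0; }
    template <typename E> E Enum() {  // any byte maps onto a valid enumerator
        return static_cast<E>(Byte() % (static_cast<uint8_t>(E::kMaxValue) + 1));
    }
    uint32_t U32() {  // big-endian, zero-padded when fewer than 4 bytes remain
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v = (v << 8) | Byte();
        return v;
    }
    std::string Rest() {  // consume everything that is left
        if (n_ == 0) return {};
        std::string s(reinterpret_cast<const char*>(p_), n_);
        p_ += n_; n_ = 0;
        return s;
    }
  private:
    const uint8_t* p_;
    size_t n_;
};

struct AttestationConfig { Padding padding; Digest digest; uint32_t macLength; std::string challenge; };
// Every field comes from the input bytes; nothing is hardcoded.
AttestationConfig BuildConfig(const uint8_t* data, size_t size) {
    Reader r(data, size);
    AttestationConfig c;
    c.padding = r.Enum<Padding>();
    c.digest = r.Enum<Digest>();
    c.macLength = r.U32();
    c.challenge = r.Rest();
    return c;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    (void)BuildConfig(data, size);  // a real harness hands the config to the library under test
    return 0;  // empty or malformed input is not an error: never exit()
}
```

Outside the Android build, a harness of this shape links against libFuzzer with `clang++ -fsanitize=fuzzer`.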