| Name | Date | Size | #Lines | LOC |
|------|------|------|--------|-----|
| Android.bp | 25-Apr-2025 | 3 KiB | 121 | 113 |
| README.md | 25-Apr-2025 | 5.1 KiB | 132 | 115 |
| keymint_attestation_fuzzer.cpp | 25-Apr-2025 | 6.3 KiB | 166 | 126 |
| keymint_authSet_fuzzer.cpp | 25-Apr-2025 | 7.8 KiB | 176 | 151 |
| keymint_common.h | 25-Apr-2025 | 10.2 KiB | 261 | 230 |
| keymint_remote_prov_fuzzer.cpp | 25-Apr-2025 | 4 KiB | 112 | 76 |
| keymint_rkpsupport_fuzzer.cpp | 25-Apr-2025 | 2.4 KiB | 66 | 41 |

README.md

# Fuzzers for libkeymint_support

## Plugin Design Considerations
The fuzzer plugins for libkeymint_support are designed based on an understanding of the source code and try to achieve the following:

#### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzers.

#### Maximize utilization of input data
The plugins feed the entire input data to the module. This ensures that the plugins tolerate any kind of input (empty, huge, malformed, etc.) and don't `exit()` on any input, thereby increasing the chance of identifying vulnerabilities.
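
The two goals above, shown as an added example that is not code from this directory: a libFuzzer-style entry point that derives the `challengeSize`, `challenge` and `numKeys` parameters listed for KeyMintRemoteProv further down from the input bytes. `ByteSource` is a simplified stand-in for FuzzedDataProvider, and `RemoteProvParams`, `DeriveParams` and the `extra` field are hypothetical names.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified stand-in for FuzzedDataProvider (assumption): once the input is
// exhausted it returns 0 or a shorter vector instead of failing.
class ByteSource {
  public:
    ByteSource(const uint8_t* data, size_t size) : data_(data), size_(size) {}
    uint8_t ConsumeU8() { return pos_ < size_ ? data_[pos_++] : 0; }
    std::vector<uint8_t> ConsumeBytes(size_t n) {
        n = std::min(n, size_ - pos_);
        std::vector<uint8_t> out(data_ + pos_, data_ + pos_ + n);
        pos_ += n;
        return out;
    }
  private:
    const uint8_t* data_;
    size_t size_, pos_ = 0;
};

// Field names follow the KeyMintRemoteProv table; `extra` is hypothetical.
struct RemoteProvParams {
    uint8_t challengeSize = 0, numKeys = 0;
    std::vector<uint8_t> challenge, extra;  // extra: leftover bytes, nothing discarded
};

RemoteProvParams DeriveParams(const uint8_t* data, size_t size) {
    ByteSource src(data, size);
    RemoteProvParams p;
    p.challengeSize = src.ConsumeU8();                // chosen by the input, not hardcoded
    p.challenge = src.ConsumeBytes(p.challengeSize);  // shorter if the input runs out
    p.numKeys = src.ConsumeU8();
    p.extra = src.ConsumeBytes(size);                 // clamped to whatever remains
    return p;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    DeriveParams(data, size);  // a real plugin hands the result to the library here
    return 0;                  // never exit() or abort on odd input
}

int main() {
    const uint8_t sample[] = {2, 0xAA, 0xBB, 5, 9, 9};  // constructed input
    RemoteProvParams p = DeriveParams(sample, sizeof(sample));
    std::printf("challenge=%zu numKeys=%u\n", p.challenge.size(), unsigned(p.numKeys));
    return LLVMFuzzerTestOneInput(nullptr, 0);  // empty input must be tolerated
}
```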

## Table of contents
+ [keymint_attestation_fuzzer](#KeyMintAttestation)
+ [keymint_authSet_fuzzer](#KeyMintAuthSet)
+ [keymint_remote_prov_fuzzer](#KeyMintRemoteProv)
+ [keymint_rkpsupport_fuzzer](#KeyMintRemoteKeyProvSupport)

# <a name="KeyMintAttestation"></a> Fuzzer for KeyMintAttestation
KeyMintAttestation supports the following parameters:
1. PaddingMode (parameter name: "padding")
2. Digest (parameter name: "digest")
3. Index (parameter name: "idx")
4. Timestamp (parameter name: "timestamp")
5. AuthSet (parameter name: "authSet")
6. IssuerSubjectName (parameter name: "issuerSubjectName")
7. AttestationChallenge (parameter name: "challenge")
8. AttestationApplicationId (parameter name: "id")
9. EcCurve (parameter name: "ecCurve")
10. BlockMode (parameter name: "blockmode")
11. minMacLength (parameter name: "minMacLength")
12. macLength (parameter name: "macLength")

| Parameter| Valid Values| Configured Value|
|------------- |--------------| -------------------- |
|`padding`| `PaddingMode` |Value obtained from FuzzedDataProvider|
|`digest`| `Digest` |Value obtained from FuzzedDataProvider|
|`idx`| `size_t` |Value obtained from FuzzedDataProvider|
|`timestamp`| `uint64_t` |Value obtained from FuzzedDataProvider|
|`authSet`| `uint32_t` |Value obtained from FuzzedDataProvider|
|`issuerSubjectName`| `uint8_t` |Value obtained from FuzzedDataProvider|
|`AttestationChallenge`| `string` |Value obtained from FuzzedDataProvider|
|`AttestationApplicationId`| `string` |Value obtained from FuzzedDataProvider|
|`blockmode`| `BlockMode` |Value obtained from FuzzedDataProvider|
|`minMacLength`| `uint32_t` |Value obtained from FuzzedDataProvider|
|`macLength`| `uint32_t` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_attestation_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_attestation_fuzzer/keymint_attestation_fuzzer
```

# <a name="KeyMintAuthSet"></a> Fuzzer for KeyMintAuthSet
KeyMintAuthSet supports the following parameters:
1. AuthorizationSet (parameter name: "authSet")
2. AuthorizationSet (parameter name: "params")
3. KeyParameters (parameter name: "numKeyParam")
4. Tag (parameter name: "tag")

| Parameter| Valid Values| Configured Value|
|------------- |--------------| -------------------- |
|`authSet`| `AuthorizationSet` |Value obtained from FuzzedDataProvider|
|`params`| `AuthorizationSet` |Value obtained from FuzzedDataProvider|
|`numKeyParam`| `size_t` |Value obtained from FuzzedDataProvider|
|`tag`| `Tag` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_authSet_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_authSet_fuzzer/keymint_authSet_fuzzer
```

# <a name="KeyMintRemoteProv"></a> Fuzzer for KeyMintRemoteProv
KeyMintRemoteProv supports the following parameters:
1. ChallengeSize (parameter name: "challengeSize")
2. Challenge (parameter name: "challenge")
3. NumKeys (parameter name: "numKeys")

| Parameter| Valid Values| Configured Value|
|------------- |--------------| -------------------- |
|`challengeSize`| `uint8_t` |Value obtained from FuzzedDataProvider|
|`challenge`| `std::vector<uint8_t>` |Value obtained from FuzzedDataProvider|
|`numKeys`| `uint8_t` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_remote_prov_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_remote_prov_fuzzer/keymint_remote_prov_fuzzer
```

# <a name="KeyMintRemoteKeyProvSupport"></a> Fuzzer for KeyMintRemoteKeyProvSupport
KeyMintRemoteKeyProvSupport supports the following parameters:
1. SupportedEekCurve (parameter name: "supportedEekCurve")
2. Length (parameter name: "length")
3. SerialNumberProp (parameter name: "serialNoProp")
4. InstanceName (parameter name: "instanceName")
5. Value (parameter name: "value")

| Parameter| Valid Values| Configured Value|
|------------- |--------------| -------------------- |
|`supportedEekCurve`| `uint8_t` |Value obtained from FuzzedDataProvider|
|`length`| `uint8_t` |Value obtained from FuzzedDataProvider|
|`serialNoProp`| `string` |Value obtained from FuzzedDataProvider|
|`instanceName`| `string` |Value obtained from FuzzedDataProvider|
|`value`| `uint8_t` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_rkpsupport_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_rkpsupport_fuzzer/keymint_rkpsupport_fuzzer
```