# Fuzzers for libkeymint_support

## Plugin Design Considerations
The fuzzer plugins for libkeymint_support are designed based on an understanding of the source code and try to achieve the following:

#### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzers.

#### Maximize utilization of input data
The plugins feed the entire input data to the module. This ensures that the plugins tolerate any kind of input (empty, huge, malformed, etc.) and don't `exit()` on any input, thereby increasing the chance of identifying vulnerabilities.

## Table of contents
+ [keymint_attestation_fuzzer](#KeyMintAttestation)
+ [keymint_authSet_fuzzer](#KeyMintAuthSet)
+ [keymint_remote_prov_fuzzer](#KeyMintRemoteProv)
+ [keymint_rkpsupport_fuzzer](#KeyMintRemoteKeyProvSupport)

# <a name="KeyMintAttestation"></a> Fuzzer for KeyMintAttestation
KeyMintAttestation supports the following parameters:
1. PaddingMode (parameter name: "padding")
2. Digest (parameter name: "digest")
3. Index (parameter name: "idx")
4. Timestamp (parameter name: "timestamp")
5. AuthSet (parameter name: "authSet")
6. IssuerSubjectName (parameter name: "issuerSubjectName")
7. AttestationChallenge (parameter name: "challenge")
8. AttestationApplicationId (parameter name: "id")
9. EcCurve (parameter name: "ecCurve")
10. BlockMode (parameter name: "blockmode")
11. minMacLength (parameter name: "minMacLength")
12. macLength (parameter name: "macLength")

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `padding` | `PaddingMode` | Value obtained from FuzzedDataProvider |
| `digest` | `Digest` | Value obtained from FuzzedDataProvider |
| `idx` | `size_t` | Value obtained from FuzzedDataProvider |
| `timestamp` | `uint64_t` | Value obtained from FuzzedDataProvider |
| `authSet` | `uint32_t` | Value obtained from FuzzedDataProvider |
| `issuerSubjectName` | `uint8_t` | Value obtained from FuzzedDataProvider |
| `AttestationChallenge` | `string` | Value obtained from FuzzedDataProvider |
| `AttestationApplicationId` | `string` | Value obtained from FuzzedDataProvider |
| `blockmode` | `BlockMode` | Value obtained from FuzzedDataProvider |
| `minMacLength` | `uint32_t` | Value obtained from FuzzedDataProvider |
| `macLength` | `uint32_t` | Value obtained from FuzzedDataProvider |

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_attestation_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_attestation_fuzzer/keymint_attestation_fuzzer
```

# <a name="KeyMintAuthSet"></a> Fuzzer for KeyMintAuthSet
KeyMintAuthSet supports the following parameters:
1. AuthorizationSet (parameter name: "authSet")
2. AuthorizationSet (parameter name: "params")
3. KeyParameters (parameter name: "numKeyParam")
4. Tag (parameter name: "tag")

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `authSet` | `AuthorizationSet` | Value obtained from FuzzedDataProvider |
| `params` | `AuthorizationSet` | Value obtained from FuzzedDataProvider |
| `numKeyParam` | `size_t` | Value obtained from FuzzedDataProvider |
| `tag` | `Tag` | Value obtained from FuzzedDataProvider |

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_authSet_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_authSet_fuzzer/keymint_authSet_fuzzer
```

# <a name="KeyMintRemoteProv"></a> Fuzzer for KeyMintRemoteProv
KeyMintRemoteProv supports the following parameters:
1. ChallengeSize (parameter name: "challengeSize")
2. Challenge (parameter name: "challenge")
3. NumKeys (parameter name: "numKeys")

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `challengeSize` | `uint8_t` | Value obtained from FuzzedDataProvider |
| `challenge` | `std::vector<uint8_t>` | Value obtained from FuzzedDataProvider |
| `numKeys` | `uint8_t` | Value obtained from FuzzedDataProvider |

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_remote_prov_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_remote_prov_fuzzer/keymint_remote_prov_fuzzer
```

# <a name="KeyMintRemoteKeyProvSupport"></a> Fuzzer for KeyMintRemoteKeyProvSupport
KeyMintRemoteKeyProvSupport supports the following parameters:
1. SupportedEekCurve (parameter name: "supportedEekCurve")
2. Length (parameter name: "length")
3. SerialNumberProp (parameter name: "serialNoProp")
4. InstanceName (parameter name: "instanceName")
5. Value (parameter name: "value")

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `supportedEekCurve` | `uint8_t` | Value obtained from FuzzedDataProvider |
| `length` | `uint8_t` | Value obtained from FuzzedDataProvider |
| `serialNoProp` | `string` | Value obtained from FuzzedDataProvider |
| `instanceName` | `string` | Value obtained from FuzzedDataProvider |
| `value` | `uint8_t` | Value obtained from FuzzedDataProvider |

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) keymint_rkpsupport_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/keymint_rkpsupport_fuzzer/keymint_rkpsupport_fuzzer
```
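
An added example, not taken from the libkeymint_support fuzzers, of the two plugin design considerations at the top of this page: every parameter is chosen from the input, and all remaining bytes are passed on without any `exit()`. `ByteSource` is a simplified stand-in for `FuzzedDataProvider`, and `ToyPadding`, `ToyDigest`, `Config`, `PickConfig` and `ToyTarget` are hypothetical names.

```cpp
// Added example: toy harness and toy target, not libkeymint_support code.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Simplified stand-in for FuzzedDataProvider (assumption): reads from the
// front, never out of bounds, and yields 0 / empty once input is exhausted.
struct ByteSource {
    const uint8_t* p_; size_t left_;
    uint8_t Byte() { if (left_ == 0) return 0; --left_; return *p_++; }
    uint32_t InRange(uint32_t lo, uint32_t hi) { return lo + Byte() % (hi - lo + 1); }
    std::string Str(uint32_t maxLen) {
        size_t n = InRange(0, maxLen);
        if (n > left_) n = left_;  // clamp a truncated string
        std::string s = n ? std::string(reinterpret_cast<const char*>(p_), n) : std::string();
        p_ += n; left_ -= n; return s;
    }
    std::vector<uint8_t> Rest() {  // hand every remaining byte to the target
        std::vector<uint8_t> v(p_, p_ + left_);
        left_ = 0;
        return v;
    }
};

enum class ToyPadding : uint32_t { kNone, kPkcs7, kOaep };    // hypothetical
enum class ToyDigest : uint32_t { kNone, kSha256, kSha512 };  // hypothetical
struct Config {
    ToyPadding padding; ToyDigest digest; uint32_t macLength;
    std::string challenge; std::vector<uint8_t> payload;
};

Config PickConfig(const uint8_t* data, size_t size) {  // no hardcoded values
    ByteSource src{data, size};
    Config c;
    c.padding = static_cast<ToyPadding>(src.InRange(0, 2));
    c.digest = static_cast<ToyDigest>(src.InRange(0, 2));
    c.macLength = src.InRange(0, 255);
    c.challenge = src.Str(32);
    c.payload = src.Rest();
    return c;
}

// Hypothetical target standing in for the library call under test.
size_t ToyTarget(const Config& c) { return c.challenge.size() + c.payload.size(); }
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    (void)ToyTarget(PickConfig(data, size));
    return 0;  // no exit() on empty or malformed input
}
```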