2.5 KiB
Fuzzing
Fuzz tests use libFuzzer to test the SAPI
_Prepare
and _Complete
functions.
Building fuzz tests can be enabled using the --with-fuzzing=
option. For which
there are two possible values.
libFuzzer
libFuzzer tests can be built natively or using the docker fuzzing
target.
Natively
Build the fuzz tests by setting --with-fuzzing=libfuzzer
and statically
linking to the fuzzing TCTI.
export GEN_FUZZ=1
./bootstrap
./configure \
CC=clang \
CXX=clang++ \
--enable-debug \
--with-fuzzing=libfuzzer \
--enable-tcti-fuzzing \
--enable-tcti-device=no \
--enable-tcti-mssim=no \
--with-maxloglevel=none \
--disable-shared
make -j $(nproc) check
Run the fuzz tests by executing any binary ending in .fuzz
in test/fuzz/
.
./test/fuzz/Tss2_Sys_ZGen_2Phase_Prepare.fuzz
Docker
Build the fuzz targets and check that they work by building the fuzzing
docker
target.
docker build --target fuzzing -t tpm2-tss:fuzzing .
Run a fuzz target and mount a directory as a volume into the container where it should store its findings should it produce any.
docker run --rm -ti tpm2-tss:fuzzing \
-v "${PWD}/findings_dir":/artifacts \
./test/fuzz/Tss2_Sys_PolicyPhysicalPresence_Prepare.fuzz \
-artifact_prefix=/artifacts
OSS Fuzz
OSS fuzz integration can be found under the tpm2-tss project in OSS Fuzz.
The Dockerfile
there builds the dependencies. build.sh
Runs the compilation
as seen under the fuzzing
target of the Dockerfile
in this repo, only
--with-fuzzing=ossfuzz
.
Hacking
Currently only fuzz targets for the System API have been implemented.
TCTI
The fuzzing TCTI is used as a temporary storage location for the Data
and
Size
arguments of LLVMFuzzerTestOneInput
.
For _Complete
calls the TCTI uses Data
and Size
as the response buffer and
response size for TSS2_TCTI_RECEIVE
.
SAPI
Fuzz tests are generated via script/gen_fuzz.py
.
Setting GEN_FUZZ=1
when running bootstrap
will run script/gen_fuzz.py
.
GEN_FUZZ=1 ./bootstrap
script/gen_fuzz.py
reads the SAPI header file and generates a fuzz target for
each _Prepare
and _Complete
call using similar templates.
For _Prepare
calls the fuzz_fill
function in the fuzzing TCTI will fill each
TPM2 structure used can copy from LLVMFuzzerTestOneInput
's Data
into it.