FAPI: Enable usage of AFL Fuzzer for IMA and system events.

* Two unit tests which can be used for fuzzing were added. * Scripts to start AFL fuzzin were added: afl-fuzzing/fuzz-system.sh afl-fuzzing/fuzz-ima.sh * The tests can be started if afl++ is installed. * The tests are not integrated into the CI because of the long run time * If crashes are detected the unit tests can be used for debugging with the crash file in findings-system/crashes or finding-ima/crashes: ./test/unit/fapi-{ima,sysem}-fuzzing <crash-file> Signed-off-by: Juergen Repp <juergen_repp@web.de>
tpm2-software · Oct 28, 2022 · b8efde2 · b8efde2
1 parent 0817977
commit b8efde2
Show file tree

Hide file tree

Showing 6 changed files with 246 additions and 0 deletions.
diff --git a/Makefile-test.am b/Makefile-test.am
@@ -941,6 +941,53 @@ test_unit_fapi_check_ima_log_SOURCES = test/unit/fapi-check-ima-log.c \
                                   src/tss2-fapi/ifapi_eventlog_system.c\
                                   src/tss2-fapi/ifapi_keystore.c  \
                                   src/tss2-fapi/ifapi_io.c
+
+test_unit_fapi_ima_fuzzing_CFLAGS = $(CMOCKA_CFLAGS) $(TESTS_CFLAGS)
+test_unit_fapi_ima_fuzzing_CXXFLAGS = $(CMOCKA_CFLAGS) $(TESTS_CFLAGS)
+test_unit_fapi_ima_fuzzing_LDADD = $(CMOCKA_LIBS)  $(TESTS_LDADD)
+test_unit_fapi_ima_fuzzing_LDFLAGS = $(TESTS_LDFLAGS) $(JSONC_LIBS) $(CURL_LIBS) $(UUID_LIBS)
+
+test_unit_fapi_ima_fuzzing_SOURCES = test/unit/fapi-ima-fuzzing.c \
+                         src/tss2-fapi/ifapi_ima_eventlog.c \
+                         src/tss2-fapi/ifapi_json_deserialize.c \
+                         src/tss2-fapi/ifapi_json_serialize.c \
+                         src/tss2-fapi/ifapi_policy_json_deserialize.c \
+                         src/tss2-fapi/ifapi_policy_json_serialize.c \
+                         src/tss2-fapi/tpm_json_deserialize.c \
+                         src/tss2-fapi/tpm_json_serialize.c \
+                         src/tss2-fapi/ifapi_json_eventlog_serialize.c \
+                         src/tss2-fapi/fapi_crypto.c \
+                         src/tss2-fapi/ifapi_eventlog.c \
+                         src/tss2-fapi/ifapi_helpers.c \
+                         src/tss2-fapi/ifapi_eventlog_system.c\
+                         src/tss2-fapi/ifapi_keystore.c  \
+                         src/tss2-fapi/ifapi_io.c
+
+noinst_PROGRAMS += test/unit/fapi-ima-fuzzing
+
+test_unit_fapi_system_fuzzing_CFLAGS = $(CMOCKA_CFLAGS) $(TESTS_CFLAGS)
+test_unit_fapi_system_fuzzing_CXXFLAGS = $(CMOCKA_CFLAGS) $(TESTS_CFLAGS)
+test_unit_fapi_system_fuzzing_LDADD = $(CMOCKA_LIBS)  $(TESTS_LDADD)
+test_unit_fapi_system_fuzzing_LDFLAGS = $(TESTS_LDFLAGS) $(JSONC_LIBS) $(CURL_LIBS) $(UUID_LIBS)
+
+test_unit_fapi_system_fuzzing_SOURCES = test/unit/fapi-system-fuzzing.c \
+                          src/tss2-fapi/ifapi_json_eventlog_serialize.c \
+                          src/tss2-fapi/ifapi_ima_eventlog.c \
+                          src/tss2-fapi/ifapi_eventlog_system.c \
+                          src/tss2-fapi/ifapi_json_deserialize.c \
+                          src/tss2-fapi/ifapi_json_serialize.c \
+                          src/tss2-fapi/ifapi_policy_json_deserialize.c \
+                          src/tss2-fapi/ifapi_policy_json_serialize.c \
+                          src/tss2-fapi/tpm_json_deserialize.c \
+                          src/tss2-fapi/tpm_json_serialize.c \
+                          src/tss2-fapi/fapi_crypto.c \
+                          src/tss2-fapi/ifapi_eventlog.c \
+                          src/tss2-fapi/ifapi_helpers.c\
+                          src/tss2-fapi/ifapi_keystore.c  \
+                          src/tss2-fapi/ifapi_io.c
+
+noinst_PROGRAMS += test/unit/fapi-system-fuzzing
+
 endif # FAPI
 
 if POLICY

diff --git a/afl-fuzzing/README.md b/afl-fuzzing/README.md
@@ -0,0 +1,16 @@
+ # Usage of AFL Fuzzing for IMA and system events.
+
+* afl++ has to be be installed.
+* AFL Fuzzing can be started with the following scripts:
+  ```
+  $ ./afl-fuzzing/fuzz-system.sh
+  $ ./afl-fuzzing/fuzz-ima.sh
+  ```
+* The results and the files leading to crashes are stored in findings-{ima,system}
+* The tests are not integrated into the CI because of the long
+  run time
+* If crashes are detected the unit tests can be used for debugging
+  with the crash file in findings-system/crashes or finding-ima/crashes:
+  ```
+  $ ./test/unit/fapi-{ima,sysem}-fuzzing <crash-file>
+  ```
diff --git a/afl-fuzzing/fuzz-ima.sh b/afl-fuzzing/fuzz-ima.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-2-Clause
+#set -x
+export srcdir=$(pwd)
+
+function stop() {
+    killall afl-fuzz
+    }
+
+
+trap stop
+
+mkdir -p afl-fuzzing/ima-sml
+for x in sml-ima-ng-sha1.b64  sml-ima-sha1.b64  sml-ima-sha1-invalidated.b64  sml-ima-sig-sha256.b64  sml-ima-sig-sha256-invalidated.b64
+do
+    base64 -d test/data/fapi/eventlog/$x > afl-fuzzing/ima-sml/${x%.b64}.bin
+done
+
+afl-clang-fast -flto -o fapi-ima-fuzzing test/unit/fapi-ima-fuzzing.c \
+               src/tss2-fapi/ifapi_ima_eventlog.c \
+               src/tss2-fapi/ifapi_json_deserialize.c \
+               src/tss2-fapi/ifapi_json_serialize.c \
+               src/tss2-fapi/ifapi_policy_json_deserialize.c \
+               src/tss2-fapi/ifapi_policy_json_serialize.c \
+               src/tss2-fapi/tpm_json_deserialize.c \
+               src/tss2-fapi/tpm_json_serialize.c \
+               src/tss2-fapi/ifapi_json_eventlog_serialize.c \
+               src/tss2-fapi/fapi_crypto.c \
+               src/tss2-fapi/ifapi_eventlog.c \
+               src/tss2-fapi/ifapi_helpers.c \
+               src/tss2-fapi/ifapi_eventlog_system.c\
+               src/tss2-fapi/ifapi_keystore.c  \
+               src/tss2-fapi/ifapi_io.c \
+               src/util/log.c \
+               -DHAVE_CONFIG_H -I${srcdir} -I${srcdir}/include -I${srcdir}/src \
+               -I${srcdir}/include -I${srcdir}/include/tss2 \
+               -I${srcdir}/src/util -I${srcdir}/src/tss2-mu \
+               -I${srcdir}/src/tss2-sys -I${srcdir}/src/tss2-esys \
+               -I${srcdir}/src/tss2-fapi \
+               -I${srcdir}/test/data \
+               -Wno-unused-parameter -Wno-missing-field-initializers \
+               -lcrypto -ljson-c
+
+rm -r -f findings-ima
+AFL_SKIP_CPUFREQ=1 afl-fuzz -M fuzz0 -iafl-fuzzing/ima-sml/ -ofindings-ima ./fapi-ima-fuzzing @@ &
+
+if [ ! -z "$1" ]; then
+    for i in $(seq $1)
+    do
+        AFL_SKIP_CPUFREQ=1 afl-fuzz -S fuzz${i} -iafl-fuzzing/ima-sml -ofindings-ima ./fapi-ima-fuzzing @@ > /dev/null &
+    done
+fi
+wait
+cat findings-ima/fuzz*/fuzzer_stats | grep uniq
diff --git a/afl-fuzzing/fuzz-system.sh b/afl-fuzzing/fuzz-system.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-2-Clause
+#set -x
+export srcdir=$(pwd)
+
+trap killall afl-fuzz
+
+mkdir -p afl-fuzzing/system-events
+for x in binary_measurements_nuc.b64  binary_measurements_pc_client.b64
+do
+    base64 -d test/data/fapi/eventlog/$x > afl-fuzzing/system-events/${x%.b64}.bin
+done
+
+afl-clang-fast -flto -o fapi-system-fuzzing \
+               test/unit/fapi-system-fuzzing.c \
+               src/tss2-fapi/ifapi_json_eventlog_serialize.c \
+               src/tss2-fapi/ifapi_ima_eventlog.c \
+               src/tss2-fapi/ifapi_eventlog_system.c \
+               src/tss2-fapi/ifapi_json_deserialize.c \
+               src/tss2-fapi/ifapi_json_serialize.c \
+               src/tss2-fapi/ifapi_policy_json_deserialize.c \
+               src/tss2-fapi/ifapi_policy_json_serialize.c \
+               src/tss2-fapi/tpm_json_deserialize.c \
+               src/tss2-fapi/tpm_json_serialize.c \
+               src/tss2-fapi/fapi_crypto.c \
+               src/tss2-fapi/ifapi_eventlog.c \
+               src/tss2-fapi/ifapi_helpers.c\
+               src/tss2-fapi/ifapi_keystore.c  \
+               src/tss2-fapi/ifapi_io.c \
+               src/util/log.c \
+               -DHAVE_CONFIG_H -I${srcdir} -I${srcdir}/include \
+               -I${srcdir}/src -I${srcdir}/include \
+               -I${srcdir}/include/tss2   -I${srcdir}/src/util -I${srcdir}/src/tss2-mu \
+               -I${srcdir}/src/tss2-sys -I${srcdir}/src/tss2-esys -I${srcdir}/src/tss2-fapi \
+               -I${srcdir}/test/data -Wno-unused-parameter -Wno-missing-field-initializers \
+               -ljson-c -lcrypto -luuid
+
+rm -r -f findings-system
+AFL_SKIP_CPUFREQ=1 afl-fuzz -M fuzz0 -iafl-fuzzing/system-events/ -ofindings-system ./fapi-system-fuzzing @@ &
+
+if [ ! -z "$1" ]; then
+    for i in $(seq $1)
+    do
+        AFL_SKIP_CPUFREQ=1 afl-fuzz -S fuzz${i} -iafl-fuzzing/system-events -ofindings-system ./fapi-system-fuzzing @@ > /dev/null &
+    done
+fi
+wait
+cat findings-system/fuzz*/fuzzer_stats | grep uniq
diff --git a/test/unit/fapi-ima-fuzzing.c b/test/unit/fapi-ima-fuzzing.c
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdarg.h>
+#include <inttypes.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <json-c/json_util.h>
+#include <json-c/json_tokener.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "tss2_fapi.h"
+#include "ifapi_eventlog.h"
+#include "ifapi_ima_eventlog.h"
+#include "fapi_policy.h"
+
+#include "util/aux_util.h"
+
+#define LOGMODULE tests
+#include "util/log.h"
+
+int
+main(int argc, char *argv[])
+{
+    uint32_t pcr_list[1] = { 10 };
+    json_object *json_event_list = NULL;
+    TSS2_RC r;
+
+    r = ifapi_read_ima_event_log(argv[1], &pcr_list[0], 1, &json_event_list);
+    UNUSED(r);
+}
diff --git a/test/unit/fapi-system-fuzzing.c b/test/unit/fapi-system-fuzzing.c
@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdarg.h>
+#include <inttypes.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <json-c/json_util.h>
+#include <json-c/json_tokener.h>
+
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "tss2_fapi.h"
+#include "tpm_json_serialize.h"
+#include "ifapi_json_eventlog_serialize.h"
+#include "ifapi_json_eventlog_deserialize.h"
+#include "ifapi_eventlog.h"
+#include "tpm_json_deserialize.h"
+#include "ifapi_json_serialize.h"
+#include "ifapi_json_deserialize.h"
+#include "fapi_policy.h"
+
+#include "util/aux_util.h"
+
+#define LOGMODULE tests
+#include "util/log.h"
+
+int
+main(int argc, char *argv[])
+{
+    uint32_t pcr_list[9] = { 0, 1, 2, 3, 4, 5, 6, 7, 8 };
+    size_t pcr_list_size = 9;
+
+    json_object *json_event_list = NULL;
+    TSS2_RC r;
+
+    r = ifapi_get_tcg_firmware_event_list(argv[1], pcr_list, pcr_list_size, &json_event_list);
+    UNUSED(r);
+}