FAPI: Enable usage of AFL Fuzzer for IMA and system events.
* Two unit tests which can be used for fuzzing were added. * Scripts to start AFL fuzzing were added: afl-fuzzing/fuzz-system.sh afl-fuzzing/fuzz-ima.sh * The tests can be started if afl++ is installed. * The tests are not integrated into the CI because of the long run time. * If crashes are detected, the unit tests can be used for debugging with the crash file in findings-system/crashes or findings-ima/crashes: ./test/unit/fapi-{ima,system}-fuzzing <crash-file> Signed-off-by: Juergen Repp <juergen_repp@web.de>
1 parent
0817977
commit b8efde2
Showing
6 changed files
with
246 additions
and
0 deletions.
@@ -0,0 +1,16 @@ | ||
# Usage of AFL Fuzzing for IMA and system events. | ||
|
||
* afl++ has to be be installed. | ||
* AFL Fuzzing can be started with the following scripts: | ||
``` | ||
$ ./afl-fuzzing/fuzz-system.sh | ||
$ ./afl-fuzzing/fuzz-ima.sh | ||
``` | ||
* The results and the files leading to crashes are stored in findings-{ima,system} | ||
* The tests are not integrated into the CI because of the long | ||
run time | ||
* If crashes are detected the unit tests can be used for debugging | ||
with the crash file in findings-system/crashes or finding-ima/crashes: | ||
``` | ||
$ ./test/unit/fapi-{ima,sysem}-fuzzing <crash-file> | ||
``` |
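--- a/afl-fuzzing/fuzz-ima.sh
+++ b/afl-fuzzing/fuzz-ima.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-2-Clause
+#set -x
+export srcdir=$(pwd)
+
+function stop() {
+killall afl-fuzz
+}
+
+
+trap stop
+
+mkdir -p afl-fuzzing/ima-sml
+for x in sml-ima-ng-sha1.b64 sml-ima-sha1.b64 sml-ima-sha1-invalidated.b64 sml-ima-sig-sha256.b64 sml-ima-sig-sha256-invalidated.b64
+do
+base64 -d test/data/fapi/eventlog/$x > afl-fuzzing/ima-sml/${x%.b64}.bin
+done
+
+afl-clang-fast -flto -o fapi-ima-fuzzing test/unit/fapi-ima-fuzzing.c \
+src/tss2-fapi/ifapi_ima_eventlog.c \
+src/tss2-fapi/ifapi_json_deserialize.c \
+src/tss2-fapi/ifapi_json_serialize.c \
+src/tss2-fapi/ifapi_policy_json_deserialize.c \
+src/tss2-fapi/ifapi_policy_json_serialize.c \
+src/tss2-fapi/tpm_json_deserialize.c \
+src/tss2-fapi/tpm_json_serialize.c \
+src/tss2-fapi/ifapi_json_eventlog_serialize.c \
+src/tss2-fapi/fapi_crypto.c \
+src/tss2-fapi/ifapi_eventlog.c \
+src/tss2-fapi/ifapi_helpers.c \
+src/tss2-fapi/ifapi_eventlog_system.c\
+src/tss2-fapi/ifapi_keystore.c \
+src/tss2-fapi/ifapi_io.c \
+src/util/log.c \
+-DHAVE_CONFIG_H -I${srcdir} -I${srcdir}/include -I${srcdir}/src \
+-I${srcdir}/include -I${srcdir}/include/tss2 \
+-I${srcdir}/src/util -I${srcdir}/src/tss2-mu \
+-I${srcdir}/src/tss2-sys -I${srcdir}/src/tss2-esys \
+-I${srcdir}/src/tss2-fapi \
+-I${srcdir}/test/data \
+-Wno-unused-parameter -Wno-missing-field-initializers \
+-lcrypto -ljson-c
+
+rm -r -f findings-ima
+AFL_SKIP_CPUFREQ=1 afl-fuzz -M fuzz0 -iafl-fuzzing/ima-sml/ -ofindings-ima ./fapi-ima-fuzzing @@ &
+
+if [ ! -z "$1" ]; then
+for i in $(seq $1)
+do
+AFL_SKIP_CPUFREQ=1 afl-fuzz -S fuzz${i} -iafl-fuzzing/ima-sml -ofindings-ima ./fapi-ima-fuzzing @@ > /dev/null &
+done
+fi
+wait
+cat findings-ima/fuzz*/fuzzer_stats | grep uniq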
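Review bot: `trap stop` names no signal, so bash parses `stop` as the signal specification, installs no handler, and the cleanup never runs when the script is interrupted. It should read `trap stop INT TERM`. The same applies to `trap killall afl-fuzz` in the system-events script, which needs the command quoted and a signal list: `trap 'killall afl-fuzz' INT TERM`. In both scripts `killall afl-fuzz` also ends every afl-fuzz process the user owns, including unrelated campaigns on a shared fuzzing host; `kill $(jobs -p)` would limit it to the instances this script started.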
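--- a/afl-fuzzing/fuzz-system.sh
+++ b/afl-fuzzing/fuzz-system.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-License-Identifier: BSD-2-Clause
+#set -x
+export srcdir=$(pwd)
+
+trap killall afl-fuzz
+
+mkdir -p afl-fuzzing/system-events
+for x in binary_measurements_nuc.b64 binary_measurements_pc_client.b64
+do
+base64 -d test/data/fapi/eventlog/$x > afl-fuzzing/system-events/${x%.b64}.bin
+done
+
+afl-clang-fast -flto -o fapi-system-fuzzing \
+test/unit/fapi-system-fuzzing.c \
+src/tss2-fapi/ifapi_json_eventlog_serialize.c \
+src/tss2-fapi/ifapi_ima_eventlog.c \
+src/tss2-fapi/ifapi_eventlog_system.c \
+src/tss2-fapi/ifapi_json_deserialize.c \
+src/tss2-fapi/ifapi_json_serialize.c \
+src/tss2-fapi/ifapi_policy_json_deserialize.c \
+src/tss2-fapi/ifapi_policy_json_serialize.c \
+src/tss2-fapi/tpm_json_deserialize.c \
+src/tss2-fapi/tpm_json_serialize.c \
+src/tss2-fapi/fapi_crypto.c \
+src/tss2-fapi/ifapi_eventlog.c \
+src/tss2-fapi/ifapi_helpers.c\
+src/tss2-fapi/ifapi_keystore.c \
+src/tss2-fapi/ifapi_io.c \
+src/util/log.c \
+-DHAVE_CONFIG_H -I${srcdir} -I${srcdir}/include \
+-I${srcdir}/src -I${srcdir}/include \
+-I${srcdir}/include/tss2 -I${srcdir}/src/util -I${srcdir}/src/tss2-mu \
+-I${srcdir}/src/tss2-sys -I${srcdir}/src/tss2-esys -I${srcdir}/src/tss2-fapi \
+-I${srcdir}/test/data -Wno-unused-parameter -Wno-missing-field-initializers \
+-ljson-c -lcrypto -luuid
+
+rm -r -f findings-system
+AFL_SKIP_CPUFREQ=1 afl-fuzz -M fuzz0 -iafl-fuzzing/system-events/ -ofindings-system ./fapi-system-fuzzing @@ &
+
+if [ ! -z "$1" ]; then
+for i in $(seq $1)
+do
+AFL_SKIP_CPUFREQ=1 afl-fuzz -S fuzz${i} -iafl-fuzzing/system-events -ofindings-system ./fapi-system-fuzzing @@ > /dev/null &
+done
+fi
+wait
+cat findings-system/fuzz*/fuzzer_stats | grep uniq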
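Review bot: The result of the `afl-clang-fast` build is never checked, yet `rm -r -f findings-system` always runs next, so after a failed compile the script deletes earlier crash inputs and starts `afl-fuzz` against a stale or missing `./fapi-system-fuzzing`. Adding `set -e` under the commented-out `#set -x`, or ending the compile command with `|| exit 1`, stops the script before anything is removed. The IMA script has the same sequence around `rm -r -f findings-ima`. The target is also built without a sanitizer, so parser memory errors that do not fault would go unreported; setting AFL++'s `AFL_USE_ASAN=1` for the build is the usual way to surface them.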
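--- a/test/unit/fapi-ima-fuzzing.c
+++ b/test/unit/fapi-ima-fuzzing.c
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdarg.h>
+#include <inttypes.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <json-c/json_util.h>
+#include <json-c/json_tokener.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "tss2_fapi.h"
+#include "ifapi_eventlog.h"
+#include "ifapi_ima_eventlog.h"
+#include "fapi_policy.h"
+
+#include "util/aux_util.h"
+
+#define LOGMODULE tests
+#include "util/log.h"
+
+int
+main(int argc, char *argv[])
+{
+uint32_t pcr_list[1] = { 10 };
+json_object *json_event_list = NULL;
+TSS2_RC r;
+
+r = ifapi_read_ima_event_log(argv[1], &pcr_list[0], 1, &json_event_list);
+UNUSED(r);
+}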
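Review bot: `main` passes `argv[1]` to `ifapi_read_ima_event_log` without checking `argc`, so running the harness without a file argument hands the parser a NULL path; a guard such as `if (argc < 2) return 1;` before the call avoids that. `json_event_list` is also never released, which a leak-checking sanitizer build would presumably report on every successfully parsed input and drown out real findings; `json_object_put(json_event_list);` after the call fixes it. Both points apply equally to the system-events harness, which calls `ifapi_get_tcg_firmware_event_list` the same way.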
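--- a/test/unit/fapi-system-fuzzing.c
+++ b/test/unit/fapi-system-fuzzing.c
@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdarg.h>
+#include <inttypes.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <json-c/json_util.h>
+#include <json-c/json_tokener.h>
+
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "tss2_fapi.h"
+#include "tpm_json_serialize.h"
+#include "ifapi_json_eventlog_serialize.h"
+#include "ifapi_json_eventlog_deserialize.h"
+#include "ifapi_eventlog.h"
+#include "tpm_json_deserialize.h"
+#include "ifapi_json_serialize.h"
+#include "ifapi_json_deserialize.h"
+#include "fapi_policy.h"
+
+#include "util/aux_util.h"
+
+#define LOGMODULE tests
+#include "util/log.h"
+
+int
+main(int argc, char *argv[])
+{
+uint32_t pcr_list[9] = { 0, 1, 2, 3, 4, 5, 6, 7, 8 };
+size_t pcr_list_size = 9;
+
+json_object *json_event_list = NULL;
+TSS2_RC r;
+
+r = ifapi_get_tcg_firmware_event_list(argv[1], pcr_list, pcr_list_size, &json_event_list);
+UNUSED(r);
+}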
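Review bot: `pcr_list_size` repeats the literal 9 from the `pcr_list` declaration, so the two can drift apart if a PCR is added or removed; deriving it as `size_t pcr_list_size = sizeof(pcr_list) / sizeof(pcr_list[0]);` keeps them in step. The `<setjmp.h>` and `<cmocka.h>` includes look unused here, since `main` runs no cmocka test group, and dropping them would let the fuzz build work without cmocka headers installed. A one-line comment above `main` stating that `argv[1]` is the event-log file supplied by afl-fuzz through `@@` would make the harness's calling convention clear to someone replaying a crash file.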