android-vts internals, part 1: the vts_proto_fuzzer fuzzer
This is my first article in the android-vts series. I am writing it because there are very few articles about it, and I want to learn all of Android's fuzzing techniques. Let's begin.
Using the vts_proto_fuzzer fuzzer
vts_proto_fuzzer can run in two modes, "HAL in binder" and normal; we need to provide the .vts spec files and the target interface as arguments.
Usage: vts_proto_fuzzer <vts flags> -- <libfuzzer flags>
  vts_binder_mode: if set, fuzzer will open the HAL in binder mode.
  vts_exec_size: number of function calls per 1 run of LLVMFuzzerTestOneInput
  vts_spec_dir: ":"-separated list of directories on the target containing .vts spec files.
  vts_target_iface: name of interface targeted for fuzz, e.g. INfc
  vts_seed: optional integral argument used to initialize the random number generator
libfuzzer flags (strictly in form -flag=value):
  Use -help=1 to see libfuzzer flags
Inside the vts_proto_fuzzer core
The vts_proto_fuzzer main module
The vts_proto_fuzzer main module (ProtoFuzzerMain.cc) is built from three parts: a random number generator, a mutator and a runner. Below I analyse how each of these modules works.
random = make_unique<Random>(params.seed_);   // seeded RNG, seed taken from vts_seed
mutator = make_unique<ProtoFuzzerMutator>(
    *random.get(), ExtractPredefinedTypes(params.comp_specs_),
    mutator_config);                            // mutates ExecSpec / FuncSpec / VarInstance
runner = make_unique<ProtoFuzzerRunner>(params.comp_specs_);  // executes the call sequence against the HAL
vts_proto_fuzzer is compiled with clang's libFuzzer.
In ProtoFuzzerMain.cc we find LLVMFuzzerInitialize, LLVMFuzzerTestOneInput, LLVMFuzzerCustomCrossOver and LLVMFuzzerCustomMutator. Before reading ProtoFuzzerMain.cc I had only seen and used LLVMFuzzerTestOneInput; libFuzzer is really a great tool, and I will introduce these hooks in another blog post.
// Called once before fuzzing starts; this is where the vts flags are parsed from argv.
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
  ...
}
// Called by libFuzzer for every input: the fuzz target proper.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  ...
}
// Optional hook: combine two corpus inputs into `out`; returns the new size (at most max_out_size).
extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
                                            const uint8_t *data2, size_t size2,
                                            uint8_t *out, size_t max_out_size,
                                            unsigned int seed) {
  ...
}
// Optional hook: mutate `data` in place; returns the new size (at most max_size).
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
                                          size_t max_size, unsigned int seed) {
  ...
}
ProtoFuzzerMutator
The mutator draws on the random number generator to mutate the input, which is what drives the fuzzer forward.
Mutator work modes:
- Mutates an ExecSpec in place
- Mutates a FuncSpec
- Mutates a VarInstance
VarInstance: specifies a function argument, or an attribute in general.
ExecSpec: specifies an API call sequence.
FuncSpec: specifies a function; its members include the function name, module name, hidl_interface_id ...
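As an added example (not code from the VTS project), the C++ sketch below models both the libFuzzer hooks listed above and the three mutator modes: a toy ExecSpec made of FuncSpec calls whose arguments are VarInstance values, a seeded Random, a Mutator with one method per mode, and LLVMFuzzerCustomMutator / LLVMFuzzerCustomCrossOver / LLVMFuzzerTestOneInput that decode a byte buffer into the structured form, mutate it and re-encode it. The struct layouts, the byte format, kMaxCalls, kNumFuncs, RunExecSpec and the concrete mutation strategies are all this example's assumptions; the real fuzzer keeps the specs as protobuf messages and its runner calls into the HAL.

```cpp
// Added example: a toy model of the structured mutation vts_proto_fuzzer plugs
// into libFuzzer's custom hooks. Not the VTS sources: the real fuzzer keeps the
// specs as protobuf messages and the runner dispatches calls to a HAL over HIDL.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>
#include <vector>

struct VarInstance { uint32_t value; };                               // one argument
struct FuncSpec { uint8_t func_id; std::vector<VarInstance> args; };  // one HAL call
struct ExecSpec { std::vector<FuncSpec> calls; };                     // a call sequence

// Seeded generator filling the role of Random in ProtoFuzzerMain (hypothetical API).
class Random {
 public:
  explicit Random(unsigned seed) : gen_(seed) {}
  uint32_t operator()(uint32_t n) { return n ? gen_() % n : 0; }  // uniform in [0, n)
 private:
  std::mt19937 gen_;
};

// Stand-in for ProtoFuzzerMutator: one method per mutation mode named in the post.
// The strategies (bit flips, boundary values, insert/delete) are this example's own.
class Mutator {
 public:
  Mutator(Random& r, size_t max_calls, uint8_t num_funcs)
      : rand_(r), max_calls_(max_calls), num_funcs_(num_funcs) {}
  void MutateVarInstance(VarInstance& v) {
    static const uint32_t kBoundary[] = {0u, 1u, 0x7fffffffu, 0xffffffffu};
    if (rand_(2)) v.value ^= 1u << rand_(32);   // flip one bit
    else v.value = kBoundary[rand_(4)];         // or jump to a boundary value
  }
  void MutateFuncSpec(FuncSpec& f) {            // keep the function, mutate one argument
    if (!f.args.empty()) MutateVarInstance(f.args[rand_(f.args.size())]);
  }
  void MutateExecSpec(ExecSpec& e) {            // in place: insert, delete or edit a call
    uint32_t op = rand_(3);
    if (op == 0 && e.calls.size() < max_calls_)
      e.calls.insert(e.calls.begin() + rand_(e.calls.size() + 1), RandomFuncSpec());
    else if (op == 1 && e.calls.size() > 1)
      e.calls.erase(e.calls.begin() + rand_(e.calls.size()));
    else if (!e.calls.empty())
      MutateFuncSpec(e.calls[rand_(e.calls.size())]);
    else
      e.calls.push_back(RandomFuncSpec());
  }
  FuncSpec RandomFuncSpec() {                   // a fresh call with 0..3 random arguments
    FuncSpec f{static_cast<uint8_t>(rand_(num_funcs_)), {}};
    for (uint32_t i = rand_(4); i > 0; --i) f.args.push_back({rand_(0xffffffffu)});
    return f;
  }
 private:
  Random& rand_;
  size_t max_calls_;
  uint8_t num_funcs_;
};

// Wire format of this example (the real fuzzer uses protobuf):
// repeated { func_id: u8, nargs: u8, args: nargs x u32 little-endian }.
size_t Encode(const ExecSpec& e, uint8_t* out, size_t max_size) {
  size_t n = 0;
  for (const FuncSpec& f : e.calls) {
    if (n + 2 + 4 * f.args.size() > max_size) break;   // never overrun the buffer
    out[n++] = f.func_id;
    out[n++] = static_cast<uint8_t>(f.args.size());
    for (const VarInstance& v : f.args)
      for (int s = 0; s < 32; s += 8) out[n++] = static_cast<uint8_t>(v.value >> s);
  }
  return n;
}
ExecSpec Decode(const uint8_t* data, size_t size) {
  ExecSpec e;
  size_t i = 0;
  while (i + 2 <= size) {
    FuncSpec f{data[i], {}};
    size_t nargs = data[i + 1];
    i += 2;
    if (i + 4 * nargs > size) break;                     // truncated call: drop it
    for (size_t a = 0; a < nargs; ++a, i += 4) {
      uint32_t v = 0;
      for (int s = 0; s < 4; ++s) v |= static_cast<uint32_t>(data[i + s]) << (8 * s);
      f.args.push_back({v});
    }
    e.calls.push_back(f);
  }
  return e;
}

static const size_t kMaxCalls = 8;   // plays the role of vts_exec_size (example value)
static const uint8_t kNumFuncs = 5;  // size of the pretend interface (example value)

// libFuzzer hooks: decode bytes -> ExecSpec, mutate or cross over, re-encode.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
                                          size_t max_size, unsigned int seed) {
  Random rand(seed);
  Mutator mutator(rand, kMaxCalls, kNumFuncs);
  ExecSpec spec = Decode(data, size);
  mutator.MutateExecSpec(spec);
  return Encode(spec, data, max_size);
}
extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1,
                                            const uint8_t* data2, size_t size2,
                                            uint8_t* out, size_t max_out_size,
                                            unsigned int seed) {
  ExecSpec a = Decode(data1, size1), b = Decode(data2, size2), child;
  Random rand(seed);
  uint32_t cut = rand(static_cast<uint32_t>(a.calls.size() + 1));  // prefix of a, then all of b
  child.calls.assign(a.calls.begin(), a.calls.begin() + cut);
  child.calls.insert(child.calls.end(), b.calls.begin(), b.calls.end());
  return Encode(child, out, max_out_size);
}
// Stand-in for ProtoFuzzerRunner: the real one dispatches every FuncSpec to the
// HAL; here we only count the calls a buffer would issue.
size_t RunExecSpec(const uint8_t* data, size_t size) {
  return Decode(data, size).calls.size();
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  RunExecSpec(data, size);
  return 0;   // libFuzzer ignores the value; crashes are caught by the sanitizers
}
```

Built with clang -fsanitize=fuzzer this file links against libFuzzer, which supplies main and calls the custom mutator and cross-over hooks instead of its byte-level mutations. The point to notice is that every hook decodes to the structured form first and Decode drops any truncated trailing call, so mutations stay at the level of calls and arguments instead of corrupting the encoding, which is exactly why a protobuf-backed fuzzer like vts_proto_fuzzer bothers with custom hooks at all.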