Merge pull request #149 from mingxguo27/mingxguo-fuzzing-mvp

Fuzzing MVP
2020-09-23 23:35:59 +02:00
parent cac713aaed e467026e6f
commit 55c9053baf
5 changed files with 145 additions and 1 deletions
--- a/.github/workflows/cargo_fmt.yml
+++ b/.github/workflows/cargo_fmt.yml
@@ -38,12 +38,18 @@ jobs:
          command: fmt
          args: --all -- --check

+      - name: Cargo format fuzz/
+        uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: --manifest-path fuzz/Cargo.toml --all -- --check
+
      - name: Cargo format libraries/cbor
        uses: actions-rs/cargo@v1
        with:
          command: fmt
          args: --manifest-path libraries/cbor/Cargo.toml --all -- --check
-          
+
      - name: Cargo format libraries/cbor/fuzz
        uses: actions-rs/cargo@v1
        with:
--- a/.github/workflows/cargo_fuzz.yml
+++ b/.github/workflows/cargo_fuzz.yml
@@ -0,0 +1,32 @@
+---
+name: Cargo fuzz build
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  build_fuzzing:
+    strategy:
+      matrix:
+        os: [ubuntu-18.04, macos-10.15]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: "true"
+      - uses: actions-rs/toolchain@v1
+        with:
+          target: thumbv7em-none-eabi
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Install Python dependencies
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Set up OpenSK
+        run: ./setup.sh
+      - name: Set up fuzzing
+        run: ./fuzzing_setup.sh
+
+      - name: Cargo fuzz build
+        run: cargo fuzz build
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,30 @@
+[package]
+name = "ctap2-fuzz"
+version = "0.0.0"
+authors = ["Automatically generated"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = { version = "0.3"}
+arrayref = "0.3.6"
+libtock_drivers = { path = "../third_party/libtock-drivers" }
+crypto = { path = "../libraries/crypto", features = ['std'] }
+cbor = { path = "../libraries/cbor" }
+
+[dependencies.ctap2]
+path = ".."
+features = ['std', 'ram_storage']
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "fuzz_target_split_assemble"
+path = "fuzz_targets/fuzz_target_split_assemble.rs"
+test = false
+doc = false
--- a/fuzz/fuzz_targets/fuzz_target_split_assemble.rs
+++ b/fuzz/fuzz_targets/fuzz_target_split_assemble.rs
@@ -0,0 +1,53 @@
+#![no_main]
+
+extern crate ctap2;
+extern crate libtock_drivers;
+#[macro_use]
+extern crate arrayref;
+
+use ctap2::ctap::hid::receive::MessageAssembler;
+use ctap2::ctap::hid::send::HidPacketIterator;
+use ctap2::ctap::hid::{HidPacket, Message};
+use libfuzzer_sys::fuzz_target;
+use libtock_drivers::timer::Timestamp;
+
+const DUMMY_TIMESTAMP: Timestamp<isize> = Timestamp::from_ms(0);
+const PACKET_TYPE_MASK: u8 = 0x80;
+
+// Converts a byte slice into Message
+fn raw_to_message(data: &[u8]) -> Message {
+    if data.len() <= 4 {
+        let mut cid = [0; 4];
+        cid[..data.len()].copy_from_slice(data);
+        Message {
+            cid,
+            cmd: 0,
+            payload: vec![],
+        }
+    } else {
+        Message {
+            cid: array_ref!(data, 0, 4).clone(),
+            cmd: data[4],
+            payload: data[5..].to_vec(),
+        }
+    }
+}
+
+/* Fuzzing HID packets splitting and assembling functions*/
+fuzz_target!(|data: &[u8]| {
+    let mut message = raw_to_message(data);
+    if let Some(hid_packet_iterator) = HidPacketIterator::new(message.clone()) {
+        let mut assembler = MessageAssembler::new();
+        let packets: Vec<HidPacket> = hid_packet_iterator.collect();
+        if let Some((last_packet, first_packets)) = packets.split_last() {
+            for packet in first_packets {
+                assert_eq!(assembler.parse_packet(packet, DUMMY_TIMESTAMP), Ok(None));
+            }
+            message.cmd &= !PACKET_TYPE_MASK;
+            assert_eq!(
+                assembler.parse_packet(last_packet, DUMMY_TIMESTAMP),
+                Ok(Some(message))
+            );
+        }
+    }
+});
--- a/fuzzing_setup.sh
+++ b/fuzzing_setup.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Ensure the script doesn't fail on Github workflows
+export TERM=${TERM:-vt100}
+done_text="$(tput bold)DONE.$(tput sgr0)"
+
+set -e
+
+# Install cargo-fuzz library.
+cargo install cargo-fuzz