Add fuzz tests for the automotive example

kyakdan · kyakdan · commit 40c1dde50e91 · 2023-12-17T17:16:31.000+01:00
diff --git a/src/automotive/CMakeLists.txt b/src/automotive/CMakeLists.txt
@@ -11,4 +11,13 @@ target_include_directories(automotive PUBLIC
     ${CMAKE_CURRENT_SOURCE_DIR}/gps
     ${CMAKE_CURRENT_SOURCE_DIR}/key_management
     ${CMAKE_CURRENT_SOURCE_DIR}/time
-)
+)
+
+add_fuzz_test(automotive_fuzzer
+    fuzz_test.cpp
+    mocks.cpp
+)
+
+target_link_libraries(automotive_fuzzer
+    automotive
+)
diff --git a/src/automotive/fuzz_test.cpp b/src/automotive/fuzz_test.cpp
@@ -0,0 +1,209 @@
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <cifuzz/cifuzz.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "crypto_1.h"
+#include "crypto_2.h"
+#include "gps_1.h"
+#include "key_management_1.h"
+#include "time_1.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+void SetFDP(FuzzedDataProvider *fuzzed_data_provider);
+FuzzedDataProvider *GetFDP();
+void ConsumeDataAndFillRestWithZeros(void *destination, size_t num_bytes);
+
+FUZZ_TEST_SETUP() {}
+
+FUZZ_TEST(const uint8_t *data, size_t size) {
+
+  // Ensure a minimum data length
+  if (size < 100)
+    return;
+
+  // Setup FuzzedDataProvider and initialize the mocklib
+  FuzzedDataProvider fdp(data, size);
+  SetFDP(&fdp);
+
+  int number_of_functions = GetFDP()->ConsumeIntegralInRange<int>(1, 100);
+  for (int i = 0; i < number_of_functions; i++) {
+    int function_id = GetFDP()->ConsumeIntegralInRange<int>(0, 15);
+    switch (function_id) {
+
+    case 0: {
+      crypto_get_state();
+      break;
+    }
+
+    case 1: {
+      get_destination_position();
+      break;
+    }
+
+    case 2: {
+      crypto_key key = {};
+      ConsumeDataAndFillRestWithZeros(key.key, 64);
+
+      crypto_verify_key(key);
+      break;
+    }
+
+    case 3: {
+      current_time();
+      break;
+    }
+
+    case 4: {
+      crypto_nonce nonce_tmp = {};
+      ConsumeDataAndFillRestWithZeros(nonce_tmp.nonce, 64);
+      nonce_tmp.time_of_creation = GetFDP()->ConsumeIntegral<int>();
+      crypto_nonce *nonce = &nonce_tmp;
+
+      crypto_verify_nonce(nonce);
+      break;
+    }
+
+    case 5: {
+      std::vector<uint8_t> message_vec = GetFDP()->ConsumeBytes<uint8_t>(
+          sizeof(uint8_t) * GetFDP()->ConsumeIntegral<uint16_t>());
+      const uint8_t *message = (const uint8_t *)message_vec.data();
+
+      // The parameter "len" seems to represent the length of a buffer/array. In
+      // this case, we usually don't want to provide fuzzer-generated lengths
+      // that differ from the actual length of the buffer. If you confirm that
+      // the parameter is a length parameter, you can get the length of the
+      // fuzzer-generated buffer as follows (replace "buffer" with the actual
+      // variable):
+      //     int len = buffer.size();
+      int len = message_vec.size();
+      crypto_hmac hmac_tmp = {};
+      ConsumeDataAndFillRestWithZeros(hmac_tmp.hmac, 64);
+      crypto_hmac *hmac = &hmac_tmp;
+
+      crypto_verify_hmac(message, len, hmac);
+      break;
+    }
+
+    case 6: {
+      crypto_nonce nonce = {};
+      ConsumeDataAndFillRestWithZeros(nonce.nonce, 64);
+      nonce.time_of_creation = GetFDP()->ConsumeIntegral<int>();
+
+      crypto_set_nonce(nonce);
+      break;
+    }
+
+    case 7: {
+      std::vector<uint8_t> message_vec = GetFDP()->ConsumeBytes<uint8_t>(
+          sizeof(uint8_t) * GetFDP()->ConsumeIntegral<uint16_t>());
+      const uint8_t *message = (const uint8_t *)message_vec.data();
+
+      // The parameter "len" seems to represent the length of a buffer/array. In
+      // this case, we usually don't want to provide fuzzer-generated lengths
+      // that differ from the actual length of the buffer. If you confirm that
+      // the parameter is a length parameter, you can get the length of the
+      // fuzzer-generated buffer as follows (replace "buffer" with the actual
+      // variable):
+      //     int len = buffer.size();
+      int len = message_vec.size();
+      crypto_hmac hmac_tmp = {};
+      ConsumeDataAndFillRestWithZeros(hmac_tmp.hmac, 64);
+      crypto_hmac *hmac = &hmac_tmp;
+
+      crypto_calculate_hmac(message, len, hmac);
+      break;
+    }
+
+    case 8: {
+      GPS_position position = {};
+      position.longitude_degree = GetFDP()->ConsumeIntegral<uint8_t>();
+      position.longitude_minute = GetFDP()->ConsumeIntegral<uint8_t>();
+      position.longitude_second = GetFDP()->ConsumeIntegral<uint8_t>();
+      position.latitude_degree = GetFDP()->ConsumeIntegral<uint8_t>();
+      position.latitude_minute = GetFDP()->ConsumeIntegral<uint8_t>();
+      position.latitude_second = GetFDP()->ConsumeIntegral<uint8_t>();
+
+      set_destination_postition(position);
+      break;
+    }
+
+    case 9: {
+      crypto_key key = {};
+      ConsumeDataAndFillRestWithZeros(key.key, 64);
+
+      crypto_set_key(key);
+      break;
+    }
+
+    case 10: {
+      GPS_position position_tmp = {};
+      position_tmp.longitude_degree = GetFDP()->ConsumeIntegral<uint8_t>();
+      position_tmp.longitude_minute = GetFDP()->ConsumeIntegral<uint8_t>();
+      position_tmp.longitude_second = GetFDP()->ConsumeIntegral<uint8_t>();
+      position_tmp.latitude_degree = GetFDP()->ConsumeIntegral<uint8_t>();
+      position_tmp.latitude_minute = GetFDP()->ConsumeIntegral<uint8_t>();
+      position_tmp.latitude_second = GetFDP()->ConsumeIntegral<uint8_t>();
+      GPS_position *position = &position_tmp;
+
+      get_current_position(position);
+      break;
+    }
+
+    case 11: {
+      init_crypto_module();
+      break;
+    }
+
+    case 12: {
+      std::vector<uint8_t> key_vec = GetFDP()->ConsumeBytes<uint8_t>(
+          sizeof(uint8_t) * GetFDP()->ConsumeIntegral<uint16_t>());
+      uint8_t *key = (uint8_t *)key_vec.data();
+
+      // The parameter "length" seems to represent the length of a buffer/array.
+      // In this case, we usually don't want to provide fuzzer-generated lengths
+      // that differ from the actual length of the buffer. If you confirm that
+      // the parameter is a length parameter, you can get the length of the
+      // fuzzer-generated buffer as follows (replace "buffer" with the actual
+      // variable):
+      //     uint8_t length = buffer.size();
+      uint8_t length = key_vec.size();
+
+      key_management_create_key(key, length);
+      break;
+    }
+
+    case 13: {
+      std::vector<uint8_t> nonce_vec = GetFDP()->ConsumeBytes<uint8_t>(
+          sizeof(uint8_t) * GetFDP()->ConsumeIntegral<uint16_t>());
+      uint8_t *nonce = (uint8_t *)nonce_vec.data();
+
+      // The parameter "length" seems to represent the length of a buffer/array.
+      // In this case, we usually don't want to provide fuzzer-generated lengths
+      // that differ from the actual length of the buffer. If you confirm that
+      // the parameter is a length parameter, you can get the length of the
+      // fuzzer-generated buffer as follows (replace "buffer" with the actual
+      // variable):
+      //     uint8_t length = buffer.size();
+      uint8_t length = nonce_vec.size();
+
+      key_management_create_nonce(nonce, length);
+      break;
+    }
+
+    case 14: {
+      crypto_init();
+      break;
+    }
+    }
+  }
+}
diff --git a/src/automotive/mocks.cpp b/src/automotive/mocks.cpp
@@ -0,0 +1,83 @@
+
+#include <cstdint>
+#include <iomanip>
+#include <iostream>
+#include <vector>
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "crypto_1.h"
+#include "gps_1.h"
+#include "key_management_1.h"
+#include "time_1.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+static FuzzedDataProvider *gFDP;
+
+// This function received the fuzzer generated data from the fuzz target.
+// It needs to be called at the beginning of the LLVMFuzzerTestOneInput
+// function.
+void SetFDP(FuzzedDataProvider *fuzzed_data_provider) {
+  gFDP = fuzzed_data_provider;
+}
+
+FuzzedDataProvider *GetFDP() { return gFDP; }
+
+// Wrapper function for FuzzedDataProvider.h
+// Writes |num_bytes| of input data to the given destination pointer. If there
+// is not enough data left, writes all remaining bytes and fills the rest with
+// zeros. Return value is the number of bytes written.
+void ConsumeDataAndFillRestWithZeros(void *destination, size_t num_bytes) {
+  if (destination != nullptr) {
+    size_t num_consumed_bytes = GetFDP()->ConsumeData(destination, num_bytes);
+    if (num_bytes > num_consumed_bytes) {
+      size_t num_zero_bytes = num_bytes - num_consumed_bytes;
+      std::memset((char *)destination + num_consumed_bytes, 0, num_zero_bytes);
+    }
+  }
+}
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int driver_get_current_time() {
+  int cifuzz_var_0 = GetFDP()->ConsumeIntegral<int>();
+  return cifuzz_var_0;
+}
+
+uint8_t GPS_driver_obtain_current_position(uint8_t *position_as_bytes,
+                                           uint8_t *hmac_as_bytes) {
+  unsigned int position_as_bytes_length = 12;
+  ConsumeDataAndFillRestWithZeros((void *)position_as_bytes,
+                                  position_as_bytes_length);
+  unsigned int hmac_as_bytes_length = 64;
+  ConsumeDataAndFillRestWithZeros((void *)hmac_as_bytes, hmac_as_bytes_length);
+  uint8_t cifuzz_var_1 = GetFDP()->ConsumeIntegral<uint8_t>();
+  return cifuzz_var_1;
+}
+
+uint8_t HSM_get_random_byte() {
+  uint8_t cifuzz_var_2 = GetFDP()->ConsumeIntegral<uint8_t>();
+  return cifuzz_var_2;
+}
+
+uint8_t third_party_library_calc_hmac(const uint8_t *message, int len,
+                                      const char *key, const char *nonce,
+                                      uint8_t *hmac) {
+  unsigned int hmac_length = 64;
+  ConsumeDataAndFillRestWithZeros((void *)hmac, hmac_length);
+  uint8_t cifuzz_var_3 = GetFDP()->ConsumeIntegral<uint8_t>();
+  return cifuzz_var_3;
+}
+
+#ifdef __cplusplus
+}
+#endif
