Project author: cfanatic

Project description:
Fuzz testing suite for the GENIVI/vsomeip library
Language: C++
Project URL: git://github.com/cfanatic/vsomeip-fuzzing.git
Created: 2020-07-09T08:05:30Z
Project community: https://github.com/cfanatic/vsomeip-fuzzing

License: MIT License



vsomeip-fuzzing

This repository hosts a fuzzing environment for a SOME/IP implementation developed by BMW AG.

In the automotive industry, the SOME/IP protocol is used for Ethernet-based communication. Its use will keep growing, since self-driving cars record large amounts of data that must be exchanged between sensors, actuators and control units in real time. A robust protocol implementation is key to secure and safe vehicle operation.

The following targets are implemented on their respective branches:

According to Wikipedia:

Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

Requirements

Developed and tested on the following setup:

  • macOS 10.15.5
  • vsomeip 3.1.14
  • boost 1.65.1
  • docker 2.3.0.3

Setup

Build the vsomeip library and the fuzzing target:

  docker build -t vsomeip-fuzzing .

Run a detached container:

  docker run -t -d --name vsomeip-fuzz vsomeip-fuzzing bash

Fuzzing

Perform a fuzz session for 10 seconds:

  docker exec -it vsomeip-fuzz ../misc/runtime.sh -fuzz 10

Create a coverage report of the fuzz session:

  docker exec -it vsomeip-fuzz ../misc/runtime.sh -report
  docker cp vsomeip-fuzz:/src/vsomeip-fuzzing/build/afl_output .

Open afl_output/cov/web/src/vsomeip-fuzzing/index.html, and review the coverage results.

Instrumentation

Before starting long fuzzing sessions, you might want to verify that AFL++ actually catches crashes inside the vsomeip library.
To do so, add the following code to vsomeip/implementation/logger/src/message.cpp. It dereferences a null pointer (a segmentation fault, not a C++ exception) whenever the fuzzed payload in buffer_ is equal to one of the items in vector v:

  // Requires <algorithm>, <string> and <vector> to be included in message.cpp.
  #ifdef CRASH_LIBRARY
  if (level_ == level_e::LL_FATAL) {
      // Canary payloads: any of these must make the library crash.
      std::vector<std::string> v = {"Hello", "hullo", "hell"};
      if (std::find(v.begin(), v.end(), buffer_.data_.str()) != v.end()) {
          // Deliberate null-pointer write -> SIGSEGV. This is undefined behaviour,
          // so an optimising build may drop it; __builtin_trap() is a safer choice.
          *(int *)0 = 0;
      }
  }
  #endif

The crash is triggered by feeding the fuzzed payload into the << operator of VSOMEIP_FATAL somewhere in fuzzing.cpp:

  #ifdef CRASH_LIBRARY
  VSOMEIP_FATAL << str_payload;
  #endif
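The same canary idea as a stand-alone AFL++ target, so the fuzzer's crash detection can be checked without building vsomeip at all. This is an added example, not code from the vsomeip-fuzzing repository: the names should_crash, read_payload, deliver and kCrashPayloads are this example's own, and it assumes AFL++ delivers the mutated input on stdin (no @@ file argument). It uses __builtin_trap() instead of the null store, since the null store is undefined behaviour and an optimising compiler may remove it.

```cpp
// Added example (not part of vsomeip-fuzzing): minimal AFL++ target that
// crashes on the same canary payloads as the message.cpp instrumentation.
// Build: afl-clang-fast++ -O1 -std=c++17 canary.cpp -o canary
// Run:   afl-fuzz -i seeds -o afl_output -- ./canary
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>

// Canary strings, identical to vector v in the instrumentation snippet.
static const std::vector<std::string> kCrashPayloads = {"Hello", "hullo", "hell"};

// True when the payload would trigger the planted crash. Kept free of
// side effects so it can be exercised without actually crashing.
bool should_crash(const std::string &payload) {
    return std::find(kCrashPayloads.begin(), kCrashPayloads.end(), payload) !=
           kCrashPayloads.end();
}

// Read the complete fuzz input from a stream as a byte string. Note that the
// comparison is exact: a seed written with echo (trailing '\n') does not match.
std::string read_payload(std::istream &in) {
    return std::string(std::istreambuf_iterator<char>(in),
                       std::istreambuf_iterator<char>());
}

// Stand-in for "VSOMEIP_FATAL << str_payload": the point where the real
// harness hands the payload to the library.
void deliver(const std::string &payload) {
    if (should_crash(payload)) {
        // Raises SIGILL unconditionally, so AFL++ records a crash regardless
        // of the optimisation level (unlike the UB null store).
        __builtin_trap();
    }
}

int main() {
    deliver(read_payload(std::cin));
    return 0;
}
```

To confirm that crashes are reported, create a seed with `printf 'Hello' > seeds/hello` (not `echo`, which appends a newline) and AFL++ should show a crash within seconds; with only unrelated seeds, the time it takes to reach the canary gives a feel for how well the build's compare instrumentation (CMPLOG or a dictionary containing the canary strings) helps.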