-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial fuzzing support and fixes #11
Merged
Changes from all commits
Commits
Show all changes
11 commits
Select commit
Hold shift + click to select a range
13c7c2d
Initial fuzzing implementation
szszszsz 3a71ffc
Replace crashing assert with recoverable result
szszszsz e7bc279
Add helper Makefile
szszszsz 5d194d7
Use crash-free flexiber fork
szszszsz 93cfaf2
Handle more unwrap errors
szszszsz 9ead94d
Run fuzzing with low priority
szszszsz b17baf8
Allow to run fuzz-coverage report data digestion separately
szszszsz 552a1d0
Apply review corrections
szszszsz d8392b4
Add missing algorithm value for the Select command
szszszsz 8f37263
Add draft for the forced delay on the failed rev hotp verification
szszszsz 6d66c31
Update flexiber to released tag 0.1.1.nitrokey
szszszsz File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
[package] | ||
name = "oath-authenticator-fuzz" | ||
version = "0.0.0" | ||
publish = false | ||
edition = "2021" | ||
|
||
[package.metadata] | ||
cargo-fuzz = true | ||
|
||
[dependencies] | ||
libfuzzer-sys = "0.4" | ||
apdu-dispatch = { version = "0.1", optional = true } | ||
flexiber = { version = "0.1.0", features = ["derive", "heapless"] } | ||
heapless = "0.7" | ||
heapless-bytes = "0.3" | ||
hex-literal = "0.3" | ||
interchange = "0.2" | ||
iso7816 = "0.1" | ||
serde = { version = "1", default-features = false } | ||
trussed = { version = "0.1.0", features = ["virt", "verbose-tests"] } | ||
ctaphid-dispatch = { version = "0.1", optional = true } | ||
usbd-ctaphid = { git = "https://github.com/Nitrokey/nitrokey-3-firmware", optional = true } | ||
|
||
[dependencies.oath-authenticator] | ||
path = ".." | ||
|
||
[features] | ||
default = ["ctaphid-dispatch", "usbd-ctaphid", "apdu-dispatch"] | ||
|
||
|
||
# Prevent this from interfering with workspaces | ||
[workspace] | ||
members = ["."] | ||
|
||
[profile.release] | ||
debug = 1 | ||
|
||
[[bin]] | ||
name = "fuzz_target_1" | ||
path = "fuzz_targets/fuzz_target_1.rs" | ||
test = false | ||
doc = false | ||
|
||
|
||
[patch.crates-io] | ||
trussed = { git = "https://github.com/trussed-dev/trussed", branch = "main" } | ||
flexiber = { git = "https://github.com/Nitrokey/flexiber", branch = "oath-authenticator" } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# Copyright (C) 2022 Nitrokey GmbH | ||
# SPDX-License-Identifier: CC0-1.0 | ||
|
||
FUZZ_DURATION?="0" | ||
FUZZ_JOBS?=$(shell nproc) | ||
.NOTPARALLEL: | ||
|
||
.PHONY: check | ||
check: | ||
reuse lint | ||
|
||
.PHONY: fuzz | ||
fuzz: | ||
nice cargo +nightly fuzz run --jobs ${FUZZ_JOBS} fuzz_target_1 corpus -- -max_total_time=${FUZZ_DURATION} | ||
|
||
.PHONY: fuzz-cov | ||
fuzz-cov: | ||
cargo +nightly fuzz coverage fuzz_target_1 corpus | ||
$(MAKE) fuzz-cov-show | ||
|
||
LLVMCOV=~/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/x86_64-unknown-linux-gnu/bin/llvm-cov | ||
.PHONY: fuzz-cov-show | ||
fuzz-cov-show: | ||
$(LLVMCOV) show --format=html \ | ||
--instr-profile=coverage/fuzz_target_1/coverage.profdata \ | ||
${CARGO_TARGET_DIR}/x86_64-unknown-linux-gnu/release/fuzz_target_1 \ | ||
> fuzz_coverage.html | ||
|
||
.PHONY: ci | ||
ci: check | ||
|
||
.PHONY: setup | ||
setup: | ||
rustup component add clippy rustfmt && rustup toolchain install nightly | ||
rustup component add llvm-tools-preview | ||
cargo install cargo-tarpaulin cargo-fuzz --profile release | ||
python3 -m pip install reuse |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
#![no_main] | ||
|
||
use libfuzzer_sys::fuzz_target; | ||
|
||
fuzz_target!(|data: &[u8]| { | ||
trussed::virt::with_ram_client("oath", move |client| { | ||
let mut oath = oath_authenticator::Authenticator::<_>::new(client); | ||
let mut response = heapless::Vec::<u8, { 3 * 1024 }>::new(); | ||
|
||
if let Ok(command) = iso7816::Command::<{ 10 * 255 }>::try_from(&data) { | ||
oath.respond(&command, &mut response).ok(); | ||
} | ||
}) | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we want to be chain multiple commands within one round of fuzzing. Otherwise many code paths can't be explored, for example for authentication, and modification/deletion. You can use
Arbitrary
to get a vec of commands.Also does Oath need authentication for some command? I think it would be very hard for the fuzzer find the correct password so it should probably be in a seed corpus.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lib.rs
.While fuzzing is currently shallow due to causes you have mentioned, it already found problems within the binary parser, which I expect will be the only one found here.