vts_proto_fuzzer fuzzer

Author: 413x | Published 2018-10-11 11:52, read 0 times

    Android VTS tech revelation 1: the vts_proto_fuzzer fuzzer

    This is my first article of the Android VTS revelation series. I am writing it because there are very few articles about it, and I want to learn all Android fuzzing techniques. Let's begin.

    Using the vts_proto_fuzzer fuzzer

    vts_proto_fuzzer can work in two modes, "HAL in binder" (binder mode) and normal mode; we need to provide the .vts spec files and the target interface as arguments.

    Usage:vts_proto_fuzzer <vts flags> -- <libfuzzer flags>
    vts_binder_mode: if set, fuzzer will open the HAL in binder mode.
    vts_exec_size: number of function calls per 1 run of LLVMFuzzerTestOneInput
    vts_spec_dir: -separated list of directories on the target containing .vts spec files.
    vts_target_iface: name of interface targeted for fuzz, e.g.  INfc
    vts_seed: optional integral argument used to initalize the random number generator
    libfuzzer flags (strictly in form -flag=value):
    Use -help=1 to see libfuzzer flags
    

    Revealing the core technology of vts_proto_fuzzer

    The vts_proto_fuzzer main module

    The main module of vts_proto_fuzzer consists of three components: random, mutator and runner. I will analyse how these modules work.

      random = make_unique<Random>(params.seed_);       // RNG seeded from vts_seed
      mutator = make_unique<ProtoFuzzerMutator>(
          *random.get(), ExtractPredefinedTypes(params.comp_specs_),
          mutator_config);                              // mutates specs, driven by the RNG
      runner = make_unique<ProtoFuzzerRunner>(params.comp_specs_);  // executes call sequences against the HAL
    

    vts_proto_fuzzer is compiled with clang's libFuzzer.

    In ProtoFuzzerMain.cc we see LLVMFuzzerInitialize, LLVMFuzzerTestOneInput, LLVMFuzzerCustomCrossOver and LLVMFuzzerCustomMutator. I had only seen and used LLVMFuzzerTestOneInput before reading ProtoFuzzerMain.cc; libFuzzer is really a great tool, and I will introduce these methods in another blog post.

    extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
    ...
    }
    
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    ...
    }
    
    extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
                                                const uint8_t *data2, size_t size2,
                                                uint8_t *out, size_t max_out_size,
                                                unsigned int seed) {
    ...
    }
    
    extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
                                              size_t max_size, unsigned int seed){
    ...
    }
    

    ProtoFuzzerMutator

    The mutator uses the random number generator to mutate the input, which is what drives the fuzzer.

    Mutator working modes

    • Mutates an ExecSpec in place.
    • Mutates a FuncSpec.
    • Mutates a VarInstance.

    VarInstance: specifies a function argument or, more generally, an attribute.
    ExecSpec: specifies an API call sequence.
    FuncSpec: specifies a function; its members include the function name, module name, hidl_interface_id, ...
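To show how the three components of the main module (random, mutator, runner) hook into the libFuzzer entry points, and how the mutator works at the ExecSpec, FuncSpec and VarInstance levels, here is an added example written for this post; it is not code from the Android VTS project. The VarInstance/FuncSpec/ExecSpec structs, the byte format, the toy HAL (ToyFunc), kExecSize, kSeedInput and the helper MutateOnce are all assumptions that stand in for the real protobuf messages, the HAL service and the vts_exec_size flag.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <random>
#include <vector>

// Hypothetical stand-ins for the VTS protobuf messages named in the post.
struct VarInstance { uint32_t value = 0; };                          // one scalar argument
struct FuncSpec { uint8_t id = 0; std::vector<VarInstance> args; };  // one function call
struct ExecSpec { std::vector<FuncSpec> funcs; };                    // an API call sequence

// Hypothetical in-process stand-in for a HAL; kExecSize plays the vts_exec_size role.
enum ToyFunc : uint8_t { kOpen = 0, kWrite = 1, kClose = 2, kNumFuncs = 3 };
static const size_t kExecSize = 8;

struct Random {  // seeded, so a run replays exactly from (seed, input)
  explicit Random(uint64_t seed) : eng(seed) {}
  uint32_t Rand() { return static_cast<uint32_t>(eng()); }
  uint32_t Below(size_t n) { return n ? Rand() % n : 0; }
  std::mt19937_64 eng;
};

// Wire format: [nfuncs] then per call [id][nargs][4 bytes per arg, host order].
// Parsing stops at the first truncated field, so any bytes libFuzzer hands us
// still yield a well-formed ExecSpec.
static ExecSpec Deserialize(const uint8_t *data, size_t size) {
  ExecSpec spec;
  size_t pos = 1;
  for (uint8_t f = 0; size && f < data[0] && pos + 2 <= size; ++f) {
    FuncSpec fn;
    fn.id = data[pos++];
    for (uint8_t nargs = data[pos++], a = 0; a < nargs && pos + 4 <= size; ++a, pos += 4) {
      VarInstance v;
      std::memcpy(&v.value, data + pos, 4);
      fn.args.push_back(v);
    }
    spec.funcs.push_back(fn);
  }
  return spec;
}

static std::vector<uint8_t> Serialize(const ExecSpec &spec) {
  std::vector<uint8_t> out{static_cast<uint8_t>(spec.funcs.size())};
  for (const FuncSpec &fn : spec.funcs) {
    out.push_back(fn.id);
    out.push_back(static_cast<uint8_t>(fn.args.size()));
    for (const VarInstance &v : fn.args) {
      const uint8_t *p = reinterpret_cast<const uint8_t *>(&v.value);
      out.insert(out.end(), p, p + 4);
    }
  }
  return out;
}

// Mutates in place at the three granularities the post lists.
struct ProtoFuzzerMutator {
  Random &rng; size_t max_funcs, max_args;
  void MutateVarInstance(VarInstance &v) {
    uint32_t c = rng.Below(3);  // flip one bit, fresh random value, or boundary value
    v.value = c == 0 ? v.value ^ (1u << rng.Below(32)) : c == 1 ? rng.Rand()
            : (rng.Below(2) ? 0u : UINT32_MAX);
  }
  void MutateFuncSpec(FuncSpec &fn) {
    if (fn.args.empty() || (fn.args.size() < max_args && rng.Below(4) == 0))
      fn.args.push_back({rng.Rand()});  // grow the argument list
    else
      MutateVarInstance(fn.args[rng.Below(fn.args.size())]);
  }
  void MutateExecSpec(ExecSpec &spec) {
    std::vector<FuncSpec> &fs = spec.funcs;
    uint32_t c = rng.Below(4);
    if (fs.empty() || (c == 0 && fs.size() < max_funcs)) {  // insert a call
      FuncSpec fn;
      fn.id = static_cast<uint8_t>(rng.Below(kNumFuncs));
      fn.args.push_back({rng.Rand()});
      fs.insert(fs.begin() + rng.Below(fs.size() + 1), fn);
    } else if (c == 1 && fs.size() > 1) {  // drop a call
      fs.erase(fs.begin() + rng.Below(fs.size()));
    } else {  // mutate one call
      MutateFuncSpec(fs[rng.Below(fs.size())]);
    }
  }
};

// Dispatches a call sequence against the toy HAL; returns how many calls ran.
struct ProtoFuzzerRunner {
  bool open = false; uint64_t bytes = 0;
  size_t Execute(const ExecSpec &spec) {
    size_t n = 0;
    for (const FuncSpec &fn : spec.funcs) {
      if (fn.id >= kNumFuncs) continue;  // id outside the spec: skip, don't crash
      ++n;
      if (fn.id == kOpen) { open = true; bytes = 0; }
      else if (fn.id == kClose) open = false;
      else if (open && !fn.args.empty()) bytes += fn.args[0].value;  // kWrite
    }
    return n;
  }
};

extern "C" int LLVMFuzzerInitialize(int *, char ***) { return 0; }  // vts flag parsing would go here

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  ProtoFuzzerRunner runner;
  runner.Execute(Deserialize(data, size));  // a crash in here is the fuzzer's finding
  return 0;
}

// With this defined, libFuzzer uses it instead of its byte-level mutators.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
                                          size_t max_size, unsigned int seed) {
  Random rng(seed);
  ProtoFuzzerMutator mutator{rng, kExecSize, 4};
  ExecSpec spec = Deserialize(data, size);
  mutator.MutateExecSpec(spec);
  std::vector<uint8_t> out = Serialize(spec);
  size_t n = std::min(out.size(), max_size);  // a truncated tail still parses
  std::memcpy(data, out.data(), n);
  return n;
}

// Constructed seed input (example data): open, then write(10, 3).
static const std::vector<uint8_t> kSeedInput = {2, 0, 0, 1, 2, 10, 0, 0, 0, 3, 0, 0, 0};

// One harness-style round over raw bytes: mutate with the custom mutator, parse back.
static ExecSpec MutateOnce(std::vector<uint8_t> buf, unsigned int seed) {
  size_t size = buf.size();
  buf.resize(64);  // head-room, as libFuzzer's max_size would provide
  return Deserialize(buf.data(), LLVMFuzzerCustomMutator(buf.data(), size, buf.size(), seed));
}
```

Build it as a libFuzzer target with `clang++ -std=c++17 -fsanitize=fuzzer,address example.cpp` and run the binary with a seed corpus containing kSeedInput. The point of the design is that mutation happens on the parsed structure rather than on raw bytes: libFuzzer's default byte-level mutators would mostly produce inputs that fail to parse, while a structure-aware mutator keeps every input a valid call sequence, and the lenient parser guarantees that whatever bytes arrive still turn into an ExecSpec the runner can execute.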

Article link: https://www.haomeiwen.com/subject/erwvaftx.html