
Issue 837253

Starred by 2 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature

Blocking:
issue 806788
issue 871159




Add fuzz testing for cryptohome's code on smart card sign-in

Project Member Reported by emaxx@chromium.org, Apr 26 2018

Issue description

The new code added in 806788 (and related) involves quite a bunch of data conversions and parsing. While a significant part of that logic relies on TPM on-chip operations and involves auxiliary machinery for doing them, there are still some self-contained pieces that should benefit from fuzz testing.

Comment 1 Deleted

Comment 2 by emaxx@chromium.org, Apr 26 2018

Blocking: 806788

Comment 3 by emaxx@chromium.org, Apr 26 2018

Attaching the Doc on writing fuzz tests in Chrome OS (the old link has expired):
https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md

Comment 4 by emaxx@chromium.org, Apr 26 2018

Cc: apronin@chromium.org mnissler@chromium.org
mnissler@: After spending a bit more thought, I realized that while the TPM2 part of the new code is much easier to fuzz, it's probably of much less interest than the TPM1.2 part. For TPM2, we basically parse a proto, do a couple of simple validations and forward this data to a TPM function. Meanwhile for TPM1.2 the code does a couple of complex raw buffer parsings and transformations.
So my feeling is that we shouldn't spend effort on a fuzzer for TPM2, but rather aim at TPM1.2 (which would involve doing a refactoring to make Trousers mockable). WDYT?

Comment 5 by mmoroz@google.com, Apr 27 2018

Cc: metzman@chromium.org

Comment 6 by bugdroid1@chromium.org, May 4 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/30cf18d35470033d25bbc56208b456609da9124b

commit 30cf18d35470033d25bbc56208b456609da9124b
Author: Maksim Ivanov <emaxx@google.com>
Date: Fri May 04 04:27:52 2018

cryptohome: Fuzzer for CryptoLib::RsaOaepDecrypt

Add a fuzzer for the CryptoLib::RsaOaepDecrypt() function.

Also add a corpus with several valid inputs and a generator for the
corpus. This is essential because the main input of the tested
function is the RSA encrypted data, and it's unrealistic for the
fuzzer to brute force a valid pair of an RSA key and the encrypted
data.

BUG=chromium:837253
TEST=build and run fuzzer locally

Change-Id: I76667ccda3797bfa72669ea1dd559a818d87b03d
Reviewed-on: https://chromium-review.googlesource.com/1039750
Commit-Ready: Maksim Ivanov <emaxx@chromium.org>
Tested-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>

[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_512.text_foobar.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_2048.text_foobar.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_1024.text_.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_512.text_foobar.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_4096.text_.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_1024.text_.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_512.text_.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_2048.text_.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_1024.text_foobar.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus_generator.sh
[modify] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/cryptohome.gyp
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_1024.text_foobar.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_fuzzer.cc
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_2048.text_.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_4096.text_foobar.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_4096.text_foobar.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_512.text_.label_bazlabel
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_4096.text_.label_
[add] https://crrev.com/30cf18d35470033d25bbc56208b456609da9124b/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_corpus/valid.key_2048.text_foobar.label_bazlabel
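The commit message above explains why the fuzzer ships with a seed corpus: the target's main input is RSA-encrypted data, and a mutational fuzzer will not stumble on a matching (key, ciphertext) pair on its own. The Python below is an added illustration of that arrangement, not cryptohome's code and not the real fuzzer's input format: a libFuzzer-style entry point `fuzz_one_input` that must return rather than raise for any bytes it is handed, a stand-in `rsa_oaep_decrypt` as the function under test, and `generate_corpus`, which emits one valid input per (key size, text, label) combination named like the corpus files listed in the commit. RSA-OAEP is a minimal pure-Python version using SHA-1 and MGF1 (OpenSSL's default OAEP parameters, which is also what lets a 512-bit key carry a 6-byte message); the framing of the input bytes (length-prefixed n, d and label followed by the ciphertext), the key sizes and every function name are assumptions.

```python
# Added example, not cryptohome's code: toy pure-Python RSA-OAEP (SHA-1 + MGF1,
# OpenSSL's OAEP defaults) so it runs offline; input framing and names are assumed.
import hashlib
import random
import struct
HASH, HLEN = hashlib.sha1, hashlib.sha1().digest_size  # hLen = 20

def is_probable_prime(n, rng, rounds=16):  # Miller-Rabin; every candidate is odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def gen_key(bits, rng):
    """Toy keygen: (n, e, d) with an exactly `bits`-bit modulus, e = 65537."""
    def prime(b):  # random odd b-bit candidates with the top bit set
        cands = iter(lambda: rng.getrandbits(b) | (1 << (b - 1)) | 1, None)
        return next(c for c in cands if is_probable_prime(c, rng))
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % 65537:
            return n, 65537, pow(65537, -1, phi)

def mgf1(seed, length):
    return b"".join(HASH(seed + struct.pack(">I", i)).digest() for i in range(-(-length // HLEN)))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, label, k, rng):
    """RFC 8017 EME-OAEP encoding; k is the modulus size in bytes."""
    assert len(msg) <= k - 2 * HLEN - 2, "message too long for this key"
    db = HASH(label).digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = bytes(rng.getrandbits(8) for _ in range(HLEN))
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    return b"\x00" + xor(seed, mgf1(masked_db, HLEN)) + masked_db

def oaep_decode(em, label, k):
    """Return the message, or None on any padding error (never raise)."""
    if len(em) != k or k < 2 * HLEN + 2 or em[0] != 0:
        return None
    seed = xor(em[1:1 + HLEN], mgf1(em[1 + HLEN:], HLEN))
    db = xor(em[1 + HLEN:], mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)  # PS (all 0x00) ends at the first 0x01 after lHash
    if db[:HLEN] != HASH(label).digest() or sep < 0 or any(db[HLEN:sep]):
        return None
    return db[sep + 1:]

def rsa_oaep_decrypt(n, d, label, ciphertext):
    """Stand-in for the function under test: None on bad input, never a crash."""
    k, c = (n.bit_length() + 7) // 8, int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= n:
        return None
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), label, k)

def pack_input(n, d, label, ciphertext):
    """Assumed fuzzer input framing: u16-length-prefixed n, d and label, then the ciphertext."""
    parts = [n.to_bytes((n.bit_length() + 7) // 8, "big"), d.to_bytes((d.bit_length() + 7) // 8, "big"), label]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts) + ciphertext

def unpack_input(data):
    """Inverse of pack_input: (n, d, label, ciphertext), or None if the bytes do not fit."""
    fields = []
    for _ in range(3):
        length = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
        if length < 0 or len(data) - 2 < length:
            return None
        fields, data = fields + [data[2:2 + length]], data[2 + length:]
    return int.from_bytes(fields[0], "big"), int.from_bytes(fields[1], "big"), fields[2], data

def fuzz_one_input(data):
    """libFuzzer-style entry point: must return (not raise) for any `data`."""
    parsed = unpack_input(data)
    if parsed is None or parsed[0] < 2:  # a modulus of 0 or 1 is not a key
        return None
    return rsa_oaep_decrypt(*parsed)

def generate_corpus(seed=1234):
    """Seed corpus (constructed, deterministic per seed): one valid input per (key size, text, label)."""
    rng, corpus = random.Random(seed), {}
    for bits in (512, 1024):
        n, e, d = gen_key(bits, rng)
        k = (n.bit_length() + 7) // 8
        for text, label in [(t, l) for t in (b"", b"foobar") for l in (b"", b"bazlabel")]:
            ct = pow(int.from_bytes(oaep_encode(text, label, k, rng), "big"), e, n).to_bytes(k, "big")
            corpus[f"valid.key_{bits}.text_{text.decode()}.label_{label.decode()}"] = pack_input(n, d, label, ct)
    return corpus
```

Every corpus entry decrypts back to its text through `fuzz_one_input`, and the mutations a fuzzer would derive from it (a flipped ciphertext bit, a different label, a truncated or nonsense input) all come back as None instead of an exception, which is the property the target exists to check. `oaep_decode` is deliberately written to give the caller no indication of which check failed; a real implementation has to keep that property too, since distinguishable padding failures are the known weak point of RSA-OAEP decryption.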


Comment 7 by bugdroid1@chromium.org, May 5 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/e49f3d0875a48d618b9c925e63fa807a0d7bdb02

commit e49f3d0875a48d618b9c925e63fa807a0d7bdb02
Author: Maksim Ivanov <emaxx@google.com>
Date: Sat May 05 03:51:15 2018

cryptohome: EBUILD for fuzzer of CryptoLib::RsaOaepDecrypt

Add installation of the new fuzzer cryptolib_rsa_oaep_decrypt_fuzzer
into cryptohome's EBUILD.

BUG=chromium:837253
TEST=build package and check that fuzzer runs from chroot
CQ-DEPEND=CL:1039750

Change-Id: I931cf1d0252aa8649c2d3b77178d962b070fe7d8
Reviewed-on: https://chromium-review.googlesource.com/1042311
Tested-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Commit-Queue: Maksim Ivanov <emaxx@chromium.org>

[rename] https://crrev.com/e49f3d0875a48d618b9c925e63fa807a0d7bdb02/virtual/chromium-os-fuzzers/chromium-os-fuzzers-1-r4.ebuild
[modify] https://crrev.com/e49f3d0875a48d618b9c925e63fa807a0d7bdb02/virtual/chromium-os-fuzzers/chromium-os-fuzzers-1.ebuild
[modify] https://crrev.com/e49f3d0875a48d618b9c925e63fa807a0d7bdb02/chromeos-base/cryptohome/cryptohome-9999.ebuild

Comment 8 by emaxx@chromium.org, May 8 2018

Status: Started (was: Assigned)

Comment 9 by bugdroid1@chromium.org, May 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/41b3f4cb8ad715f538e0cc227c0dec32ee1682f0

commit 41b3f4cb8ad715f538e0cc227c0dec32ee1682f0
Author: Maksim Ivanov <emaxx@google.com>
Date: Wed May 09 18:21:35 2018

cryptohome: Suppress logs from fuzzer cryptolib_rsa_oaep_decrypt_fuzzer

Avoid printing garbage logs from the fuzzed code, like decryption
failures.

BUG=chromium:837253
TEST=build and run fuzzer

Change-Id: Id100cb75bbe8429f5c3dbf7c6fa49440d6f54339
Reviewed-on: https://chromium-review.googlesource.com/1049065
Commit-Ready: Maksim Ivanov <emaxx@chromium.org>
Tested-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>

[modify] https://crrev.com/41b3f4cb8ad715f538e0cc227c0dec32ee1682f0/cryptohome/fuzzers/cryptolib_rsa_oaep_decrypt_fuzzer.cc

Components: -Internals
Components: OS>Systems>Security
Blocking: 871159
