Fuzz tests use libFuzzer to test the SAPI _Prepare and _Complete functions.
Building fuzz tests can be enabled using the --with-fuzzing= option. For which there are two possible values.
libFuzzer tests can be built natively or using the docker fuzzing target.
Build the fuzz tests by setting --with-fuzzing=libfuzzer and statically linking to the fuzzing TCTI.
export GEN_FUZZ=1 ./bootstrap ./configure \ CC=clang \ CXX=clang++ \ --enable-debug \ --with-fuzzing=libfuzzer \ --enable-tcti-fuzzing \ --enable-tcti-device=no \ --enable-tcti-mssim=no \ --with-maxloglevel=none \ --disable-shared make -j $(nproc) check
Run the fuzz tests by executing any binary ending in .fuzz in test/fuzz/.
./test/fuzz/Tss2_Sys_ZGen_2Phase_Prepare.fuzz
Build the fuzz targets and check that they work by building the fuzzing docker target.
docker build --target fuzzing -t tpm2-tss:fuzzing .
Run a fuzz target and mount a directory as a volume into the container where it should store its findings should it produce any.
docker run --rm -ti tpm2-tss:fuzzing \ -v "${PWD}/findings_dir":/artifacts \ ./test/fuzz/Tss2_Sys_PolicyPhysicalPresence_Prepare.fuzz \ -artifact_prefix=/artifacts
OSS fuzz integration can be found under the tpm2-tss project in OSS Fuzz.
The Dockerfile there builds the dependencies. build.sh Runs the compilation as seen under the fuzzing target of the Dockerfile in this repo, only --with-fuzzing=ossfuzz.
Currently only fuzz targets for the System API have been implemented.
The fuzzing TCTI is used as a temporary storage location for the Data and Size arguments of LLVMFuzzerTestOneInput.
For _Complete calls the TCTI uses Data and Size as the response buffer and response size for TSS2_TCTI_RECEIVE.
Fuzz tests are generated via script/gen_fuzz.py.
Setting GEN_FUZZ=1 when running bootstrap will run script/gen_fuzz.py.
GEN_FUZZ=1 ./bootstrap
script/gen_fuzz.py reads the SAPI header file and generates a fuzz target for each _Prepare and _Complete call using similar templates.
For _Prepare calls the fuzz_fill function in the fuzzing TCTI will fill each TPM2 structure used can copy from LLVMFuzzerTestOneInput's Data into it.