author | Fabian Meumertzheim <fabian@meumertzhe.im> | 2022-08-15 16:37:51 +0200 |
committer | Fabian Meumertzheim <fabian@meumertzhe.im> | 2022-08-19 14:28:35 +0200 |
commit | de57b39db8ed362fe2e93100de74597b453eeb02 (patch) | |
tree | 637b94ba867f1dc4aa2e326c15b44327f6a649d4 | |
parent | 16b8e6bc5ac3b47e930c0d37b3ec7461ae21ee1e (diff) | |
download | jazzer-api-de57b39db8ed362fe2e93100de74597b453eeb02.tar.gz |
tests: Verify that value profiling works in native libraries
-rw-r--r-- | tests/BUILD.bazel | 19 | ||||
-rw-r--r-- | tests/src/test/java/com/example/NativeValueProfileFuzzer.java | 38 | ||||
-rw-r--r-- | tests/src/test/native/com/example/BUILD.bazel | 15 | ||||
-rw-r--r-- | tests/src/test/native/com/example/native_value_profile_fuzzer.cpp | 35 |
4 files changed, 107 insertions, 0 deletions
diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
index c32d0b6a..cc0814e9 100644
--- a/tests/BUILD.bazel
+++ b/tests/BUILD.bazel
@@ -1,3 +1,4 @@
+load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
 load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
 load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
@@ -237,3 +238,21 @@ java_fuzz_target_test(
     ],
     target_class = "com.example.NoSeedFuzzer",
 )
+
+java_jni_library(
+    name = "native_value_profile_fuzzer",
+    srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"],
+    native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"],
+    visibility = ["//tests/src/test/native/com/example:__pkg__"],
+    deps = ["//agent:jazzer_api_compile_only"],
+)
+
+java_fuzz_target_test(
+    name = "NativeValueProfileFuzzer",
+    expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
+    fuzzer_args = ["-use_value_profile=1"],
+    sanitizer = "address",
+    target_class = "com.example.NativeValueProfileFuzzer",
+    verify_crash_reproducer = False,
+    runtime_deps = [":native_value_profile_fuzzer"],
+)
diff --git a/tests/src/test/java/com/example/NativeValueProfileFuzzer.java b/tests/src/test/java/com/example/NativeValueProfileFuzzer.java
new file mode 100644
index 00000000..1085a953
--- /dev/null
+++ b/tests/src/test/java/com/example/NativeValueProfileFuzzer.java
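Review bot: `verify_crash_reproducer = False` on the new NativeValueProfileFuzzer target is the one attribute that departs from the other java_fuzz_target_test rules visible here, and nothing says why. Presumably the standalone reproducer cannot load the JNI library that `runtime_deps` provides to the fuzz run, but a reader has to guess; a one-line comment above the attribute would settle it, e.g. `# The reproducer runs without the native library on its path; skip verifying it.` (adjust if the actual reason differs). The `fuzzer_args = ["-use_value_profile=1"]` line is what the test title hinges on and could likewise carry `# The native checks are only expected to be solved with value profiling.`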
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2022 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+import com.github.fmeum.rules_jni.RulesJni;
+
+public class NativeValueProfileFuzzer {
+  public static void fuzzerInitialize() {
+    RulesJni.loadLibrary("native_value_profile_fuzzer", NativeValueProfileFuzzer.class);
+  }
+
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    long[] blocks = data.consumeLongs(2);
+    if (blocks.length != 2)
+      return;
+    if (checkAccess(blocks[0], blocks[1])) {
+      throw new FuzzerSecurityIssueLow("Security breached");
+    }
+  }
+
+  private static native boolean checkAccess(long block1, long block2);
+}
diff --git a/tests/src/test/native/com/example/BUILD.bazel b/tests/src/test/native/com/example/BUILD.bazel
new file mode 100644
index 00000000..cce29a07
--- /dev/null
+++ b/tests/src/test/native/com/example/BUILD.bazel
@@ -0,0 +1,15 @@
+load("@fmeum_rules_jni//jni:defs.bzl", "cc_jni_library")
+
+cc_jni_library(
+    name = "native_value_profile_fuzzer",
+    srcs = ["native_value_profile_fuzzer.cpp"],
+    copts = [
+        "-fsanitize=fuzzer-no-link",
+    ],
+    linkopts = select({
+        "//:clang_on_linux": ["-fuse-ld=lld"],
+        "//conditions:default": [],
+    }),
+    visibility = ["//tests:__pkg__"],
+    deps = ["//tests:native_value_profile_fuzzer.hdrs"],
+)
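Review bot: The early return `if (blocks.length != 2) return;` in fuzzerTestOneInput is the only unbraced conditional in the file, while the `if (checkAccess(...))` two lines below is braced; for consistency write it as `if (blocks.length != 2) {` / `  return;` / `}`. Nothing in the Java file says why access checking is delegated to a native method, so the class deserves a one-line comment tying it to the test's purpose, e.g. `// Exercises value profiling across the JNI boundary: the comparisons in the native checkAccess are only expected to be solved with -use_value_profile=1.` The length check itself is sound: FuzzedDataProvider may hand back fewer than two longs near the end of the input, and the code bails out rather than indexing past the array.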
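Review bot: The `copts = ["-fsanitize=fuzzer-no-link"]` line is what makes this native library observable to the fuzzer, yet it carries no explanation, and it is easy for a later cleanup to drop it as "we don't link libFuzzer here". A comment above it would protect the test, e.g. `# Instrument the library with libFuzzer's coverage hooks (incl. comparison tracing) without linking libFuzzer itself.` — as far as I recall, clang's fuzzer-no-link implies the trace-cmp instrumentation that value profiling relies on, so confirm the wording against the toolchain. The `-fuse-ld=lld` selection for clang on Linux could use a short `# why` as well, since the reason (presumably the default linker failing with the instrumented objects) is not visible here.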
diff --git a/tests/src/test/native/com/example/native_value_profile_fuzzer.cpp b/tests/src/test/native/com/example/native_value_profile_fuzzer.cpp
new file mode 100644
index 00000000..2edcc269
--- /dev/null
+++ b/tests/src/test/native/com/example/native_value_profile_fuzzer.cpp
@@ -0,0 +1,35 @@
+// Copyright 2022 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cstdint>
+#include <cstring>
+
+#include "com_example_NativeValueProfileFuzzer.h"
+
+// Prevent the compiler from inlining the secret all the way into checkAccess,
+// which would make it trivial for the fuzzer to pass the checks.
+volatile uint64_t secret = 0xefe4eb93215cb6b0L;
+
+static uint64_t insecureEncrypt(uint64_t input) { return input ^ secret; }
+
+jboolean Java_com_example_NativeValueProfileFuzzer_checkAccess(JNIEnv *, jclass,
+                                                               jlong block1,
+                                                               jlong block2) {
+  if (insecureEncrypt(block1) == 0x9fc48ee64d3dc090L) {
+    if (insecureEncrypt(block2) == 0x888a82ff483ad9c2L) {
+      return true;
+    }
+  }
+  return false;
+}
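Review bot: `volatile uint64_t secret` is a namespace-scope definition with external linkage, so the shared library exports a plain symbol named `secret` that nothing outside this file uses; `static volatile uint64_t secret = 0xefe4eb93215cb6b0L;` keeps the volatile read that the comment relies on to defeat constant folding while not leaking the symbol or inviting a clash with another test library. `#include <cstring>` is unused — nothing from it is called in the file — and can be dropped. In checkAccess, returning `JNI_TRUE` / `JNI_FALSE` instead of `true` / `false` matches the declared `jboolean` return type and the convention of the generated header this file includes; the implicit bool conversion is correct as written, so this is style only.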