author | Muhammad Haseeb Ahmad <mhahmad@google.com> | 2021-12-30 18:23:53 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-12-30 18:23:53 +0000 |
commit | 268d7f757f82e6e706cd4f5dfcb854fc2342b053 (patch) | |
tree | c5880647e8b29782d15be0c99a60e56fed6f8a02 /examples/src/main/java/com/example/ExampleValueProfileFuzzer.java | |
parent | b997679abe998d84ad4b9c3e6589342794d3bfcb (diff) | |
parent | 0f73d9c5add52fa24500a9ddb691528db216e096 (diff) | |
download | jazzer-api-268d7f757f82e6e706cd4f5dfcb854fc2342b053.tar.gz |
Merge remote-tracking branch 'aosp/upstream-main' into master am: 5c6f411699 am: 844d7aba71 am: 0f73d9c5ad
Original change: https://android-review.googlesource.com/c/platform/external/jazzer-api/+/1935188
Change-Id: I0c6c57f25d7b033e469b5f869e4de16f0ec62839
Diffstat (limited to 'examples/src/main/java/com/example/ExampleValueProfileFuzzer.java')
-rw-r--r-- | examples/src/main/java/com/example/ExampleValueProfileFuzzer.java | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java b/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java
new file mode 100644
index 00000000..acc023a2
--- /dev/null
+++ b/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java
@@ -0,0 +1,53 @@
+// Copyright 2021 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+import java.util.Base64;
+
+public class ExampleValueProfileFuzzer {
+  private static String base64(byte[] input) {
+    return Base64.getEncoder().encodeToString(input);
+  }
+
+  private static long insecureEncrypt(long input) {
+    long key = 0xefe4eb93215cb6b0L;
+    return input ^ key;
+  }
+
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    // Without -use_value_profile=1, the fuzzer gets stuck here as there is no direct correspondence
+    // between the input bytes and the compared string. With value profile, the fuzzer can guess the
+    // expected input byte by byte, which takes linear rather than exponential time.
+    if (base64(data.consumeBytes(6)).equals("SmF6emVy")) {
+      long[] plaintextBlocks = data.consumeLongs(2);
+      if (plaintextBlocks.length != 2)
+        return;
+      if (insecureEncrypt(plaintextBlocks[0]) == 0x9fc48ee64d3dc090L) {
+        // Without --fake_pcs (enabled by default with -use_value_profile=1), the fuzzer would get
+        // stuck here as the value profile information for long comparisons would not be able to
+        // distinguish between this comparison and the one above.
+        if (insecureEncrypt(plaintextBlocks[1]) == 0x888a82ff483ad9c2L) {
+          mustNeverBeCalled();
+        }
+      }
+    }
+  }
+
+  private static void mustNeverBeCalled() {
+    throw new FuzzerSecurityIssueLow("mustNeverBeCalled has been called");
+  }
+}
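Review bot: The early return `if (plaintextBlocks.length != 2) return;` in fuzzerTestOneInput is the only unbraced conditional in the file, while every other `if` in the same method is braced; for consistency it should read `if (plaintextBlocks.length != 2) {` / `return;` / `}`. The three bare long literals — the XOR key in insecureEncrypt and the two expected values compared in fuzzerTestOneInput — would be clearer as named `private static final long` constants so the relationship between the key and the expected values is visible at the comparison site. A class-level Javadoc stating that this is a deliberately contrived target, whose XOR "encryption" exists only to demonstrate value-profile guidance on long comparisons as the inline comments explain, would help readers who open the file without the commit context. The whole file is within this hunk, so none of the definitions continue outside it.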