diff options
author | Allen Webb <allenwebb@google.com> | 2018-08-21 12:11:38 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-12-03 12:43:22 -0800 |
commit | a5e1a639e55d1c6382b4d690c6b78f6f85e8fbc9 (patch) | |
tree | 04ea72cd9750bc6b3e792550f7fd9515186a3636 /fuzz/cr50_fuzz.proto | |
parent | b343c963b38b03df97a1bc57f201e26640c89e47 (diff) | |
download | chrome-ec-a5e1a639e55d1c6382b4d690c6b78f6f85e8fbc9.tar.gz |
cr50_fuzz: Add libprotobuf-mutator support.
This uses protocol buffers to model what actions can be taken with
pinweaver at a higher level of abstraction than the raw requests to
greatly increase the coverage that can be achieved by fuzzing, while
still allowing for invalid inputs to be checked.
BRANCH=none
BUG=chromium:876582
TEST=sudo emerge libprotobuf-mutator &&
make -j buildfuzztests && ./build/host/cr50_fuzz/cr50_fuzz.exe
Change-Id: Ie7ce569650ca06866f277f36eae61df2684de60c
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1184107
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'fuzz/cr50_fuzz.proto')
-rw-r--r-- | fuzz/cr50_fuzz.proto | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/fuzz/cr50_fuzz.proto b/fuzz/cr50_fuzz.proto new file mode 100644 index 0000000000..0291eacd88 --- /dev/null +++ b/fuzz/cr50_fuzz.proto @@ -0,0 +1,31 @@ +// Copyright 2018 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +syntax = "proto3"; + +package fuzz; + +import public "fuzz/pinweaver/pinweaver.proto"; + +message RandomBytes { + bytes value = 1; +} + +message Cr50SubAction { + // Allows a logical representation of an action (PinWeaver) or a literal + // representation (RandomBytes). The logical representation fills out the + // expected values of particular fields when they are empty or not part of the + // proto so that the fuzzer can reach parts of the code without having to + // brute force an HMAC. The literal representation allows for the fuzzer to + // represent inputs that cannot be represented with the logical + // representation. + oneof sub_action { + RandomBytes random_bytes = 1; + pinweaver.Request pinweaver = 2; + } +} + +message Cr50FuzzerInput { + repeated Cr50SubAction sub_actions = 1; +} |