One Article Review

Source GoogleSec
Identifier 8376312
Publication date 2023-08-29 12:06:35 (viewed: 2023-08-29 17:06:19)
Title Android Goes All-in on Fuzzing
Text Posted by Jon Bottarini and Hamzeh Zawawy, Android Security

Fuzzing is an effective technique for finding software vulnerabilities. Over the past few years Android has been focused on improving the effectiveness, scope, and convenience of fuzzing across the organization. This effort has directly resulted in improved test coverage, fewer security/stability bugs, and higher code quality. Our implementation of continuous fuzzing allows software teams to find new bugs/vulnerabilities, and prevent regressions automatically without having to manually initiate fuzzing runs themselves. This post recounts a brief history of fuzzing on Android, shares how Google performs fuzzing at scale, and documents our experience, challenges, and success in building an infrastructure for automating fuzzing across Android. If you're interested in contributing to fuzzing on Android, we've included instructions on how to get started, and information on how Android's VRP rewards fuzzing contributions that find vulnerabilities.

A Brief History of Android Fuzzing

Fuzzing has been around for many years, and Android was among the early large software projects to automate fuzzing and prioritize it similarly to unit testing as part of the broader goal to make Android the most secure and stable operating system. In 2019 Android kicked off the fuzzing project, with the goal to help institutionalize fuzzing by making it seamless and part of code submission. The Android fuzzing project resulted in an infrastructure consisting of Pixel phones and Google cloud based virtual devices that enabled scalable fuzzing capabilities across the entire Android ecosystem. This project has since grown to become the official internal fuzzing infrastructure for Android and performs thousands of fuzzing hours per day across hundreds of fuzzers.
Under the Hood: How Is Android Fuzzed

Step 1: Define and find all the fuzzers in the Android repo

The first step is to integrate fuzzing into the Android build system (Soong) so that fuzzer binaries can be built. While developers are busy adding features to their codebase, they can include a fuzzer for their code and submit the fuzzer alongside the code they have developed. Android fuzzing uses a build rule called cc_fuzz (see the example below). cc_fuzz (rust_fuzz and java_fuzz are also supported) defines a Soong module with source file(s) and dependencies that can be built into a binary.

    cc_fuzz {
        name: "fuzzer_foo",
        srcs: [
            "fuzzer_foo.cpp",
        ],
        static_libs: [
            "libfoo",
        ],
        host_supported: true,
    }

A packaging rule in Soong finds all of these cc_fuzz definitions and builds them automatically. The actual fuzzer structure itself is very simple and consists of one entry point, LLVMFuzzerTestOneInput, which libFuzzer calls once per generated input (the extern "C" linkage is what lets libFuzzer locate it in a C++ source file):

    #include <stddef.h>
    #include <stdint.h>

    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        // Here you invoke the code to be fuzzed.
        return 0;
    }

This fuzzer gets automatically built into a binary and, along with its static/dynamic dependencies (as specified in the Android build file), are pack
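To make the skeleton above concrete, here is an added example (not code from the post, from AOSP, or from libFuzzer itself) of what a real cc_fuzz target body looks like: the same LLVMFuzzerTestOneInput entry point, this time driving a small, hypothetical "libfoo" record parser, together with a constructed seed corpus of the kind one would drop into the fuzzer's corpus directory. The record format, the function names parse_record, parse_len and run_seed_corpus, the RECORD_MAGIC value and the STANDALONE_DRIVER macro are all assumptions made for this illustration. The harness contract the example respects is the one a Soong cc_fuzz build relies on: return 0, never crash on any input, and leave main() to libFuzzer.

```c
/* Added example, not code from the Android post or from AOSP: a libFuzzer-style
 * harness in the shape a Soong cc_fuzz module expects (one
 * LLVMFuzzerTestOneInput entry point, no main when linked against libFuzzer).
 * The "libfoo" record parser it targets is hypothetical.
 *
 * Fuzz it:   clang -g -O1 -fsanitize=fuzzer,address record_fuzzer.c -o record_fuzzer
 *            ./record_fuzzer seeds/
 * Dry run:   cc -DSTANDALONE_DRIVER record_fuzzer.c -o record_driver && ./record_driver
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical code under test. Wire format:
 *   byte 0      magic 0xA5
 *   byte 1      payload length N (at most MAX_PAYLOAD)
 *   bytes 2..   N payload bytes
 */
#define RECORD_MAGIC 0xA5
#define MAX_PAYLOAD  64

struct record {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Returns the payload length on success, -1 on malformed input. The two
 * bounds checks are exactly the kind of thing a fuzzer finds missing:
 * declared length vs. bytes actually present, and declared length vs. the
 * fixed-size destination buffer. */
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2 || data[0] != RECORD_MAGIC)
        return -1;
    uint8_t n = data[1];
    if (n > MAX_PAYLOAD || (size_t)n + 2 > size)
        return -1;
    out->len = n;
    memcpy(out->payload, data + 2, n);
    return n;
}

/* Convenience wrapper: parse and report just the payload length (or -1). */
int parse_len(const uint8_t *data, size_t size)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return parse_record(data, size, &r);
}

/* Fuzzer entry point. libFuzzer calls this once per mutated input; it must
 * return 0 and must not crash, and ASan/UBSan report any memory error inside
 * the code under test. Plain C here, so no extern "C" is needed. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    memset(&r, 0, sizeof r);
    if (parse_record(data, size, &r) > 0) {
        /* Touch the result so the parse is not optimised away. */
        volatile uint8_t sink = r.payload[r.len - 1];
        (void)sink;
    }
    return 0;
}

/* Constructed seed corpus (not real traffic): one valid record, one with a bad
 * magic, one whose declared length overruns the input, and one whose declared
 * length exceeds MAX_PAYLOAD. Seeds like these go in the fuzzer's corpus
 * directory so libFuzzer starts from structurally interesting inputs. */
static const uint8_t seed_ok[]       = {0xA5, 0x03, 'a', 'b', 'c'};
static const uint8_t seed_badmagic[] = {0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t seed_overrun[]  = {0xA5, 0x10, 'a'};
static const uint8_t seed_toolong[]  = {0xA5, 0xFF, 'a'};

/* Runs every seed through the harness and returns how many the parser
 * accepted (1 of 4 for the corpus above), or -1 if the harness ever
 * breaks its contract of returning 0. */
int run_seed_corpus(void)
{
    const uint8_t *seeds[] = {seed_ok, seed_badmagic, seed_overrun, seed_toolong};
    const size_t sizes[] = {sizeof seed_ok, sizeof seed_badmagic,
                            sizeof seed_overrun, sizeof seed_toolong};
    int accepted = 0;
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++) {
        if (LLVMFuzzerTestOneInput(seeds[i], sizes[i]) != 0)
            return -1;
        if (parse_len(seeds[i], sizes[i]) >= 0)
            accepted++;
    }
    return accepted;
}

#ifdef STANDALONE_DRIVER
/* Only for the dry run: libFuzzer supplies main() in a real cc_fuzz build. */
int main(void)
{
    printf("seed inputs accepted by parser: %d of 4\n", run_seed_corpus());
    return 0;
}
#endif
```

Two practical points follow from this shape. First, the harness must not reject inputs itself: every byte string is a legitimate input, and the only question is whether the code under test survives it, which is why the entry point always returns 0 and why `parse_record`, not the harness, does the validation. Second, the dry-run driver is guarded by a macro because, in the Soong build described above, libFuzzer provides main(); a harness that defines its own main() will fail to link as a cc_fuzz target.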
Sent Yes
Tags Vulnerability Cloud


The article does not seem to have been picked up after its publication.


The article does not seem to be a follow-up to an earlier one.