
Fuzzing the COVESA/vsomeip library with AFL++


vsomeip-fuzzing

This repository hosts a fuzzing environment for a SOME/IP implementation developed by BMW AG.

In the automotive industry, the SOME/IP protocol is used for Ethernet-based communication. It is expected to gain further popularity, since self-driving cars record large amounts of data that need to be transmitted among sensors, actuators and control units in real time. A robust protocol implementation is key for secure and safe vehicle operation.

The following targets are implemented on their respective branches:

According to Wikipedia:

Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

Requirements

Developed and tested on the following setup:

  • macOS 10.15.5
  • vsomeip 3.1.14
  • boost 1.65.1
  • docker 2.3.0.3

Setup

Build the vsomeip library and the fuzzing target:

docker build -t vsomeip-fuzzing .

Run a detached container:

docker run -t -d --name vsomeip-fuzz vsomeip-fuzzing bash

Fuzzing

Perform a fuzz session for 10 seconds:

docker exec -it vsomeip-fuzz ../misc/runtime.sh -fuzz 10

Create a coverage report of the fuzz session:

docker exec -it vsomeip-fuzz ../misc/runtime.sh -report
docker cp vsomeip-fuzz:/src/vsomeip-fuzzing/build/afl_output .

Open afl_output/cov/web/src/vsomeip-fuzzing/index.html in a browser to review the coverage results.

Instrumentation

Before starting long fuzzing sessions, you might want to make sure that AFL++ actually catches crashes inside the vsomeip library. You can add the following code to vsomeip/implementation/logger/src/message.cpp; it deliberately dereferences a null pointer (a segmentation fault, which AFL++ records as a crash) whenever the fuzzed payload in buffer_ is equal to one of the items in vector v:

#ifdef CRASH_LIBRARY
// Needs <algorithm>, <string> and <vector> included in message.cpp.
// Only fatal-level log messages are checked, so normal logging is unaffected.
if (level_ == level_e::LL_FATAL) {
    std::vector<std::string> v = {"Hello", "hullo", "hell"};
    // buffer_.data_ holds the streamed log text; compare it with each marker.
    if (std::find(v.begin(), v.end(), buffer_.data_.str()) != v.end()) {
        *(int *)0 = 0; // crash: null pointers cannot be dereferenced to a value
    }
}
#endif

The crash can be triggered by streaming the fuzzed payload into VSOMEIP_FATAL via its << operator somewhere in fuzzing.cpp, so that the log message text becomes the fuzzed input:

#ifdef CRASH_LIBRARY
VSOMEIP_FATAL << str_payload;
#endif
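As an added example (not code from the vsomeip-fuzzing repository or from the vsomeip library), the following stand-alone C++ harness shows the two ideas of this section in one place: a fuzz target that reads one AFL++ test case from stdin and parses the fixed 16-byte SOME/IP header with explicit bounds checks, and an opt-in crash canary in the style of the CRASH_LIBRARY check above that aborts on a constructed marker payload so a short fuzz run can confirm that crashes are being recorded. The names SomeIpHeader, parse_someip_header, canary_matches and the CRASH_CANARY macro are assumptions made for this example; the header layout (message ID, length, request ID, protocol version, interface version, message type, return code, with the length field counting the bytes after itself) is the standard SOME/IP one.

```cpp
// Added example: minimal AFL++-style SOME/IP header harness with a crash canary.
// Not part of vsomeip or vsomeip-fuzzing; all names below are assumptions.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <iterator>
#include <vector>

struct SomeIpHeader {
    uint32_t message_id;
    uint32_t length;            // number of bytes following the length field
    uint32_t request_id;
    uint8_t protocol_version;
    uint8_t interface_version;
    uint8_t message_type;
    uint8_t return_code;
    size_t payload_size;        // length minus the 8 header bytes it covers
};

static uint32_t read_be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Returns false for any buffer that is not a well-formed SOME/IP message:
// too short for the header, a length field below the 8 bytes it must cover,
// a length field disagreeing with the bytes actually present, or an unknown
// protocol version. Every field access is preceded by a size check so the
// parser itself cannot read out of bounds on fuzzed input.
bool parse_someip_header(const std::vector<uint8_t> &buf, SomeIpHeader &h) {
    constexpr size_t kHeaderSize = 16;
    constexpr uint32_t kMinLength = 8;  // request id + four single-byte fields
    if (buf.size() < kHeaderSize) return false;
    h.message_id = read_be32(&buf[0]);
    h.length = read_be32(&buf[4]);
    h.request_id = read_be32(&buf[8]);
    h.protocol_version = buf[12];
    h.interface_version = buf[13];
    h.message_type = buf[14];
    h.return_code = buf[15];
    if (h.length < kMinLength) return false;
    // The length field must account exactly for the remaining bytes.
    if (h.length - kMinLength != buf.size() - kHeaderSize) return false;
    if (h.protocol_version != 0x01) return false;
    h.payload_size = h.length - kMinLength;
    return true;
}

// Crash canary: true when the payload equals the constructed marker "hell".
// Only used when the harness is built with -DCRASH_CANARY, mirroring the
// CRASH_LIBRARY check described above.
bool canary_matches(const SomeIpHeader &h, const std::vector<uint8_t> &buf) {
    static const std::vector<uint8_t> marker = {'h', 'e', 'l', 'l'};
    if (h.payload_size != marker.size()) return false;
    return std::equal(marker.begin(), marker.end(), buf.begin() + 16);
}

int main() {
    // AFL++ runs the target once per test case and feeds it on stdin.
    std::vector<uint8_t> input((std::istreambuf_iterator<char>(std::cin)),
                               std::istreambuf_iterator<char>());
    SomeIpHeader hdr{};
    if (!parse_someip_header(input, hdr)) return 0;  // rejected, not a crash
#ifdef CRASH_CANARY
    if (canary_matches(hdr, input)) std::abort();     // SIGABRT: AFL++ records a crash
#endif
    std::printf("message 0x%08x, %zu payload bytes\n",
                static_cast<unsigned>(hdr.message_id), hdr.payload_size);
    return 0;
}
```

Build it once with the canary enabled, seed the corpus with a valid 16-byte header plus a short payload, and a fuzz run of a few seconds should produce a crash entry; rebuild without -DCRASH_CANARY for the real session so only genuine defects in the parser under test are reported.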