Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/fuzzing/MFFA

Media Fuzzing Framework for Android
https://github.com/fuzzing/MFFA

Last synced: 28 days ago
JSON representation

Media Fuzzing Framework for Android

Awesome Lists containing this project

README 

        
# MFFA - Media Fuzzing Framework for Android (Stagefright fuzzer)



## Project overview



The main idea behind this project  is  to create corrupt  but structurally valid media files, direct them to the appropriate software components in Android to  be  decoded  and/or  played  and  monitor  the  system  for  potential  issues  (i.e  system crashes) that may lead to exploitable vulnerabilities. Custom developed Python scripts are used to send the malformed data across a distributed  infrastructure  of  Android  devices,  log  the  findings  and  monitor  for  possible issues, in an automated manner. The actual decoding of the media files on the Android devices is done using the Stagefright command line interface. The results  are sorted out, in an attempt to find only the unique issues, using a custom built triage mechanism.



### System and device configuration



The tool has been developed to be used inside a Linux environment.



For the device(s) under test the main problem is including the stagefright command line tool in the Android image that will be flashed on the device(s) or simply building the stagefright module and pushing it to the device.



There are three alternatives for achieving this goal:



 1. if you are building an Android engineering image, you can directly modify the Android.mk file corresponding to the stagefright module. For that you need to go to frameworks/av/cmds/stagefright/ and edit the Android.mk file by looking for the LOCAL_MODULE:=stagefright entry and modifying its corresponding LOCAL_MODULE_TAGS entry from optional to eng. Note that this will NOT work if you are trying to build an user or userdebug Android image.

```

    #LOCAL_MODULE_TAGS := optional

    LOCAL_MODULE_TAGS := eng

    LOCAL_MODULE:= stagefright

```



 2. the second alternative is to go to device// and modify the device.mk file by adding the stagefright module to the PRODUCT_PACKAGES entry

```

    PRODUCT_PACKAGES += \

        stagefright

```



 3. Another alternative, and the most straight-forward that doesn't require building the entire image would be to go to the stagefright directory inside the Android tree (frameworks/av/cmds/stagefright) and build only the stagefright module using:

```

	mma (or alternatively)

	mma -B

```

### Tool configuration



Before starting the actual fuzzing campaign there are several configuration files that need to be taken care of:



1. Firstly, you need to manually run adb devices > devices.txt to populate the devices.txt config file with the ids of the Android devices that will be used during testing

2. Secondly, you need to write the batches.txt so that it contains the list of the directories containing the fuzzed input media files 



### Running a fuzzing campaign



Having configured these two files you can start the fuzzing campaign by issuing the following command:



```

 python test.py stagefright   

     the media batches tested are audio or video files

     in case of audio testing, try to also test the playback functionality of the framework or not

           in case you stop the fuzzing campaign at a certain index, you can restart from that certain point (for new campaigns use 0)

```



During the fuzzing process, a separate log will be created for each device in the testing infrastructure. The logs are updated real-time so you can check out partial results during the actual testing.



### Running a bug triage campaign



The triage mechanism will take the generated logs from the actual fuzzing phase, identify the crashing test cases, resend them to the devices, check if the issues have been encountered before and store the unique bugs. Before starting the actual triage process, you need to copy the generated logs to the root directory of the triage scripts. Also you need to populate the logs.txt config file with the file names of the logs, one per each line.



To start the triage process you need to issue the following command:



```



python triage.py  

     - type of signal to look out for

                   - the media batches that were tested are audio or video files

```



### Some results - vulnerabilities discovered



- Multiple integer overflows in Stagefright code (libstagefright SampleTable):



	- CVE-2014-7915 



	- CVE-2014-7916 



	- CVE-2014-7917



- A crafted MPEG4 media file can result in heap corruption in libstagefright, that can lead to arbitrary code execution in the mediaserver process:



	- CVE-2015-3832



### Papers, presentations



Android Builders Summit, March 2015 - http://events.linuxfoundation.org/sites/events/files/slides/ABS2015.pdf 



#### Notice



This software is a prototype and it was developed in a specific environment. Don't expect everything to work out of the box.