Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/m-y-mo/android_nfc_fuzzer


https://github.com/m-y-mo/android_nfc_fuzzer

Last synced: about 1 month ago
JSON representation

Awesome Lists containing this project

README 

        
# Android NFC fuzzer



## Introduction



This is a fuzzer that uses libprotobuf-mutator to fuzz the NFC module on an Android device. This can be used on supported Google phones such as Pixel3 and Pixel4. It has been tested on Pixel3a. Currently the NFC forum type 2 tag is implemented.



DISCLAIMER: As using the fuzzer requires OEM unlocking of the device and flashing custom OS. There is a chance of data loss or bricking the device (which may require factory restore). It is recommended that a dedicated research device is used for the purpose and any consequences is at the user's own risk. The author is not liable for any data loss, damage to devices or compromised in security when following these steps. Fuzzing corpus is also considered as trusted input and the author is not liable for any security compromise resulting from using untrusted corpus and would not consider memory corruption bugs in corpus parsing code security bugs. The fuzzer is offer on an AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.



## Set up instructions



The idea is to modify nfc system library, libnfc-nci.so to create fuzz harnesses and feed it with inputs generated by libprotobuf-mutator. As I do not seem to be able to fuzz with libprotobuf-mutator as a standalone library, the fuzzer needs to include a local copy of the source code of libprotobuf-mutator and compile it together. The directories `src` and `port` under `tools` are the same directories from libprotobuf-mutator. These correspond to commit `9eaf063` of libprotobuf-mutator in the aosp source tree. The reason for using a cached version is that newer versions seem to have introduced some changes which causes the following failure when fuzzing:



```

/usr/local/google/buildbot/src/android/llvm-toolchain/out/llvm-project/compiler-rt/lib/fuzzer/FuzzerMutate.cpp:510: size_t fuzzer::MutationDispatcher::MutateImpl(uint8_t *, size_t, size_t, Vector &): assertion "MaxSize > 0" failed

```



First follow the instructions [here](https://source.android.com/setup/build/downloading) to obtain a copy of the aosp and initialize it with the master branch.



```

mkdir AOSP_ROOT

cd AOSP_ROOT

repo init -u https://android.googlesource.com/platform/manifest

repo sync -qc -j$(nproc)

```



Then obtain the proprietary binaries for your device following instructions [here](https://source.android.com/setup/build/downloading), under the "Obtain proprietary binary" section.



## Build and run the fuzzer



### Building the fuzzer



Next set up the build environment and select the product and variant (See instructions [here](https://source.android.com/setup/build/building)):



```

cd AOSP_ROOT

source build/envsetup.sh

lunch -

```



For example, environment for a Pixel3a will be



```

cd AOSP_ROOT

source build/envsetup.sh

lunch aosp_sargo-userdebug

```



For fuzzing, it is not necessary to build the entire aosp, which will save time and disk space.



In order to compile the protobuf for fuzzing, `aprotoc` needs to be built:



```

make -j($nproc) aprotoc

```



After that, run the `patch.sh` script in this repository's root directory with the aosp root directory as argument, to patch the nfc library code, and to include the fuzzers in the `system/nfc` directory (The patch should merges cleanly with commit `@cfccaaf` for `system/nfc` and commit `@6645f5c` for `external/protobuf` in the aosp source tree):



```

./patch.sh AOSP_ROOT

```



at this point, a directory called `tools` will be copied to the `system/nfc` directory in the AOSP checkout. This directory contains the fuzzers, as well as tools for generating coverage and debugging.



Then compile the protobuf definitions for fuzzing:



```

./generate_proto.sh AOSP_ROOT

```



Following the build instructions from [here](https://source.android.com/devices/tech/debug/libfuzzer) to build the fuzzer. The available targets can be found in the `tools/Android.bp`, with targets of type `cc_fuzz`. For example, to build the `t2t_detect_fuzzer`, run:



```

SANITIZE_TARGET=address make -j$(nproc) t2t_detect_fuzzer

```



### Running it on device



To run the fuzzer on device, the [Android flash tool](https://source.android.com/setup/contribute/flash) can be used. This is a very convenient web service that flashes the latest master build on a device. This avoids the need to build the entire aosp locally. Note that to use the service, OEM needs to be unlock and may also wipe all the user data, so it is recommended to use a dedicated research device for such purpose. These are tested on Android master branch with build number 6331282.



To use the Android flash tool, `adb` and `fastboot` needs to be installed. These can either be built from the aosp checkout, or install via apt:



```

make -j($nproc) adb

make -j($nproc) fastboot

```



Note also that `fastboot` also requires extra configurations, see [here](https://stackoverflow.com/questions/27017453/fastboot-and-adb-not-working-with-sudo/28127944#28127944) for some details.



After that, the fuzzer can be copied to the device for fuzzing:



```

adb root

adb sync data

```



If `adb sync data` failed, the same can be achieved by just copying the `data/fuzz` directory in the `out/target/product/` directory:



```

adb push AOSP_ROOT/out/target/product//data/fuzz /data

```



This is now ready for fuzzing on the device:



```

adb shell 

sargo:/ # ASAN_OPTIONS=detect_container_overflow=0 /data/fuzz/arm64/t2t_detect_fuzzer/t2t_detect_fuzzer /data/fuzz/arm64/t2t_detect_fuzzer/corpus

```

The `detect_container_overflow` option may be required as protobuf is not compiled with asan and will cause `container_overflow` FP when fuzzing.