
feat: add fuzzing harness and infrastructure #442


Merged: 1 commit, Apr 1, 2025

Conversation

mirkobitetto (Contributor) commented Mar 26, 2025

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

New Feature Submissions:

  • Does your submission pass tests?

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?

🔍 What This PR Does

This PR introduces native fuzz testing support to CryptoLib. The implementation is designed to help uncover memory safety issues and logic bugs across core security-related APIs. This is in response to Issue #369.


🧪 Included in This PR

  • A fuzzing harness (fuzz_harness.c) based on LLVMFuzzerTestOneInput, targeting 7 critical API functions:
    • Crypto_TC_ApplySecurity
    • Crypto_TC_ProcessSecurity
    • Crypto_TM_ApplySecurity
    • Crypto_TM_ProcessSecurity
    • Crypto_AOS_ApplySecurity
    • Crypto_AOS_ProcessSecurity
    • Crypto_TC_Parse_Check_FECF
  • Persistent mode support with a reset_cryptolib() to ensure state isolation per fuzz iteration.
  • Corpus generation script (generate_corpus.py) to seed fuzzing campaigns with protocol-valid frames across TC, TM, and AOS.
  • Multithreaded fuzzing launcher (run-fuzz-multithreaded.sh) using AFL++ best practices:
    • CMPLOG, ASAN, LAF-Intel (CompCov), MOpt, and custom power schedules
    • Parallelized with screen sessions
    • Periodic status reports using afl-whatsup
  • Build script (build-fuzz.sh) compiling 4 fuzz-targeted instrumented builds:
    • Default, AddressSanitizer, CMPLOG, and CompCov
    • Optional performance-optimized builds with -march=native, AVX2/FMA, -flto, etc.
  • CMake integration via ENABLE_FUZZING toggle.


🧪 How to Test These Changes

  1. Install AFL++.
  2. Run the build script:
    cd fuzz/scripts
    ./build-fuzz.sh
  3. Generate corpus:
    cd ../
    python generate_corpus.py
  4. Launch multi-core fuzzing:
    ./scripts/run-fuzz-multithreaded.sh
  5. Monitor progress with:
    screen -ls
    screen -r afl_main
    afl-whatsup -s output/

📌 Additional Notes

  • The fuzzing corpus currently uses a basic randomized generator. There is room for future enhancement using protocol-aware or coverage-guided corpus generation techniques.

  • This was developed as part of my master’s thesis, which focuses on evaluating the security of open-source software for satellite systems. Although designed as a PoC, it has reached ~78% code coverage and already helped uncover multiple vulnerabilities (CVE-2025-29909, CVE-2025-29910, CVE-2025-29911, CVE-2025-29912, CVE-2025-29913).

  • The implementation needs some improvements to be extended or integrated into a CI/CD pipeline with further performance and coverage optimizations.
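As an added illustration (not code from this PR, and not CryptoLib's own), the following C harness shows the structure the description above relies on: the first input byte selects one of several targets, and all shared state is reset before every iteration so persistent-mode runs stay independent of each other. Everything in it is a constructed stand-in: the two targets are not CryptoLib's Crypto_TC_*/Crypto_TM_* APIs, `reset_state()` is not its `reset_cryptolib()`, and the global struct is not its real state. The FECF target uses CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), which is the CCSDS frame error control field algorithm; the header target assumes the CCSDS TC convention of a 10-bit length field holding total octets minus one, which is an assumption of this example rather than something the PR states.

```c
/* Added example harness (constructed stand-ins, not CryptoLib code).
 * Shape: selector byte -> target, state reset per iteration, always return 0. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for library-global state that leaks across
 * iterations unless explicitly cleared (the role reset_cryptolib() plays). */
static struct {
    int initialized;
    uint32_t frames_seen;
} g_state;

/* Stand-in for reset_cryptolib(): wipe every cross-iteration value. */
void reset_state(void)
{
    memset(&g_state, 0, sizeof g_state);
    g_state.initialized = 1;
}

/* Exposed so a test can observe that the reset actually happened. */
uint32_t frames_seen_count(void)
{
    return g_state.frames_seen;
}

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no xor-out.
 * This is the CCSDS FECF algorithm; check value for "123456789" is 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Stand-in target 1 (FECF check): the last two bytes must equal the CRC of
 * everything before them. Returns 1 on match, 0 otherwise; inputs shorter
 * than one data byte plus the 2-byte FECF are rejected before any read. */
int target_check_fecf(const uint8_t *frame, size_t len)
{
    if (len < 3) return 0;
    uint16_t want = (uint16_t)(((uint16_t)frame[len - 2] << 8) | frame[len - 1]);
    return crc16_ccitt(frame, len - 2) == want;
}

/* Stand-in target 2 (header parse): 5-byte header, 10-bit length field in
 * the low 2 bits of byte 2 plus byte 3, encoded as total octets - 1
 * (assumed CCSDS TC convention). Returns 1 when the declared length matches
 * the buffer actually handed in, 0 otherwise. Every read is bounds-checked. */
int target_parse_header(const uint8_t *frame, size_t len)
{
    if (len < 5) return 0;
    size_t declared = (size_t)(((frame[2] & 0x03u) << 8) | frame[3]) + 1;
    g_state.frames_seen++;
    return declared == len;
}

#define NUM_TARGETS 2

/* libFuzzer-style entry point; libFuzzer and AFL++'s libFuzzer-compatible
 * driver both call this once per input. Byte 0 picks the target, the rest is
 * the frame. Returning 0 keeps every input in the run (non-zero would abort). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size < 1) return 0;
    reset_state();                         /* state isolation per iteration */
    uint8_t selector = (uint8_t)(data[0] % NUM_TARGETS);
    const uint8_t *frame = data + 1;
    size_t flen = size - 1;
    switch (selector) {
    case 0: (void)target_check_fecf(frame, flen);   break;
    case 1: (void)target_parse_header(frame, flen); break;
    }
    return 0;
}
```

With libFuzzer this builds as `clang -g -fsanitize=fuzzer,address harness.c -o harness` and runs as `./harness corpus/`; with AFL++ the same entry point is linked through its libFuzzer-compatible driver and driven by afl-fuzz in persistent mode. Because `reset_state()` runs before each target, a crash found in iteration N is reproducible from input N alone, which is what makes persistent mode usable for triage.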

Donnie-Ice (Collaborator):

Got it running on my side!
[image: screenshot attached]

codecov-commenter commented Mar 26, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.79%. Comparing base (14ee573) to head (137420c).
Report is 147 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev     #442      +/-   ##
==========================================
- Coverage   75.97%   75.79%   -0.19%     
==========================================
  Files          81       80       -1     
  Lines       22263    22812     +549     
  Branches     1807     1845      +38     
==========================================
+ Hits        16914    17290     +376     
- Misses       4707     4850     +143     
- Partials      642      672      +30     


mirkobitetto (Contributor, Author):

While testing the fuzzing integration this morning before opening the PR, I identified a new potential vulnerability. I’ve already reported it through NASA’s Bugcrowd.

Let me know if you'd also like me to open a GitHub Security Advisory for it, to keep tracking consistent across platforms.

Donnie-Ice (Collaborator):

I don't believe any of us have access to that. If it is easy to transfer to a security advisory, I would greatly appreciate being able to get a head start on a fix!

jlucas9 changed the base branch from dev to cryptolib#369-fuzz on April 1, 2025 12:19

jlucas9 (Collaborator) commented Apr 1, 2025

Merging into cryptolib#369-fuzz to update the dockerfile and get AFL++ included for this!

jlucas9 merged commit 7c5fd2c into nasa:cryptolib#369-fuzz on Apr 1, 2025
12 checks passed