This repository hosts a fuzzing environment for a SOME/IP implementation developed by BMW AG.
In the automotive industry, the SOME/IP protocol is used for Ethernet-based communication. It will gain in popularity in the future, since self-driving cars record large amounts of data which needs to be transmitted among sensors, actuators and control units in real-time. A robust protocol implementation is key for secure and safe vehicle operation.
The following targets are implemented on the respective branches:
- master / feature-demo-afl: Software fuzzing using AFL++
- feature-demo-someip: Network fuzzing using someip-protocol-fuzzer
According to Wikipedia:
Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.
Developed and tested on the following setup:
- macOS 10.15.5
- vsomeip 3.1.14
- boost 1.65.1
- docker 2.3.0.3
Build the vsomeip library and the fuzzing target:
docker build -t vsomeip-fuzzing .
Run a detached container:
docker run -t -d --name vsomeip-fuzz vsomeip-fuzzing bash
Perform a fuzz session for 10 seconds:
docker exec -it vsomeip-fuzz ../misc/runtime.sh -fuzz 10
Create a coverage report of the fuzz session:
docker exec -it vsomeip-fuzz ../misc/runtime.sh -report
docker cp vsomeip-fuzz:/src/vsomeip-fuzzing/build/afl_output .
Open afl_output/cov/web/src/vsomeip-fuzzing/index.html and review the coverage results.
You might want to make sure that AFL++ catches crashes in the vsomeip library prior to long fuzzing sessions.
You can add the following code to vsomeip/implementation/logger/src/message.cpp. It causes a null pointer dereference (a crash) whenever the fuzzed payload in buffer_ is equal to one of the strings in vector v:
#ifdef CRASH_LIBRARY
// Canary: only react to messages logged at fatal level, where the harness
// streams the fuzzed payload. Needs <algorithm>, <string> and <vector>,
// and must sit where level_ and buffer_ are in scope.
if (level_ == level_e::LL_FATAL) {
    std::vector<std::string> v = {"Hello", "hullo", "hell"};
    // buffer_.data_ holds exactly what was streamed via operator<<
    if (std::find(v.begin(), v.end(), buffer_.data_.str()) != v.end()) {
        *(int *)0 = 0; // deliberate crash: write through a null pointer (SIGSEGV), which AFL++ must report
    }
}
#endif
The crash can be triggered by streaming the fuzzed payload into VSOMEIP_FATAL via its << operator somewhere in fuzzing.cpp:
#ifdef CRASH_LIBRARY
VSOMEIP_FATAL << str_payload;
#endif
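As an added example that is not part of this repository: a POSIX shell check to run on the afl_output directory copied out with docker cp after a short -fuzz session built with CRASH_LIBRARY defined. It confirms that AFL++ saved at least one crash and that each crashing input contains one of the canary strings from message.cpp. It assumes AFL++'s default output layout (crash inputs stored as files in a crashes/ subdirectory next to README.txt) and that the harness hands the input file's bytes to VSOMEIP_FATAL, so a canary string appears verbatim in the saved file.

```shell
#!/bin/sh
# Sanity check for the CRASH_LIBRARY canary (added example, not repository code).
# Assumptions: AFL++ default layout (<afl_output>/<instance>/crashes/id:...)
# and crash files containing the fuzzed payload verbatim.

# The strings the canary in message.cpp compares the payload against.
CANARIES="Hello hullo hell"

# Print the paths of crash inputs saved by AFL++.
# README.txt is AFL++'s explanatory file, not a test case, so it is skipped.
# AFL++ crash file names contain no whitespace, so word splitting below is safe.
list_crashes() {
    find "$1" -path '*/crashes/*' -type f ! -name 'README.txt' 2>/dev/null
}

# Return 0 if the file contains any canary string as a fixed substring, 1 otherwise.
has_canary() {
    for c in $CANARIES; do
        grep -q -F -- "$c" "$1" && return 0
    done
    return 1
}

# Return 0 when the check passes: at least one crash exists and every crash
# file matches a canary. Return 1 if no crash was recorded at all (AFL++ did
# not catch the canary), and 2 if a crash was recorded that matches no canary
# (a real finding or a harness problem; inspect it by hand).
check_canary_crashes() {
    crashes=$(list_crashes "$1")
    [ -n "$crashes" ] || { echo "no crashes recorded under $1" >&2; return 1; }
    status=0
    for f in $crashes; do
        if has_canary "$f"; then
            echo "canary crash: $f"
        else
            echo "unexplained crash (no canary string): $f" >&2
            status=2
        fi
    done
    return $status
}
```

Typical use after the README's docker cp step: `check_canary_crashes ./afl_output`; a non-zero status means the short session did not behave as the canary predicts.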