Status

()

Core
Security: Process Sandboxing
9 months ago
5 months ago

People

(Reporter: hchang, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: sb+)

(Reporter)

Description

9 months ago
Unlike what we already for low level IPC fuzzing, we would like to do fuzzing more IPDL-aware. In other words, we'd like to find vulnerable in the "handler" layer. (The handler is typically like PFooProtocolChild::RecvBarMessage() for PFooProtocol.barMessage)

Updated

9 months ago
Whiteboard: sb+
(Reporter)

Comment 1

9 months ago
https://github.com/elefant/gecko-dev/tree/ipdl-fuzzing/toolkit/ipdl_fuzzing

I have been prototyping the ipdl fuzzer in the above branch since the end
of this March. This current baby fuzzer consists of 

1) A hook (window.alert) to trigger fuzzing (only for testing for sure lol)

https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/dom/base/nsGlobalWindow.cpp#L7414

2) 3 fuzzers (for PHttpChannel/PCameras/PBrowser) are in place. 
   Most of their to-parent messages are covered.

https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/HttpChannelFuzzer.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/HttpChannelFuzzer.cpp
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/CamerasFuzzer.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/CamerasFuzzer.cpp
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/PBrowserFuzzer.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/PBrowserFuzzer.cpp


3) Tons of FuzzTraits for those types which are required for those 3 fuzzers.
   Note that those FuzzTraits are only capable of generating random data.
   They are supposed to be able to mutate the given objects.

https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsPrimitives.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsCommon.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsNeckoChannelParams.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsPCameras.h
https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsPBrowser.h

I don't know the how far this project could go but I would expect at least

1) A client (in whatever form) to trigger/manipulate the fuzzing.
2) More fuzzers (either by hand-wring or codegen)
3) More FuzzTraits
4) Record the fuzzing trace for replay/reproduce purpose.
(Reporter)

Updated

9 months ago
Assignee: nobody → hchang
Blocks: 1320851
Summary: IPDL fuzzing → IPDL protocol fuzzing
(Reporter)

Updated

5 months ago
Assignee: hchang → nobody
You need to log in before you can comment on or make changes to this bug.