Implement fuzz testing

This commit implements fuzz testing through libFuzzer and the framework around it
to continuously run the fuzzer in a Docker container, along with a service that
checks for updates on the repo.
The service builds the Docker image and launches the fuzzer, after which it waits
for any update to the service. Given that the fuzzing corpus will remain in-place,
whenever fuzzing is restarted for another service version, it will take off from the
already existing cases.
The Docker image has all the required components to run all the current providers -
Mbed, PKCS11 and TPM - and to continuously fuzz the service through a stub version of
the frontend handler. If a crash is detected, the fuzzer will notify the team and
continue fuzzing.

Signed-off-by: Ionut Mihalcea <[email protected]>

Author: ionut-arm

.gitignore

@@ -4,3 +4,5 @@
 tags
 *DS_Store
 *.patch
+mappings/
+NVChip

Cargo.lock

@@ -30,6 +30,7 @@ tss-esapi = { version = "2.0.0", optional = true }
 bincode = "1.1.4"
 structopt = "0.3.5"
 derivative = "1.0.3"
+arbitrary = { version = "0.4.0", features = ["derive"], optional = true }
 
 [dev-dependencies]
 parsec-client-test = { git = "https://github.com/parallaxsecond/parsec-client-test", tag = "0.1.13" }

Cargo.toml

@@ -104,6 +104,10 @@ This project uses the following third party crates:
 * bincode (MIT)
 * structopt (MIT and Apache-2.0)
 * derivative (MIT and Apache-2.0)
+* arbitrary (MIT and Apache-2.0)
+* libfuzzer-sys (MIT, Apache-2.0 and NCSA)
+* flexi_logger (MIT and Apache-2.0)
+* lazy_static (MIT and Apache-2.0)
 
 This project uses the following third party libraries:
 * [Mbed Crypto](https://github.com/ARMmbed/mbed-crypto) (Apache-2.0)

README.md

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+# ------------------------------------------------------------------------------
+# Copyright (c) 2020, Arm Limited, All Rights Reserved
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#          http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+
+FUZZ_CONTAINER_NAME=parsec_fuzzer
+CLEANUP_CONTAINER_NAME=parsec_fuzzer_cleanup
+
+set -e
+
+if [[ "$1" == "run" ]]
+then
+    # Set up fuzz folder
+    docker run --rm -v $(pwd):/parsec -w /parsec/fuzz --name $CLEANUP_CONTAINER_NAME parsec/fuzz ./cleanup.sh
+    # A copy of the config file is used because the file is modified during the run
+    cp fuzz/config.toml fuzz/run_config.toml
+
+    # Build Docker image
+    docker build fuzz/docker -t parsec/fuzz
+
+    # Stop previous container and run fuzzer
+    docker kill $FUZZ_CONTAINER_NAME || true
+    sleep 5s
+    docker run -d --rm -v $(pwd):/parsec -w /parsec/fuzz --name $FUZZ_CONTAINER_NAME parsec/fuzz ./run_fuzz.sh
+elif [[ "$1" == "stop" ]]
+then
+    docker kill $FUZZ_CONTAINER_NAME
+elif [[ "$1" == "follow" ]]
+then
+    docker logs -f --tail 100 $FUZZ_CONTAINER_NAME
+elif [[ "$1" == "clean" ]]
+then
+    # Cleanup is done via Docker because on some systems ACL settings prevent the user who
+    # created a container from removing the files created by said container. Another one
+    # is needed to do the cleanup.
+    docker run -d --rm -v $(pwd):/parsec -w /parsec/fuzz --name $CLEANUP_CONTAINER_NAME parsec/fuzz ./cleanup.sh
+elif [[ "$1" == "erase" ]]
+then
+    docker run -d --rm -v $(pwd):/parsec -w /parsec/fuzz -e "ERASE=true" --name $CLEANUP_CONTAINER_NAME parsec/fuzz ./cleanup.sh
+else
+    echo "usage: ./fuzz.sh [COMMAND]
+
+Commands:
+'run'       - builds the fuzzing container and runs the fuzzer
+'stop'      - stops the fuzzing container
+'follow'    - prints and follows the log output of the fuzzing container
+'clean'     - clean up the fuzzing environment (does not remove artifacts or the fuzz corpus)
+'erase'     - fully clean the fuzzing environment - WARNING: this will remove all the results of previous runs"
+fi

fuzz.sh

@@ -0,0 +1,7 @@
+
+target
+corpus
+artifacts
+*.log
+run_config.toml
+NVChip