Refactor the example project

- add explore_me with both simple and complex conditions
- add the automotive example into own directory
- improve the README.md

Author: kyakdan

.gitignore

@@ -1,3 +1,7 @@
 build
 .vscode
-.idea
+.idea
+cmake-build-debug
+
+/**/.cifuzz-*
+/**/*fuzzer_inputs

CMakeLists.txt

@@ -1,18 +1,18 @@
-cmake_minimum_required(VERSION 3.10)
+cmake_minimum_required(VERSION 3.16)
 
-project(AUTOMOTIVE-FUZZING-EXAMPLE)
+project(cpp-demo)
 
-add_library(AUTOMOTIVE-FUZZING-EXAMPLE
-    modules/crypto_module/src/crypto_module_1.c
-    modules/crypto_module/src/crypto_module_2.c
-    modules/time_module/src/time_module_1.c
-    modules/GPS_module/src/GPS_module_1.c
-    modules/key_management_module/src/key_management_module_1.c
-)
+# Export compilation database
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
-target_include_directories(AUTOMOTIVE-FUZZING-EXAMPLE PRIVATE
-    modules/crypto_module/src
-    modules/time_module/src
-    modules/key_management_module/src
-    modules/GPS_module/src
-)
+set(CMAKE_CXX_STANDARD 14)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
+# External dependencies
+set(CMAKE_MODULE_PATH ${PROJECT_SOURCE_DIR}/cmake/external)
+
+enable_testing()
+include(googletest)
+
+add_subdirectory(src/explore_me)
+add_subdirectory(src/automotive)

README.md

@@ -1,49 +1,29 @@
-# automotive-fuzzing-example
-For the demo:
-- Initialize Project
-- Create fuzz test for a function
-- To compile it the "extern" functions need to be implemented for this use the scripts in fuzzing/auto-mock-fuzz:
-- ```python3 gen_template.py /path_to_project/automotive-fuzzing-example/modules/*/src/*.c /path_to_project/automotive-fuzzing-example/modules/*/src/*.h```
-- This will create two excel sheets. The Sheet called testgen_mocks.xlsx will contain information about the functions that are declared as extern
-- Fill in the excel sheet like this:
-
-| int GPS_driver_obtain_current_position(uint8_t * position_as_bytes, uint8_t * hmac_as_bytes)                              | return: RETURN_INT(int)     | position_as_bytes: WRITE_BYTES(12) | hmac_as_bytes: WRITE_BYTES(64) |                        |                       |
-|---------------------------------------------------------------------------------------------------------------------------|-----------------------------|------------------------------------|--------------------------------|------------------------|-----------------------|
-| int third_party_library_calc_hmac(uint8_t * const message, int len, char * const key, char * const nonce, uint8_t * hmac) | return: RETURN_INT(int)     | message: WRITE_BYTES(len)          | key: WRITE_BYTES(64)           | nonce: WRITE_BYTES(64) | hmac: WRITE_BYTES(64) |
-| uint8_t HSM_get_random_byte()                                                                                             | return: RETURN_INT(uint8_t) |                                    |                                |                        |                       |
-| int driver_get_current_time()                                                                                             | return: RETURN_INT(int)     |                                    |                                |                        |                       |
-- Run the second script to generate the mocking library from this: 
-- ```python3 gen_tests.py mocklib gen_template/testgen_mocks.xlsx ../mocks```
-- This creates mocklib.h and mocklib.cpp in fuzzing/mocks
-- Add the mocklib.cpp to the compiler options and also add the include path fuzzing/mocks
-- In the fuzztest you need to create a FuzzedDataProvider object and give a pointer to it to the mocking library. Add the following to the beginning of the FUZZ function:  
-```FuzzedDataProvider fuzz_data(Data, Size);```  
-```mocklib_set_data(&fuzz_data);```
-- You also need to include the FuzzedDataProvider.h and mocklib.h in the fuzztest
-- Now the fuzz test can run
-- To create a fuzz test for all the functions fill in the excel sheet testgen_functions.xlsx like this:  
-
-| enum crypto_return_status crypto_calculate_hmac(const uint8_t * message, int len, crypto_hmac * hmac) | message: ARG_DATA()                    | len: ARG_SIZE()    | hmac: ARG_STRUCT_PTR(crypto_hmac) |   |
-|-------------------------------------------------------------------------------------------------------|----------------------------------------|--------------------|-----------------------------------|---|
-| enum crypto_return_status crypto_set_key(crypto_key key)                                              | key: ARG_STRUCT(crypto_key)            |                    |                                   |   |
-| enum crypto_return_status crypto_set_nonce(crypto_nonce nonce)                                        | nonce: ARG_STRUCT(crypto_nonce)        |                    |                                   |   |
-| enum crypto_return_status crypto_verify_hmac(const uint8_t * message, int len, crypto_hmac * hmac)    | message: ARG_DATA()                    | len: ARG_SIZE()    | hmac: ARG_STRUCT_PTR(crypto_hmac) |   |
-| enum crypto_return_status crypto_verify_key(crypto_key key)                                           | key: ARG_STRUCT(crypto_key)            |                    |                                   |   |
-| enum crypto_return_status crypto_verify_nonce(crypto_nonce * nonce)                                   | nonce: ARG_STRUCT_PTR(crypto_nonce)    |                    |                                   |   |
-| uint8_t * generate_random_bytes(uint8_t * buffer, uint8_t length)                                     | buffer: ARG_DATA()                     | length: ARG_SIZE() |                                   |   |
-| enum GPS_return_status get_current_position(GPS_position * position)                                  | position: ARG_STRUCT_PTR(GPS_position) |                    |                                   |   |
-| void key_management_create_key(uint8_t * key, uint8_t length)                                         | key: ARG_DATA()                        | length: ARG_SIZE() |                                   |   |
-| void key_management_create_nonce(uint8_t * nonce, uint8_t length)                                     | nonce: ARG_DATA()                      | length: ARG_SIZE() |                                   |   |
-| enum GPS_return_status set_destination_postition(GPS_position position)                               | position: ARG_STRUCT(GPS_position)     |                    |                                   |   |
-| enum crypto_state crypto_get_state()                                                                  |                                        |                    |                                   |   |
-| void crypto_init()                                                                                    |                                        |                    |                                   |   |
-| GPS_position get_destination_position()                                                               |                                        |                    |                                   |   |
-| enum GPS_return_status init_crypto_module()                                                           |                                        |                    |                                   |   |
-| int time_current_time()                                                                               |                                        |                    |                                   |   |
-- Then generate the fuzz test with the following command:
-- ```python3 gen_tests.py fuzztests gen_template/testgen_functions.xlsx .```  
-- This will create a file fuzztest.c. Copy its content to your own fuzztest
-- Include crypto_module_types.h and GPS_module_types.h in the fuzztest
-- Run the fuzztest
+<a href="https://www.code-intelligence.com/">
+<img src="https://www.code-intelligence.com/hubfs/Logos/CI%20Logos/Logo_quer_white.png" alt="Code Intelligence logo" width="450px">
+</a>
 
+# Testing C/C++ for Security and Reliability
+Building robust C/C++ applications is a highly challenging endeavor that requires thorough testing.
+While C/C++ enables us to write high-performance code, the memory-unsafety nature of the language
+brings a broad spectrum of security risks. Memory corruption issues constitute the vast majority of
+bugs and security vulnerabilities found in C/C++ projects, and their impact is best demonstrated by the
+[Heartbleed](https://en.wikipedia.org/wiki/Heartbleed) bug on OpenSSL.
+Regular unit and integration tests are essential to test that our code functions correctly,
+they are not enough to uncover memory-corruption bugs.
+On the other hand, fuzz testing has established itself as the best practical method to find these
+issues in large code bases such as Google Chrome.
 
+In this example, we demonstrate how you can use CI Fuzz to integrate fuzz testing into your 
+C/C++ projects. The example project uses [CMake](https://cmake.org/) as the build system and contains
+the following three use cases:
+* [Simple Checks Example](src/explore_me/explore_me.cpp#L10): 
+A simple example that triggers a buffer over when the input parameters satisfy certain criteria.
+We show that CI Fuzz can quickly generate a test case that trigger this bug.
+* [Complex Checks Example](src/explore_me/explore_me.cpp#L22):
+A more complex example that triggers a use-after-free bug when the input parameters satisfy 
+certain criteria. In this example, the checks are more complex and involve Base64 encoding 
+and XORing with constant value, making it more challenging to find the correct combination of
+input parameters that trigger the bug.
+* [Automotive Example](src/automotive):
+An example that demonstrates the challenges of creating high-quality fuzz tests for complex 
+projects with a large public API. We demonstrate how we can automate most of this task with CI Spark.

cmake/external/googletest.cmake

@@ -0,0 +1,43 @@
+set(GTEST_TARGET external.googletest)
+set(GTEST_INSTALL_DIR ${CMAKE_CURRENT_BINARY_DIR}/${GTEST_TARGET})
+
+set(GTEST_INCLUDE_DIRS ${GTEST_INSTALL_DIR}/include)
+include_directories(${GTEST_INCLUDE_DIRS})
+
+set(GTEST_LIBRARIES gtest gmock)
+set(GTEST_MAIN_LIBRARIES gtest_main)
+set(GTEST_BOTH_LIBRARIES ${GTEST_LIBRARIES} ${GTEST_MAIN_LIBRARIES})
+
+foreach(lib IN LISTS GTEST_BOTH_LIBRARIES)
+  if (MSVC)
+    if (CMAKE_BUILD_TYPE MATCHES Debug)
+      set(LIB_PATH ${GTEST_INSTALL_DIR}/lib/${lib}d.lib)
+    else()
+      set(LIB_PATH ${GTEST_INSTALL_DIR}/lib/${lib}.lib)
+    endif()
+  else()
+    set(LIB_PATH ${GTEST_INSTALL_DIR}/lib/lib${lib}.a)
+  endif()
+  list(APPEND GTEST_BUILD_BYPRODUCTS ${LIB_PATH})
+
+  add_library(${lib} STATIC IMPORTED)
+  set_property(TARGET ${lib} PROPERTY IMPORTED_LOCATION
+               ${LIB_PATH})
+  add_dependencies(${lib} ${GTEST_TARGET})
+endforeach(lib)
+
+include (ExternalProject)
+ExternalProject_Add(${GTEST_TARGET}
+    PREFIX ${GTEST_TARGET}
+    GIT_REPOSITORY https://github.com/google/googletest.git
+    GIT_TAG v1.14.0
+    UPDATE_COMMAND ""
+    CMAKE_CACHE_ARGS -DCMAKE_C_COMPILER:FILEPATH=${CMAKE_C_COMPILER}
+                     -DCMAKE_CXX_COMPILER:FILEPATH=${CMAKE_CXX_COMPILER}
+                     -DCMAKE_C_COMPILER_LAUNCHER:FILEPATH=${CMAKE_C_COMPILER_LAUNCHER}
+                     -DCMAKE_CXX_COMPILER_LAUNCHER:FILEPATH=${CMAKE_CXX_COMPILER_LAUNCHER}
+    CMAKE_ARGS ${CMAKE_ARGS}
+               -DCMAKE_INSTALL_PREFIX=${GTEST_INSTALL_DIR}
+               -DCMAKE_INSTALL_LIBDIR=lib
+    BUILD_BYPRODUCTS ${GTEST_BUILD_BYPRODUCTS}
+)