CodeIntelligenceTesting / jazzer

Coverage-guided, in-process fuzzing for the JVM
https://code-intelligence.com

Using jazzer on junit4 / Android tests #865

Open ubiratansoares opened 11 months ago

ubiratansoares commented 11 months ago

Hey folks! New jazzer user here 👋🏻

I'm reaching out to you to discuss how we could have even better support to fuzzing on Android projects.

Particularly it seems that junit5-only support is a deal breaker for this use case, since junit5 was never officially supported by the Android tooling. 💔

The Android community has been using this Gradle plugin for ages in order to enable junit-platform and write tests over Android-free code within Android projects. On the other hand, libraries like Robolectric - which we use to unit-test code coupled with Android framework classes - support only junit4.

That means that we have a hard time using jazzer to fuzz abstractions over Intents, URIs, and other non-UI stuff we grab from the Android framework.

Not sure if I missed something, but in any case: do you folks have plans to add support for junit4 on jazzer?

Thanks in advance, and congrats on the great work you folks have been doing in the JVM/fuzzing space 🙂

fmeum commented 10 months ago

Thanks for your interest in Jazzer. Fuzzing Android applications is a pretty exciting application. @TheCoryBarker has made a number of contributions to Jazzer with the aim of making this possible, but that work doesn't seem to cover the Robolectric use case.

Supporting JUnit 5 well already requires substantial effort, which is why I think it's unlikely that we will take on supporting another test framework in the foreseeable future. We are however thinking of ways to add "second-class support" for any kind of framework via e.g. a fuzz function accepting a lambda. I will leave this issue open and post an update when we get to this.

TheCoryBarker commented 10 months ago

Right now there is no way to fuzz intents. The only fuzzing is through building your Java as a library and fuzzing that library. The current sanitizers also are not well equipped for finding vulnerabilities on Android; because of this you should still target code that uses heavy native code, since the native code is where you will be finding your vulns.

To start fuzzing this code, write your fuzz target for a Java library that heavily uses native code. Build this code, then instrument the .class files offline. Then use the d8 tool to DEX your .jar file, push it to your Android device and start fuzzing. If this sounds like your case, I would recommend trying to fuzz your native code directly first.

I'll add though that since Robolectric uses a normal JVM and normal Java bytecode, I suspect that if junit4 was ever supported you could just build Jazzer normally and run on Robolectric with full runtime instrumentation. This wouldn't work for my case since I was mostly interested in the java->native code that ships on an Android device, which Robolectric doesn't have.
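The comments above distinguish two paths: fuzzing a plain-JVM library (which Robolectric could in principle run, if JUnit 4 were supported) and fuzzing on-device code. What the thread does not spell out is that Jazzer's original, JUnit-free entry point is a static `fuzzerTestOneInput(FuzzedDataProvider)` method on the target class, which has no dependency on JUnit 5 at all. The following is an added example, not code from Jazzer or from any commenter: it shows such a harness for a hypothetical pure-Java `DeepLinkParser` (constructed here as a stand-in for the "abstractions over Intents, URIs" mentioned in the issue), using only the real `com.code_intelligence.jazzer.api` package. The parser, the `myapp://` scheme and the invariants are assumptions for illustration; the example says nothing about running under Robolectric or on an Android device.

```java
// Added example (not part of the Jazzer project or this issue thread).
// Hypothetical target: a tiny deep-link parser standing in for Intent/URI
// wrappers. DeepLinkParser and its rules are assumptions for illustration.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;

import java.util.LinkedHashMap;
import java.util.Map;

public class DeepLinkFuzzer {

    /** Constructed code under test: parses "myapp://host/path?k=v&k2=v2". */
    static final class DeepLinkParser {
        static final String SCHEME = "myapp://";

        static final class Link {
            final String host;
            final String path;
            final Map<String, String> query;
            Link(String host, String path, Map<String, String> query) {
                this.host = host; this.path = path; this.query = query;
            }
        }

        /** Returns null for input that is not a deep link; throws only IllegalArgumentException. */
        static Link parse(String s) {
            if (s == null || !s.startsWith(SCHEME)) return null;
            String rest = s.substring(SCHEME.length());
            int q = rest.indexOf('?');
            String hostPath = q < 0 ? rest : rest.substring(0, q);
            String queryStr = q < 0 ? "" : rest.substring(q + 1);
            int slash = hostPath.indexOf('/');
            String host = slash < 0 ? hostPath : hostPath.substring(0, slash);
            String path = slash < 0 ? "/" : hostPath.substring(slash);
            if (host.isEmpty()) throw new IllegalArgumentException("empty host");
            Map<String, String> query = new LinkedHashMap<>();
            for (String pair : queryStr.split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String k = eq < 0 ? pair : pair.substring(0, eq);
                String v = eq < 0 ? "" : pair.substring(eq + 1);
                query.put(k, v);
            }
            return new Link(host, path, query);
        }
    }

    // Jazzer's JUnit-free entry point: called once per generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Consume structured input rather than raw bytes so the fuzzer can
        // vary scheme prefix, host/path and query independently.
        String input = data.consumeBoolean()
                ? DeepLinkParser.SCHEME + data.consumeRemainingAsString()
                : data.consumeRemainingAsString();

        DeepLinkParser.Link link;
        try {
            link = DeepLinkParser.parse(input);
        } catch (IllegalArgumentException expected) {
            return; // declared failure mode, not a finding
        }
        // Any other exception (NPE, StringIndexOutOfBounds, ...) propagates and
        // is reported by Jazzer as a crash.

        if (link == null) return;

        // Invariants a caller of the "Intent-like" abstraction relies on.
        // Violations are surfaced as security findings via Jazzer's API.
        if (link.host.isEmpty()) {
            throw new FuzzerSecurityIssueMedium("parser accepted a link with an empty host");
        }
        if (!link.path.startsWith("/")) {
            throw new FuzzerSecurityIssueMedium("path is not rooted: " + link.path);
        }
        for (String k : link.query.keySet()) {
            if (k.indexOf('&') >= 0 || k.indexOf('?') >= 0) {
                throw new FuzzerSecurityIssueMedium("query key contains a delimiter: " + k);
            }
        }
    }
}
```

This harness compiles against `jazzer_api.jar` only and is run on a normal JVM with the Jazzer launcher by pointing `--target_class` at `DeepLinkFuzzer` and putting the compiled classes on the classpath; no JUnit runner is involved, which is the property the Robolectric question in this thread turns on. Whether the same class could be driven from a JUnit 4 `@Test` is exactly what the maintainers say is not supported, so the example stops at the standalone entry point.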

ajgay commented 10 months ago

@TheCoryBarker can you elaborate a bit? When building for Android via `bazel build //launcher/android:jazzer_android` I get an empty APK. Additionally the prebuilt releases do not contain an Android-compatible driver bin. I've also built via AOSP but their current blueprint files only build for the API -- not the driver. How can I get a working driver for Android? I've also tried loading the Java driver Jazzer.java via app_process but this fails, presumably because they are not dex'd. Attempting to dex the prebuilt jazzer_standalone.jar fails.

ghost commented 6 months ago

@ubiratansoares @ajgay Thanks for the questions and feedback. Did you all figure out a workaround? Please ping me to discuss. david[dot]merian [at] code-intelligence[dot]com