Updated bash script and documentation for mutation-based fuzzing option

Author: mingxguo27

docs/fuzzing.md

@@ -13,12 +13,14 @@ vulnerabilities are not observable, and even the crash behaviour varies from cas
 to case. Furthermore, the goal to find a general approach for any authenticator
 rules out common solutions such as hardware emulation or binary instrumentation.
 
-## Corpus testing
+## How does it work
 
 Our idea is fuzzing by proxy. We take [OpenSK](https://github.com/google/OpenSK)
 (an open source implementation of a FIDO2 security key) as our fuzz target and 
 generate interesting input data guided by OpenSK's code coverage. At the moment,
-the fuzzing tool consists of running this input corpus on the device under test.
+we support two fuzzing modes: 
+1. Run this input corpus directly on the device under test.
+2. Fuzz the device under test using this input corpus as initial corpus.
 The corpus is hosted at a [git repository](https://github.com/google/CTAP2-test-tool-corpus)
 and integrated as a submodule, which will be downloaded upon cloning the test
 tool repository. When downloading the test tool manually, you can copy the corpus
@@ -42,10 +44,12 @@ you can simply run:
 ```shell
 ./run_fuzzing.sh
 ```
-By default, our predefined data set is run with a blackbox monitor.
+By default, our predefined data set is run on the device with a blackbox monitor.
 
 For more control, the following arguments are available:
 
+- `--run_mode`: `corpus_test` runs the given corpus and `fuzzing` starts mutation-
+  based fuzzing.
 - `--corpus_path`: The path to the corpus containing the test files.
 - `--monitor`: The monitor type to be used. All supported options are:
     - `blackbox`: General blackbox monitor.
@@ -55,6 +59,18 @@ For more control, the following arguments are available:
 - `--port`: If a GDB monitor is selected, the port to listen on for GDB remote 
   connection.
 
+In the fuzzing mode, more options are supported:
+
+- `--fuzzing_mode`: The type of inputs to be fuzzed. All supported options are:
+    - `cbor_make_credential`
+    - `cbor_get_assertion`
+    - `cbor_client_pin`
+    - `ctaphid_raw`
+- `--num_runs`: Number of inputs to be run. By default, the fuzzer will run indefinitely.
+- `--max_length`: Maximum length of an input. By default, there is no limit.
+- `--max_mutation_degree`: Maximum number of successive mutation operations to be
+  applied. By default, the degree is 10.
+
 ## How to reproduce
 
 The files causing a reported crash are saved to `corpus_tests/artifacts/` by

run_fuzzing.sh

@@ -25,6 +25,11 @@ path=_
 corpus=corpus_tests/test_corpus/
 monitor=blackbox
 port=2331
+run_mode=corpus_test
+fuzzing_mode=ctaphid_raw
+num_runs=0
+max_length=0
+max_mutation_degree=10
 
 # parse parameters
 for arg in "$@"
@@ -46,6 +51,26 @@ case $arg in
     port="${arg#*=}"
     shift
     ;;
+    --run_mode=*)
+    run_mode="${arg#*=}"
+    shift
+    ;;
+    --fuzzing_mode=*)
+    fuzzing_mode="${arg#*=}"
+    shift
+    ;;
+    --num_runs=*)
+    num_runs="${arg#*=}"
+    shift
+    ;;
+    --max_length=*)
+    max_length="${arg#*=}"
+    shift
+    ;;
+    --max_mutation_degree=*)
+    max_mutation_degree="${arg#*=}"
+    shift
+    ;;
 esac
 done
 
@@ -54,5 +79,12 @@ then
     git submodule init
     git submodule update
 fi
-
-bazel run //:corpus_test -- --token_path="$path" --corpus_path="$corpus" --monitor="$monitor" --port="$port"
+if [ "$run_mode" = "corpus_test" ]
+then
+    bazel run //:corpus_test -- --token_path="$path" --corpus_path="$corpus" --monitor="$monitor" --port="$port"
+elif [ "$run_mode" = "fuzzing" ]
+then
+    bazel run //:fuzzing -- --token_path="$path" --corpus_path="$corpus" --monitor="$monitor" --port="$port" --fuzzing_mode="$fuzzing_mode" --num_runs="$num_runs" --max_length="$max_length" --max_mutation_degree="$max_mutation_degree"
+else
+    echo "Unsupported run mode."
+fi