Lines Matching refs:to

6 has been used as a popular approach to look for security vulnerabilities in
9 Due to the complex architecture of the Android Bluetooth stack, fuzzing the
11 multiple fuzzers are created to target different areas of the BT stack. Fuzzers
16 they can cause much more severe damage compared to local attacks. This makes the
17 incoming BT message handlers our focus. The goal is to be able to pipe randomly
18 generated data packets to those message handlers to explore the code path each
28 According to Bluetooth spec and the source code, most of the components we care
31 1. At initialization, a component registers itself to L2CAP with a set of
34 2. Each component also exposes certain APIs to upper layers, which can be higher
36 applications use these APIs to configure the stack, and issue requests.
39 data, and passes data to upper layer using those callbacks.
42 5. It's common for a Bluetooth stack component to use state machines. The state
46 The fuzzers are designed to simulate how a component is used in the real world,
48 1. First a fuzzer should mock the L2CAP APIs to capture the registration call
51 its initialization function. This will cause the component to register itself to
54 3. The fuzzer then calls necessary APIs and callbacks exposed to L2CAP to
57 and feeds them to the target component using the previously captured message
59 5. It's common that a fuzzer also needs to call certain APIs to trigger state
61 derived from fuzzing input to make those API calls.
63 start cleanly. It's important to clean up all the data so there is no state
64 pollution between two iterations, otherwise it will be very difficult to
68 For maximum fuzzing efficiency, the fuzzers are created to include the target
70 dependencies from other Bluetooth components need to be mocked. The mocks are
79 It's very important to review the code coverage of each fuzzer. Any big
86 The fuzzers are designed to run as fast as possible. But there might still
87 be some room to improve the performance. Profiling can be done to figure