1# Mbed TLS invasive testing strategy
2
3## Introduction
4
5In Mbed TLS, we use black-box testing as much as possible: test the documented behavior of the product, in a realistic environment. However this is not always sufficient.
6
7The goal of this document is to identify areas where black-box testing is insufficient and to propose solutions.
8
9This is a test strategy document, not a test plan. A description of exactly what is tested is out of scope.
10
11This document is structured as follows:
12
13* [“Rules”](#rules) gives general rules and is written for brevity.
14* [“Requirements”](#requirements) explores the reasons why invasive testing is needed and how it should be done.
15* [“Possible approaches”](#possible-approaches) discusses some general methods for non-black-box testing.
16* [“Solutions”](#solutions) explains how we currently solve, or intend to solve, specific problems.
17
18### TLS
19
20This document currently focuses on data structure manipulation and storage, which is what the crypto/keystore and X.509 parts of the library are about. More work is needed to fully take TLS into account.
21
22## Rules
23
24Always follow these rules unless you have a good reason not to. If you deviate, document the rationale somewhere.
25
26See the section [“Possible approaches”](#possible-approaches) for a rationale.
27
28### Interface design for testing
29
30Do not add test-specific interfaces if there's a practical way of doing it another way. All public interfaces should be useful in at least some configurations. Features with a significant impact on the code size or attack surface should have a compile-time guard.
31
32### Reliance on internal details
33
34In unit tests and in test programs, it's ok to include internal header files from `library/`. Do not define non-public interfaces in public headers. In contrast, sample programs must not include header files from `library/`.
35
36Sometimes it makes sense to have unit tests on functions that aren't part of the public API. Declare such functions in `library/*.h` and include the corresponding header in the test code. If the function should be `static` for optimization but can't be `static` for testing, declare it as `MBEDTLS_STATIC_TESTABLE`, and make the tests that use it depend on `MBEDTLS_TEST_HOOKS` (see [“rules for compile-time options”](#rules-for-compile-time-options)).
37
38If test code or test data depends on internal details of the library and not just on its documented behavior, add a comment in the code that explains the dependency. For example:
39
40> ```
41> /* This test file is specific to the ITS implementation in PSA Crypto
42>  * on top of stdio. It expects to know what the stdio name of a file is
43>  * based on its keystore name.
44>  */
45> ```
46
47> ```
48> # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes
49> # and not expected to be raised any time soon) is less than the maximum
50> # output from HKDF-SHA512 (255*64 = 16320 bytes).
51> ```
52
53### Rules for compile-time options
54
55If the most practical way to test something is to add code to the product that is only useful for testing, do so, but obey the following rules. For more information, see the [rationale](#guidelines-for-compile-time-options).
56
57* **Only use test-specific code when necessary.** Anything that can be tested through the documented API must be tested through the documented API.
58* **Test-specific code must be guarded by `#if defined(MBEDTLS_TEST_HOOKS)`**. Do not create fine-grained guards for test-specific code.
59* **Do not use `MBEDTLS_TEST_HOOKS` for security checks or assertions.** Security checks belong in the product.
60* **Merely defining `MBEDTLS_TEST_HOOKS` must not change the behavior**. It may define extra functions. It may add fields to structures, but if so, make it very clear that these fields have no impact on non-test-specific fields.
61* **Where tests must be able to change the behavior, do it by function substitution.** See [“rules for function substitution”](#rules-for-function-substitution) for more details.
62
63#### Rules for function substitution
64
65This section explains how to replace a library function `mbedtls_foo()` by alternative code for test purposes. That is, library code calls `mbedtls_foo()`, and there is a mechanism to arrange for these calls to invoke different code.
66
67Often `mbedtls_foo` is a macro which is defined to be a system function (like `mbedtls_calloc` or `mbedtls_fopen`), which we replace to mock or wrap the system function. This is useful to simulate I/O failure, for example. Note that if the macro can be replaced at compile time to support alternative platforms, the test code should be compatible with this compile-time configuration so that it works on these alternative platforms as well.
68
69Sometimes the substitutable function is a `static inline` function that does nothing (not a macro, to avoid accidentally skipping side effects in its parameters), to provide a hook for test code; such functions should have a name that starts with the prefix `mbedtls_test_hook_`. In such cases, the function should generally not modify its parameters, so any pointer argument should be const. The function should return void.
70
71With `MBEDTLS_TEST_HOOKS` set, `mbedtls_foo` is a global variable of function pointer type. This global variable is initialized to the system function, or to a function that does nothing. The global variable is defined in a header in the `library` directory such as `psa_crypto_invasive.h`. This is similar to the platform function configuration mechanism with `MBEDTLS_PLATFORM_xxx_ALT`.
72
73In unit test code that needs to modify the internal behavior:
74
75* The test function (or the whole test file) must depend on `MBEDTLS_TEST_HOOKS`.
76* At the beginning of the test function, set the global function pointers to the desired value.
77* In the test function's cleanup code, restore the global function pointers to their default value.
78
79## Requirements
80
81### General goals
82
83We need to balance the following goals, which are sometimes contradictory.
84
85* Coverage: we need to test behaviors which are not easy to trigger by using the API or which cannot be triggered deterministically, for example I/O failures.
86* Correctness: we want to test the actual product, not a modified version, since conclusions drawn from a test of a modified product may not apply to the real product.
87* Effacement: the product should not include features that are solely present for test purposes, since these increase the attack surface and the code size.
88* Portability: tests should work on every platform. Skipping tests on certain platforms may hide errors that are only apparent on such platforms.
89* Maintainability: tests should only enforce the documented behavior of the product, to avoid extra work when the product's internal or implementation-specific behavior changes. We should also not give the impression that whatever the tests check is guaranteed behavior of the product which cannot change in future versions.
90
91Where those goals conflict, we should at least mitigate the goals that cannot be fulfilled, and document the architectural choices and their rationale.
92
93### Problem areas
94
95#### Allocation
96
97Resource allocation can fail, but rarely does so in a typical test environment. How does the product cope if some allocations fail?
98
99Resources include:
100
101* Memory.
102* Files in storage (PSA API only — in the Mbed TLS API, black-box unit tests are sufficient).
103* Key slots (PSA API only).
104* Key slots in a secure element (PSA SE HAL).
105* Communication handles (PSA crypto service only).
106
107#### Storage
108
109Storage can fail, either due to hardware errors or to active attacks on trusted storage. How does the code cope if some storage accesses fail?
110
111We also need to test resilience: if the system is reset during an operation, does it restart in a correct state?
112
113#### Cleanup
114
115When code should clean up resources, how do we know that they have truly been cleaned up?
116
117* Zeroization of confidential data after use.
118* Freeing memory.
119* Freeing key slots.
120* Freeing key slots in a secure element.
121* Deleting files in storage (PSA API only).
122
123#### Internal data
124
125Sometimes it is useful to peek or poke internal data.
126
127* Check consistency of internal data (e.g. output of key generation).
128* Check the format of files (which matters so that the product can still read old files after an upgrade).
129* Inject faults and test corruption checks inside the product.
130
131## Possible approaches
132
133Key to requirement tables:
134
135* ++ requirement is fully met
136* \+ requirement is mostly met
137* ~ requirement is partially met but there are limitations
138* ! requirement is somewhat problematic
139* !! requirement is very problematic
140
141### Fine-grained public interfaces
142
143We can include all the features we want to test in the public interface. Then the tests can be truly black-box. The limitation of this approach is that this requires adding a lot of interfaces that are not useful in production. These interfaces have costs: they increase the code size, the attack surface, and the testing burden (exponentially, because we need to test all these interfaces in combination).
144
145As a rule, we do not add public interfaces solely for testing purposes. We only add public interfaces if they are also useful in production, at least sometimes. For example, the main purpose of `mbedtls_psa_crypto_free` is to clean up all resources in tests, but this is also useful in production in some applications that only want to use PSA Crypto during part of their lifetime.
146
147Mbed TLS traditionally has very fine-grained public interfaces, with many platform functions that can be substituted (`MBEDTLS_PLATFORM_xxx` macros). PSA Crypto has more opacity and less platform substitution macros.
148
149| Requirement | Analysis |
150| ----------- | -------- |
151| Coverage | ~ Many useful tests are not reasonably achievable |
152| Correctness | ++ Ideal |
153| Effacement | !! Requires adding many otherwise-useless interfaces |
154| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
155| Maintainability | !! Combinatorial explosion on the testing burden |
156|                 | ! Public interfaces must remain for backward compatibility even if the test architecture changes |
157
158### Fine-grained undocumented interfaces
159
160We can include all the features we want to test in undocumented interfaces. Undocumented interfaces are described in public headers for the sake of the C compiler, but are described as “do not use” in comments (or not described at all) and are not included in Doxygen-rendered documentation. This mitigates some of the downsides of [fine-grained public interfaces](#fine-grained-public-interfaces), but not all. In particular, the extra interfaces do increase the code size, the attack surface and the test surface.
161
162Mbed TLS traditionally has a few internal interfaces, mostly intended for cross-module abstraction leakage rather than for testing. For the PSA API, we favor [internal interfaces](#internal-interfaces).
163
164| Requirement | Analysis |
165| ----------- | -------- |
166| Coverage | ~ Many useful tests are not reasonably achievable |
167| Correctness | ++ Ideal |
168| Effacement | !! Requires adding many otherwise-useless interfaces |
169| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
170| Maintainability | ! Combinatorial explosion on the testing burden |
171
172### Internal interfaces
173
174We can write tests that call internal functions that are not exposed in the public interfaces. This is nice when it works, because it lets us test the unchanged product without compromising the design of the public interface.
175
176A limitation is that these interfaces must exist in the first place. If they don't, this has mostly the same downside as public interfaces: the extra interfaces increase the code size and the attack surface for no direct benefit to the product.
177
178Another limitation is that internal interfaces need to be used correctly. We may accidentally rely on internal details in the tests that are not necessarily always true (for example that are platform-specific). We may accidentally use these internal interfaces in ways that don't correspond to the actual product.
179
180This approach is mostly portable since it only relies on C interfaces. A limitation is that the test-only interfaces must not be hidden at link time (but link-time hiding is not something we currently do). Another limitation is that this approach does not work for users who patch the library by replacing some modules; this is a secondary concern since we do not officially offer this as a feature.
181
182| Requirement | Analysis |
183| ----------- | -------- |
184| Coverage | ~ Many useful tests require additional internal interfaces |
185| Correctness | + Does not require a product change |
186|             | ~ The tests may call internal functions in a way that does not reflect actual usage inside the product |
187| Effacement | ++ Fine as long as the internal interfaces aren't added solely for test purposes |
188| Portability | + Fine as long as we control how the tests are linked |
189|             | ~ Doesn't work if the users rewrite an internal module |
190| Maintainability | + Tests interfaces that are documented; dependencies in the tests are easily noticed when changing these interfaces |
191
192### Static analysis
193
194If we guarantee certain properties through static analysis, we don't need to test them. This puts some constraints on the properties:
195
196* We need to have confidence in the specification (but we can gain this confidence by evaluating the specification on test data).
197* This does not work for platform-dependent properties unless we have a formal model of the platform.
198
199| Requirement | Analysis |
200| ----------- | -------- |
201| Coverage | ~ Good for platform-independent properties, if we can guarantee them statically |
202| Correctness | + Good as long as we have confidence in the specification |
203| Effacement | ++ Zero impact on the code |
204| Portability | ++ Zero runtime burden |
205| Maintainability | ~ Static analysis is hard, but it's also helpful |
206
207### Compile-time options
208
209If there's code that we want to have in the product for testing, but not in production, we can add a compile-time option to enable it. This is very powerful and usually easy to use, but comes with a major downside: we aren't testing the same code anymore.
210
211| Requirement | Analysis |
212| ----------- | -------- |
213| Coverage | ++ Most things can be tested that way |
214| Correctness | ! Difficult to ensure that what we test is what we run |
215| Effacement | ++ No impact on the product when built normally or on the documentation, if done right |
216|             | ! Risk of getting “no impact” wrong |
217| Portability | ++ It's just C code so it works everywhere |
218|             | ~ Doesn't work if the users rewrite an internal module |
219| Maintainability | + Test interfaces impact the product source code, but at least they're clearly marked as such in the code |
220
221#### Guidelines for compile-time options
222
223* **Minimize the number of compile-time options.**<br>
224  Either we're testing or we're not. Fine-grained options for testing would require more test builds, especially if combinatorics enters the play.
225* **Merely enabling the compile-time option should not change the behavior.**<br>
226  When building in test mode, the code should have exactly the same behavior. Changing the behavior should require some action at runtime (calling a function or changing a variable).
227* **Minimize the impact on code**.<br>
228  We should not have test-specific conditional compilation littered through the code, as that makes the code hard to read.
229
230### Runtime instrumentation
231
232Some properties can be tested through runtime instrumentation: have the compiler or a similar tool inject something into the binary.
233
234* Sanitizers check for certain bad usage patterns (ASan, MSan, UBSan, Valgrind).
235* We can inject external libraries at link time. This can be a way to make system functions fail.
236
237| Requirement | Analysis |
238| ----------- | -------- |
239| Coverage | ! Limited scope |
240| Correctness | + Instrumentation generally does not affect the program's functional behavior |
241| Effacement | ++ Zero impact on the code |
242| Portability | ~ Depends on the method |
243| Maintainability | ~ Depending on the instrumentation, this may require additional builds and scripts |
244|                 | + Many properties come for free, but some require effort (e.g. the test code itself must be leak-free to avoid false positives in a leak detector) |
245
246### Debugger-based testing
247
248If we want to do something in a test that the product isn't capable of doing, we can use a debugger to read or modify the memory, or hook into the code at arbitrary points.
249
250This is a very powerful approach, but it comes with limitations:
251
252* The debugger may introduce behavior changes (e.g. timing). If we modify data structures in memory, we may do so in a way that the code doesn't expect.
253* Due to compiler optimizations, the memory may not have the layout that we expect.
254* Writing reliable debugger scripts is hard. We need to have confidence that we're testing what we mean to test, even in the face of compiler optimizations. Languages such as gdb make it hard to automate even relatively simple things such as finding the place(s) in the binary corresponding to some place in the source code.
255* Debugger scripts are very much non-portable.
256
257| Requirement | Analysis |
258| ----------- | -------- |
259| Coverage | ++ The sky is the limit |
260| Correctness | ++ The code is unmodified, and tested as compiled (so we even detect compiler-induced bugs) |
261|             | ! Compiler optimizations may hinder |
262|             | ~ Modifying the execution may introduce divergence |
263| Effacement | ++ Zero impact on the code |
264| Portability | !! Not all environments have a debugger, and even if they do, we'd need completely different scripts for every debugger |
265| Maintainability | ! Writing reliable debugger scripts is hard |
266|                 | !! Very tight coupling with the details of the source code and even with the compiler |
267
268## Solutions
269
270This section lists some strategies that are currently used for invasive testing, or planned to be used. This list is not intended to be exhaustive.
271
272### Memory management
273
274#### Zeroization testing
275
276Goal: test that `mbedtls_platform_zeroize` does wipe the memory buffer.
277
278Solution ([debugger](#debugger-based-testing)): implemented in `tests/scripts/test_zeroize.gdb`.
279
280Rationale: this cannot be tested by adding C code, because the danger is that the compiler optimizes the zeroization away, and any C code that observes the zeroization would cause the compiler not to optimize it away.
281
282#### Memory cleanup
283
284Goal: test the absence of memory leaks.
285
286Solution ([instrumentation](#runtime-instrumentation)): run tests with ASan. (We also use Valgrind, but it's slower than ASan, so we favor ASan.)
287
288Since we run many test jobs with a memory leak detector, each test function or test program must clean up after itself. Use the cleanup code (after the `exit` label in test functions) to free any memory that the function may have allocated.
289
290#### Robustness against memory allocation failure
291
292Solution: TODO. We don't test this at all at this point.
293
294#### PSA key store memory cleanup
295
296Goal: test the absence of resource leaks in the PSA key store code, in particular that `psa_close_key` and `psa_destroy_key` work correctly.
297
298Solution ([internal interface](#internal-interfaces)): in most tests involving PSA functions, the cleanup code explicitly calls `PSA_DONE()` instead of `mbedtls_psa_crypto_free()`. `PSA_DONE` fails the test if the key store in memory is not empty.
299
300Note there must also be tests that call `mbedtls_psa_crypto_free` with keys still open, to verify that it does close all keys.
301
302`PSA_DONE` is a macro defined in `psa_crypto_helpers.h` which uses `mbedtls_psa_get_stats()` to get information about the keystore content before calling `mbedtls_psa_crypto_free()`. This feature is mostly but not exclusively useful for testing, and may be moved under `MBEDTLS_TEST_HOOKS`.
303
304### PSA storage
305
306#### PSA storage cleanup on success
307
308Goal: test that no stray files are left over in the key store after a test that succeeded.
309
310Solution: TODO. Currently the various test suites do it differently.
311
312#### PSA storage cleanup on failure
313
314Goal: ensure that no stray files are left over in the key store even if a test has failed (as that could cause other tests to fail).
315
316Solution: TODO. Currently the various test suites do it differently.
317
318#### PSA storage resilience
319
320Goal: test the resilience of PSA storage against power failures.
321
322Solution: TODO.
323
324See the [secure element driver interface test strategy](driver-interface-test-strategy.html) for more information.
325
326#### Corrupted storage
327
328Goal: test the robustness against corrupted storage.
329
330Solution ([internal interface](#internal-interfaces)): call `psa_its` functions to modify the storage.
331
332#### Storage read failure
333
334Goal: test the robustness against read errors.
335
336Solution: TODO
337
338#### Storage write failure
339
340Goal: test the robustness against write errors (`STORAGE_FAILURE` or `INSUFFICIENT_STORAGE`).
341
342Solution: TODO
343
344#### Storage format stability
345
346Goal: test that the storage format does not change between versions (or if it does, an upgrade path must be provided).
347
348Solution ([internal interface](#internal-interfaces)): call internal functions to inspect the content of the file.
349
350Note that the storage format is defined not only by the general layout, but also by the numerical values of encodings for key types and other metadata. For numerical values, there is a risk that we would accidentally modify a single value or a few values, so the tests should be exhaustive. This probably requires some compile-time analysis (perhaps the automation for `psa_constant_names` can be used here). TODO
351
352### Other fault injection
353
354#### PSA crypto init failure
355
356Goal: test the failure of `psa_crypto_init`.
357
358Solution ([compile-time option](#compile-time-options)): replace entropy initialization functions by functions that can fail. This is the only failure point for `psa_crypto_init` that is present in all builds.
359
360When we implement the PSA entropy driver interface, this should be reworked to use the entropy driver interface.
361
362#### PSA crypto data corruption
363
364The PSA crypto subsystem has a few checks to detect corrupted data in memory. We currently don't have a way to exercise those checks.
365
366Solution: TODO. To corrupt a multipart operation structure, we can do it by looking inside the structure content, but only when running without isolation. To corrupt the key store, we would need to add a function to the library or to use a debugger.
367
368