diff --git a/trusty/confirmationui/fuzz/Android.bp b/trusty/confirmationui/fuzz/Android.bp
index 12bb70a69..ba571914d 100644
--- a/trusty/confirmationui/fuzz/Android.bp
+++ b/trusty/confirmationui/fuzz/Android.bp
@@ -17,11 +17,27 @@ package {
 }
 cc_fuzz {
- name: "trusty_confirmationui_fuzzer",
+ name: "trusty_confirmationui_tipc_fuzzer",
 defaults: ["trusty_fuzzer_defaults"],
- srcs: ["fuzz.cpp"],
+ srcs: [":trusty_tipc_fuzzer"],
+ cflags: [
+ "-DTRUSTY_APP_PORT=\"com.android.trusty.confirmationui\"",
+ "-DTRUSTY_APP_UUID=\"7dee2364-c036-425b-b086-df0f6c233c1b\"",
+ "-DTRUSTY_APP_FILENAME=\"confirmationui.syms.elf\"",
+ ],
- // The initial corpus for this fuzzer was derived by dumping bytes from
- // ConfirmationUI VTS.
- corpus: ["corpus/*"],
+}
+
+cc_fuzz {
+ name: "trusty_confirmationui_msg_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: ["msg_fuzzer.cpp"],
+ include_dirs: ["system/core/trusty/confirmationui/include"],
+ shared_libs: [
+ "libdmabufheap",
+ ],
+
+ // The initial corpus for this fuzzer was derived by dumping messages from/to
+ // HAL to/from TA triggered by VtsHalConfirmationUIV1_0TargetTest.
+ corpus: ["msg_corpus/*"],
 }
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
deleted file mode 100644
index 53fe0c99f..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
deleted file mode 100644
index bda80fdbc..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO and /dev/null differ
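Review bot: The `corpus: ["msg_corpus/*"]` glob on `trusty_confirmationui_msg_fuzzer` takes every file under msg_corpus/, and going by the blob ids in this commit many of those seeds are empty (`e69de29bb`, added with no binary content) or byte-identical copies of each other (the repeated `7392034c2` and `556828d24` entries). They add no coverage, and the `-recv-` files appear to be TA-to-HAL replies rather than messages the TA parses, so their value as seeds is doubtful; consider de-duplicating the directory and saying in the comment above `corpus:` which direction the kept seeds represent. `trusty_confirmationui_tipc_fuzzer` now has no `corpus:` entry at all, which deserves a one-line comment if that is intentional.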
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
deleted file mode 100644
index f5854f833..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi b/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j b/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs b/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T b/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
deleted file mode 100644
index 0dc6e91f7..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO b/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
deleted file mode 100644
index 927d64dd9..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
deleted file mode 100644
index 87870ca7e..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
deleted file mode 100644
index 0b274bf90..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni b/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t b/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
deleted file mode 100644
index 87870ca7e..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
deleted file mode 100644
index 87870ca7e..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
deleted file mode 100644
index b4a1c49ef..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
deleted file mode 100644
index 5adf90513..000000000
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN and /dev/null differ
diff --git a/trusty/confirmationui/fuzz/fuzz.cpp b/trusty/confirmationui/fuzz/fuzz.cpp
deleted file mode 100644
index df2517c8c..000000000
--- a/trusty/confirmationui/fuzz/fuzz.cpp
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-using android::trusty::coverage::CoverageRecord;
-using android::trusty::fuzz::ExtraCounters;
-using android::trusty::fuzz::TrustyApp;
-
-#define TIPC_DEV "/dev/trusty-ipc-dev0"
-#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
-#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
-
-/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
-static struct uuid confirmationui_uuid = {
- 0x7dee2364,
- 0xc036,
- 0x425b,
- {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
-};
-
-/* The format of the packets is as following:
- * 16 bits (uint16_t, header) + payload bytes
- * The 16 bits header spicify the number of bytes of payload (header excluded).
- */
-struct data_packet {
- uint16_t header;
- uint8_t payload[];
-};
-
-static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
-
-extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
- auto ret = record.Open();
- if (!ret.ok()) {
- std::cerr << ret.error() << std::endl;
- exit(-1);
- }
- return 0;
-}
-
-/* Each corpus contains one or more data packets. */
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- static uint8_t buf[TIPC_MAX_MSG_SIZE];
- size_t data_idx = 0;
-
- ExtraCounters counters(&record);
- counters.Reset();
-
- TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
- auto ret = ta.Connect();
- if (!ret.ok()) {
- android::trusty::fuzz::Abort();
- }
-
- while (data_idx < size) {
- struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx];
- size_t payload_size = data_packet_ptr->header;
- data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header);
-
- /* Write message to confirmationui server */
- ret = ta.Write(data_packet_ptr->payload, payload_size);
- if (!ret.ok()) {
- return -1;
- }
-
- /* Read message from confirmationui server */
- ret = ta.Read(&buf, sizeof(buf));
- if (!ret.ok()) {
- return -1;
- }
- }
-
- return 0;
-}
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl
new file mode 100644
index 000000000..c8741fbdf
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b
new file mode 100644
index 000000000..168242791
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi
new file mode 100644
index 000000000..d48e5a167
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq
new file mode 100644
index 000000000..6f72ad5c5
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff
new file mode 100644
index 000000000..64a159c58
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb
new file mode 100644
index 000000000..64a159c58
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t
new file mode 100644
index 000000000..64a159c58
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5
new file mode 100644
index 000000000..556828d24
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP
new file mode 100644
index 000000000..8be96c587
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj
new file mode 100644
index 000000000..e69de29bb
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ differ
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG
similarity index 96%
rename from trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
rename to trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG
index d627b01a0..b944d949a 100644
Binary files a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX
new file mode 100644
index 000000000..1d9374d4b
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz
new file mode 100644
index 000000000..b3be8cd7a
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn
new file mode 100644
index 000000000..4190adf33
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS
new file mode 100644
index 000000000..1d9374d4b
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30
new file mode 100644
index 000000000..38e3fca1c
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC
new file mode 100644
index 000000000..4190adf33
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG
new file mode 100644
index 000000000..4190adf33
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs
new file mode 100644
index 000000000..cbfd07a97
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp
new file mode 100644
index 000000000..ecaec1233
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE
new file mode 100644
index 000000000..58b1526a2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r
new file mode 100644
index 000000000..af570ea46
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs
new file mode 100644
index 000000000..e4b99fb7a
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang
new file mode 100644
index 000000000..d1149560d
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb
new file mode 100644
index 000000000..6caf7ddb6
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14
new file mode 100644
index 000000000..ecaec1233
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw
new file mode 100644
index 000000000..36445d957
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC
new file mode 100644
index 000000000..f6c6dcf6b
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5 differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH
new file mode 100644
index 000000000..d6ba1fc10
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH differ
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC
new file mode 100644
index 000000000..7392034c2
Binary files /dev/null and b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC differ
diff --git a/trusty/confirmationui/fuzz/msg_fuzzer.cpp b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
new file mode 100644
index 000000000..8e4443c78
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+using android::trusty::coverage::CoverageRecord;
+using android::trusty::fuzz::ExtraCounters;
+using android::trusty::fuzz::TrustyApp;
+
+#define countof(arr) (sizeof(arr) / sizeof(arr[0]))
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
+#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
+
+/* A request to render to screen may take a while. */
+const size_t kTimeoutSeconds = 30;
+
+/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
+static struct uuid confirmationui_uuid = {
+ 0x7dee2364,
+ 0xc036,
+ 0x425b,
+ {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
+};
+
+static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
+
+static android::base::unique_fd dma_buf;
+static void* shm_base;
+
+extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
+ auto ret = record.Open();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ exit(-1);
+ }
+
+ BufferAllocator allocator;
+ dma_buf.reset(allocator.Alloc(kDmabufSystemHeapName, CONFIRMATIONUI_MAX_MSG_SIZE));
+ if (dma_buf < 0) {
+ std::cerr << "Failed to allocate dma_buf" << std::endl;
+ exit(-1);
+ }
+
+ shm_base = mmap(0, CONFIRMATIONUI_MAX_MSG_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
+ if (shm_base == MAP_FAILED) {
+ std::cerr << "Failed to mmap() dma_buf" << std::endl;
+ exit(-1);
+ }
+
+ return 0;
+}
+
+static bool Init(int chan, int dma_buf) {
+ confirmationui_hdr hdr = {
+ .cmd = CONFIRMATIONUI_CMD_INIT,
+ };
+ confirmationui_init_req args = {
+ .shm_len = CONFIRMATIONUI_MAX_MSG_SIZE,
+ };
+ iovec iov[] = {
+ {
+ .iov_base = &hdr,
+ .iov_len = sizeof(hdr),
+ },
+ {
+ .iov_base = &args,
+ .iov_len = sizeof(args),
+ },
+ };
+ trusty_shm shm = {
+ .fd = dma_buf,
+ .transfer = TRUSTY_SHARE,
+ };
+
+ int rc = tipc_send(chan, iov, countof(iov), &shm, 1);
+ if (rc != static_cast(sizeof(hdr) + sizeof(args))) {
+ return false;
+ }
+
+ rc = read(chan, &hdr, sizeof(hdr));
+ if (rc != static_cast(sizeof(hdr))) {
+ return false;
+ }
+
+ return true;
+}
+
+static bool Msg(int chan, const uint8_t* data, size_t size) {
+ confirmationui_hdr hdr = {
+ .cmd = CONFIRMATIONUI_CMD_MSG,
+ };
+ confirmationui_msg_args args = {
+ .msg_len = static_cast(size),
+ };
+ iovec iov[] = {
+ {
+ .iov_base = &hdr,
+ .iov_len = sizeof(hdr),
+ },
+ {
+ .iov_base = &args,
+ .iov_len = sizeof(args),
+ },
+ };
+
+ memset(shm_base, 0, CONFIRMATIONUI_MAX_MSG_SIZE);
+ memcpy(shm_base, data, size);
+
+ int rc = tipc_send(chan, iov, countof(iov), NULL, 0);
+ if (rc != static_cast(sizeof(hdr) + sizeof(args))) {
+ return false;
+ }
+
+ rc = readv(chan, iov, countof(iov));
+ if (rc != static_cast(sizeof(hdr) + sizeof(args))) {
+ return false;
+ }
+
+ return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ ExtraCounters counters(&record);
+ counters.Reset();
+
+ TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
+ auto ret = ta.Connect();
+ if (!ret.ok()) {
+ android::trusty::fuzz::Abort();
+ }
+ int chan = *ta.GetRawFd();
+
+ alarm(kTimeoutSeconds);
+ bool success = Init(chan, dma_buf);
+ alarm(0);
+ if (!success) {
+ android::trusty::fuzz::Abort();
+ }
+
+ alarm(kTimeoutSeconds);
+ success = Msg(chan, data, size);
+ alarm(0);
+ if (!success) {
+ android::trusty::fuzz::Abort();
+ }
+
+ return 0;
+}
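Review bot: `Msg()` copies the fuzz input with `memcpy(shm_base, data, size)` without comparing `size` to `CONFIRMATIONUI_MAX_MSG_SIZE`, the length `shm_base` was mapped with in `LLVMFuzzerInitialize`, so an input longer than the mapping writes past it inside the harness and the crash would be misattributed to the TA. `msg_len` is filled from the same unchecked `size` through a cast whose target type is not visible here, so a large value may also be truncated before it reaches the TA. Reject oversized inputs before connecting, for example `if (size > CONFIRMATIONUI_MAX_MSG_SIZE) return 0;` as the first statement of `LLVMFuzzerTestOneInput`. A comment on `shm_base` stating that it is a `CONFIRMATIONUI_MAX_MSG_SIZE`-byte mapping shared with the TA by `Init()` would make that bound visible to the next reader.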