Fuzz Everything, Everywhere, All at Once: Scaling Security with GNATfuzz

In industries like aerospace, automotive, and defense, security is not just a feature; it is a requirement (often mandated by standards such as ED-202/DO-326 for aviation or ISO/SAE 21434 for automotive). There are many different aspects to security. In the world of high-integrity software, we often talk about "defense in depth," which means covering security from the beginning of a project and covering as many aspects as realistically possible. AdaCore offers a comprehensive solution for defense in depth, with toolchains supporting memory-safe languages such as Ada and Rust, formal verification through SPARK, Static Analysis for Ada, C/C++, and Rust, and unit testing through GNATtest.

Bridging the Verification Gap: Fuzzing for the Unknown

There is one gap in defense in depth that many projects do not cover sufficiently: the "unknown unknowns", those rare corner cases that slip even the most rigorous procedures of producing high-integrity software. The problem is that these corner cases become harder to find as the amount of software increases. This is where fuzz testing (or fuzzing) comes into play. By feeding massive amounts of semi-randomly generated data into a program to trigger crashes or anomalies, fuzzing uncovers hard-to-reach bugs that humans often fail to imagine.

While fuzzing is widely accepted as an effective technique for significantly increasing an application's security and robustness, it is also well known that fuzzing involves a steep learning curve and significant manual effort. Mainstream fuzzers require engineers to manually identify target subprograms, write custom test harnesses, create a starting corpus, and manage individual fuzzing campaigns. That is a lot of overhead for teams to manage.

This is where AdaCore’s GNATfuzz steps in. It offers a fuzz-testing solution that automates and simplifies the manual, non-intuitive steps of using fuzzers effectively in a professional setting, whether in host or target environments. This automation is achieved through a series of commands that handle the different stages required to detect and fuzz a suitable entry point in a program (typically called a fuzzable subprogram).

The latest release of GNATfuzz further automates the work required to fuzz large applications through the GNATfuzz "fuzz-everything" workflow.

The fuzz-everything workflow provides scalability

The core challenge of fuzzing large-scale projects is scalability. If your project has hundreds of subprograms, which ones should you fuzz? How do you manage the overhead of creating and running a hundred different campaigns?

The new fuzz-everything workflow in GNATfuzz answers these questions by automating and scaling fuzz-testing for large code bases. Instead of targeting one subprogram at a time, it detects all fuzzable subprograms in a project. It then automatically runs all GNATfuzz stages to prepare, launch, and monitor a fuzz-testing campaign for all of the identified fuzzable subprograms or a user-selected subset. Furthermore, it parallelizes execution whenever possible to speed up the process.

How it Works: Inspect and Test

The workflow is designed to be seamless. It typically starts with the inspect command:

$ gnatfuzz fuzz-everything inspect -P my_project.gpr

This command scans your project and provides a high-level overview of your "fuzzing surface." It identifies subprograms that are prime candidates for testing, often called fuzzable. It also indicates other important parameters that the user should consider during a fuzz-everything session, such as the number of available cores on their system.

Once you’re ready, you trigger the campaign via the test command (in its simplest configuration):

$ gnatfuzz fuzz-everything test -P my_project.gpr

The workflow will handle the heavy lifting of orchestrating fuzz testing for all fuzzable subprograms and managing execution across your available CPU cores.

Project-Wide Insights

The real magic happens after the fuzzing starts. Because it operates project-wide, fuzz-everything doesn’t just give you a list of crashes; it also provides an aggregated project-wide coverage report using GNATcoverage. This allows developers to see exactly which parts of the source code have been "stressed" by the fuzzer and, perhaps more importantly, which parts remain untested. It also helps track progress across multiple fuzz-everything sessions.

GNATtest Integration

Fuzz-everything will store all test cases generated within a campaign in a JSON format. GNATtest can automatically load this JSON file and use all its test cases for GNATtest-generated test harnesses of the same project.

Why This Matters

GNATfuzz’s fuzz-everything workflow brings three critical advantages:

• Automation at Scale: The fuzz-everything workflow significantly automates vulnerability and security testing by transforming the traditionally manual effort involved in fuzzing multiple subprograms into a scalable, push-button process.
• Early Discovery: By running regular project-wide fuzzing campaigns during development, you can catch vulnerabilities, such as buffer overflows and logic errors, long before the code reaches integration.
• Unified Ecosystem Integration: GNATfuzz doesn't live in a vacuum. It shares test-case and coverage formats with the rest of the GNAT Dynamic Analysis Suite. This means your fuzzing results feed directly into the same reporting pipeline you already use for unit testing and structural coverage.

Conclusion

If you are developing high-integrity systems, GNATfuzz can provide the extra layer of security analysis required by modern certification standards. While the fuzz-everything workflow is still in beta, it has been battle-tested with customers running it on demand on dedicated machines, successfully capturing hard-to-find bugs in large code bases.

At AdaCore, we are dedicated to further scaling our Dynamic Analysis Suite to deliver even greater value across the high-integrity software landscape. The 'fuzz-everything' workflow represents a significant advancement in our mission. Ongoing enhancements to GNATfuzz continue to solidify its position as a cornerstone of the modern software verification pipeline.

To learn more about GNATfuzz and the GNAT Dynamic Analysis Suite, visit our documentation or contact us for a demo.