GNATfuzz leverages compiler-assisted fuzzing to detect software bugs and potentially exploitable vulnerabilities.
An early beta test release of GNATfuzz will be made available to existing GNAT Pro subscribers. In addition, if you'd like to be kept informed about the development of GNATfuzz please use the form below to register your interest. GNATfuzz is available as part of the GNAT Dynamic Analysis Suite.
Automated Fuzz Test Harness Generation and Build Mechanism
GNATfuzz automates the production of fuzz test harnesses to wrap fuzzable Ada subprograms under test. The generated harness decodes mutated binary test case files and sends the data directly into the subprogram under test.
A supporting build, execution and coverage-analysis infrastructure is generated automatically alongside the harness.
Automated Starting Corpus Generator
Each fuzz testing campaign requires an initial set of input data known as the "Starting Corpus".
The aim with corpus generation is to provide a wide range of meaningful values in order to maximize the chances of each test case finding a new path of execution through a subprogram's control flow graph. GNATfuzz can automate the generation of an Ada-aware Starting Corpus for Ada fuzz testing campaigns.
Automated Fuzz Testing Campaign Execution, Monitoring and Stopping
A key design requirement of GNATfuzz is to hide the complexity of setting up and executing smart grey-box fuzz tests behind automation.
Executing Ada fuzz testing campaigns through GNATfuzz is as simple as invoking "GNATfuzz fuzz" on the automatically generated test harness GPR file.
However, behind the scenes, sophisticated GCC compiler passes are invoked on the user code to add instrumentation around the assembly-level basic blocks. The back-end AFL++ fuzzing engine is then invoked to mutate the generated Starting Corpus and inject new test cases into the automatically generated test harness. Test cases that find a new path of execution are retained and undergo further mutation. This lets the fuzzer explore deeper into the code base than other forms of random injection testing. If an anomaly is detected during test execution, the associated test case is kept, so that software bugs, and therefore potential security vulnerabilities, can be easily reproduced and fixed.
GNATfuzz includes a seamless and fully automated integration with GNATcoverage, ensuring that a statement-coverage analysis of the fuzz testing campaign is available in real time.
GNATfuzz allows the user to define "Stopping Criteria" for each fuzzing campaign. These stipulate the conditions under which sufficient evidence has been collated to argue that a satisfactory level of security assurance has been observed.
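The feedback loop and stopping criteria described above, reduced to a small added example that is not GNATfuzz's or AFL++'s code: compiler-inserted basic-block probes are simulated with a `cov()` call, a constructed toy record decoder (hypothetical format: magic byte 0x47, length byte, payload) stands in for the Ada subprogram under test, and the loop retains cases that hit a new edge, keeps cases that raise an anomaly, and stops on the first anomaly, on an iteration budget, or after a run of cases with no new coverage.

```python
import random

_trace = set()  # edge IDs hit during one run: simulates compiler-inserted basic-block probes

def cov(block_id):
    _trace.add(block_id)

def parse_record(data: bytes) -> int:
    # Toy subprogram under test; constructed, hypothetical format: magic 0x47, length byte, payload.
    cov(0)
    if len(data) < 4 or data[0] != 0x47:
        cov(1); return -1
    if data[1] > len(data) - 2:
        cov(2); return -1
    payload = data[2:2 + data[1]]
    if len(payload) >= 2 and payload[0] == 0xFF:
        cov(3); return payload[0] // payload[1]  # latent bug: ZeroDivisionError if payload[1] == 0
    cov(4); return sum(payload)

def run_case(data: bytes):
    # Execute one test case; return (edges hit, exception or None).
    _trace.clear()
    try:
        parse_record(data); return frozenset(_trace), None
    except Exception as exc:
        return frozenset(_trace), exc

def mutate(rng: random.Random, data: bytes) -> bytes:
    buf, op = bytearray(data), rng.randrange(4)
    if op == 0 and buf: buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x47, 0x7F, 0xFF])  # interesting byte
    elif op == 1 and buf: buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)              # flip one bit
    elif op == 2: buf.append(rng.randrange(256))                                              # grow
    elif buf: del buf[-1]                                                                     # shrink
    return bytes(buf)

def fuzz(seed_corpus, rng_seed=0, max_iters=20000, stall_limit=5000):
    # Stopping criteria: first anomaly, max_iters cases, or stall_limit cases without a new edge.
    rng, corpus, edges, crashes = random.Random(rng_seed), list(seed_corpus), set(), []
    for case in corpus: edges |= run_case(case)[0]
    iters = stall = 0
    while iters < max_iters and stall < stall_limit and not crashes:
        iters += 1
        case = mutate(rng, rng.choice(corpus))
        hit, exc = run_case(case)
        if exc is not None:  # anomaly: keep the case so the bug can be reproduced
            crashes.append((case, exc))
        if hit <= edges:     # nothing new: counts toward the stall criterion
            stall += 1
        else:                # new path: retain the case and mutate it further
            edges |= hit; corpus.append(case); stall = 0
    return {"corpus": corpus, "edges": edges, "crashes": crashes, "iterations": iters}
```

Starting from the single valid seed `b"G\x02ab"`, the loop first retains a case that reaches edge 3 and then, mutating that case, reaches the divide by zero; re-running the saved case reproduces the anomaly.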
IDE Integration and Test Replay
Users of GNAT Studio can benefit from an integration of GNATfuzz directly into their development environment. The plugin provides simplified invocation of all GNATfuzz features through IDE context menus. In addition, a real-time visual representation of the coverage analysis and the ability to replay test cases within a debug environment are also provided.