Advanced Fuzz Testing

Key Features

Automated User Code Analysis

GNATfuzz identifies "fuzzable subprograms" within an Ada application that can be used as fuzz test injection points.

Automated Fuzz Test Harness Generation and Build Mechanism

GNATfuzz automates the production of fuzz test harnesses to wrap fuzzable Ada subprograms under test. The generated harness decodes mutated binary test case files and sends the data directly into the subprogram under test.

In addition, a supporting build, execute and coverage analysis infrastructure is also automatically generated.

Automated Starting Corpus Generator

Each fuzz testing campaign requires an initial set of input data known as the "Starting Corpus".

The aim with corpus generation is to provide a wide range of meaningful values in order to maximize the chances of each test case finding a new path of execution through a subprogram's control flow graph. GNATfuzz can automate the generation of an Ada-aware Starting Corpus for Ada fuzz testing campaigns.

Automated Fuzz Testing Campaign Execution, Monitoring and Stopping

A key design requirement of GNATfuzz is to encapsulate the complexity of setting up and executing smart-grey-box fuzz tests through the use of automation and encapsulation.

Executing Ada fuzz testing campaigns through GNATfuzz is as simple as invoking "GNATfuzz fuzz" on the automatically generated test harness GPR file.

However, behind the scenes, sophisticated GCC compiler passes are invoked on the user code to add instrumentation around the assembly level basic blocks. The back-end AFL++ fuzzing engine is then invoked to mutate the generated Starting Corpus and inject new test cases into the automatically generated test harness. Test cases that find a new path of execution are retained and will undergo further mutations. This ensures the fuzzer is able to explore deeper into the code base than other forms of random injection testing. If, during test execution, an anomaly is detected, the associated test case is kept. This ensures that software bugs, and therefore potential security vulnerabilities, can be easily reproduced and fixed.

GNATfuzz includes a seamless and fully automated integration with GNATcoverage ensuring that a statement-coverage analysis of the fuzz testing campaign is made available in realtime.

GNATfuzz allows the user to define a "Stopping Criteria'' for each fuzzing campaign. This is used to stipulate the conditions under which sufficient evidence has been collated to argue a satisfactory level of security assurance has been observed.

IDE Integration and Test Replay

Users of GNAT Studio can benefit from an integration of GNATfuzz directly into their development environment. The plugin provides a simplified invocation of all GNATfuzz features through IDE context menus. In addition, a realtime visual representation of coverage analysis and the ability to replay test cases within a debug environment is also provided.