Advanced Fuzz Testing

GNATfuzz leverages compiler-assisted fuzzing to detect software bugs and potentially exploitable vulnerabilities.

An early beta test release of GNATfuzz will be made available to existing GNAT Pro subscribers. In addition, if you'd like to be kept informed about the development of GNATfuzz please use the form below to register your interest. GNATfuzz is available as part of the GNAT Dynamic Analysis Suite.


Key Features



Automated User Code Analysis

GNATfuzz identifies "fuzzable subprograms" within an Ada application that can be used as fuzz test injection points.


Automated Fuzz Test Harness Generation and Build Mechanism

GNATfuzz automates the production of fuzz test harnesses to wrap fuzzable Ada subprograms under test. The generated harness decodes mutated binary test case files and sends the data directly into the subprogram under test.

In addition, the supporting build, execution and coverage-analysis infrastructure is generated automatically.


Automated Starting Corpus Generator

Each fuzz testing campaign requires an initial set of input data known as the "Starting Corpus".

The aim with corpus generation is to provide a wide range of meaningful values in order to maximize the chances of each test case finding a new path of execution through a subprogram's control flow graph. GNATfuzz can automate the generation of an Ada-aware Starting Corpus for Ada fuzz testing campaigns.


Automated Fuzz Testing Campaign Execution, Monitoring and Stopping

A key design requirement of GNATfuzz is to encapsulate, through automation, the complexity of setting up and executing smart grey-box fuzz tests.

Executing Ada fuzz testing campaigns through GNATfuzz is as simple as invoking "GNATfuzz fuzz" on the automatically generated test harness GPR file.

However, behind the scenes, sophisticated GCC compiler passes are invoked on the user code to add instrumentation around the assembly-level basic blocks. The back-end AFL++ fuzzing engine is then invoked to mutate the generated Starting Corpus and inject new test cases into the automatically generated test harness. Test cases that find a new path of execution are retained and undergo further mutation. This allows the fuzzer to explore deeper into the code base than other forms of random-injection testing. If an anomaly is detected during test execution, the associated test case is kept, so that software bugs, and therefore potential security vulnerabilities, can be easily reproduced and fixed.

GNATfuzz includes a seamless and fully automated integration with GNATcoverage, ensuring that a statement-coverage analysis of the fuzz testing campaign is available in real time.

GNATfuzz allows the user to define "Stopping Criteria" for each fuzzing campaign. These stipulate the conditions under which sufficient evidence has been collated to argue that a satisfactory level of security assurance has been observed.
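As an added illustration of the feedback loop and stopping criteria described above (example code written for this page, not GNATfuzz or AFL++ code), the following Python model stands a small constructed target in for the instrumented Ada subprogram: test cases that reach a new control-flow edge are retained for further mutation, crashing cases are kept (one per distinct crash path), and the campaign stops when either an execution budget is exhausted or a run of executions produces no new coverage. All names, the seed corpus and the `b"GNAT"` defect are constructed for the example.

```python
import random

class Anomaly(Exception): pass  # stands in for the crash or unhandled exception a harness reports

def target(data: bytes, trace: list) -> None:
    # Constructed target; block names appended to trace stand in for GCC's AFL++ instrumentation.
    trace.append("entry")
    for i, want in enumerate(b"GNAT"):  # constructed defect, matched one byte at a time
        if i >= len(data) or data[i] != want:
            trace.append("exit")
            return
        trace.append(f"match{i}")
    raise Anomaly("constructed defect reached")

def execute(data: bytes):
    # Run one test case; return (set of executed control-flow edges, crashed flag).
    trace, crashed = [], False
    try:
        target(data, trace)
    except Anomaly:
        crashed = True
    return set(zip(trace, trace[1:])), crashed

def mutate(rng: random.Random, data: bytes) -> bytes:
    # Length-preserving havoc step: overwrite or bit-flip one random byte.
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    buf[i] = rng.randrange(256) if rng.random() < 0.5 else buf[i] ^ (1 << rng.randrange(8))
    return bytes(buf)

def run_campaign(corpus, max_execs=120000, stall_limit=40000, seed=1):
    # Coverage-guided loop; stops on an exhausted budget or stall_limit executions without new coverage.
    rng = random.Random(seed)
    queue, seen, crashes, execs, since_new = [], set(), {}, 0, 0  # crashes: one case per crash path
    def consider(case: bytes) -> None:
        nonlocal since_new
        edges, crashed = execute(case)
        if crashed:
            crashes.setdefault(frozenset(edges), case)
        if edges - seen:  # new path: retain the case so it undergoes further mutation
            seen.update(edges)
            queue.append(case)
            since_new = 0
    for case in corpus:  # the starting corpus is executed first, unmutated
        consider(case)
    while execs < max_execs and since_new < stall_limit:
        execs, since_new = execs + 1, since_new + 1
        parent = queue[-1] if rng.random() < 0.5 else rng.choice(queue)  # favour fresh finds
        consider(mutate(rng, parent))
    return {"queue": queue, "crashes": list(crashes.values()), "edges": seen, "execs": execs}
```

Seeds that add no coverage beyond earlier ones are not retained, which is why a campaign's corpus stays small even as the defect is approached one byte at a time.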


IDE Integration and Test Replay

Users of GNAT Studio can benefit from an integration of GNATfuzz directly into their development environment. The plugin provides simplified invocation of all GNATfuzz features through IDE context menus. In addition, it provides a real-time visual representation of the coverage analysis and the ability to replay test cases within a debug environment.

Resources

AdaCore presented GNATfuzz at the 2021 High Integrity Software conference. Check out the full presentation to learn more about GNATfuzz, fuzz testing in general and the role it can play in software safety and security assurance.

Other Resources

Advanced Fuzz Testing with AFL++ 3.0

Read Blog

Fuzz Testing International Aerospace Guidelines

Read Blog

Guidelines and Considerations Around ED-203A / DO-356A Security Refutation Objectives

Read the Paper

Online Manual (Coming Soon)