GNATfuzz is available as part of the GNAT Dynamic Analysis Suite.
GNATfuzz leverages compiler-assisted fuzzing to detect software bugs and exploitable vulnerabilities.
Fuzzing (or fuzz testing) is an automated testing technique that automatically and repeatedly executes tests and generates new test cases at a very high frequency to detect faulty behavior of the system under test. Such erroneous behavior is captured by monitoring the system for triggered exceptions, failing built-in assertions, and signals such as SIGSEGV.
Fuzz testing is widely associated with cybersecurity. It has proven to be an effective mechanism for finding corner-case vulnerabilities that traditional human-driven verification mechanisms, such as unit and integration testing, can miss. Such vulnerabilities can often lead to malicious exploitations.
However, fuzz-testing campaigns are complex and time-consuming to construct, execute and monitor. GNATfuzz simplifies the process by analyzing a code base and identifying subprograms that can act as fuzz-test entry points. GNATfuzz then automates the creation of test harnesses suitable for fuzzing. In addition, GNATfuzz will automate the building, executing and analyzing of fuzz-testing campaigns.
GNATfuzz is a valuable tool for all Ada software across the entire spectrum of application domains. It is also essential in systems requiring high levels of security assurance, and security-related safety assurance, since it simplifies the effort needed to implement fuzz-testing campaigns that meet the objectives of certification standards such as ED-202A and DO-326A.
Automated Fuzz Test Harness Generation and Build Mechanism
GNATfuzz automates the production of fuzz test harnesses to wrap fuzzable Ada subprograms under test. The generated harness decodes mutated binary test case files and sends the data directly into the subprogram under test.
In addition, a supporting build, execute and coverage analysis infrastructure is also automatically generated.
Automated Starting Corpus Generator
Each fuzz testing campaign requires an initial set of input data known as the "Starting Corpus".
The aim with corpus generation is to provide a wide range of meaningful values in order to maximize the chances of each test case finding a new path of execution through a subprogram's control flow graph. GNATfuzz can automate the generation of an Ada-aware Starting Corpus for Ada fuzz testing campaigns.
Automated Fuzz Testing Campaign Execution, Monitoring and Stopping
A key design requirement of GNATfuzz is to encapsulate the complexity of setting up and executing smart-grey-box fuzz tests through the use of automation and encapsulation.
Executing Ada fuzz testing campaigns through GNATfuzz is as simple as invoking "GNATfuzz fuzz" on the automatically generated test harness GPR file.
However, behind the scenes, sophisticated GCC compiler passes are invoked on the user code to add instrumentation around the assembly level basic blocks. The back-end AFL++ fuzzing engine is then invoked to mutate the generated Starting Corpus and inject new test cases into the automatically generated test harness. Test cases that find a new path of execution are retained and will undergo further mutations. This ensures the fuzzer is able to explore deeper into the code base than other forms of random injection testing. If, during test execution, an anomaly is detected, the associated test case is kept. This ensures that software bugs, and therefore potential security vulnerabilities, can be easily reproduced and fixed.
GNATfuzz includes a seamless and fully automated integration with GNATcoverage ensuring that a statement-coverage analysis of the fuzz testing campaign is made available in realtime.
GNATfuzz allows the user to define a "Stopping Criteria'' for each fuzzing campaign. This is used to stipulate the conditions under which sufficient evidence has been collated to argue a satisfactory level of security assurance has been observed.
IDE Integration and Test Replay
Users of GNAT Studio can benefit from an integration of GNATfuzz directly into their development environment. The plugin provides a simplified invocation of all GNATfuzz features through IDE context menus. In addition, a realtime visual representation of coverage analysis and the ability to replay test cases within a debug environment is also provided.
Guidelines and Considerations Around ED-203A / DO-356A Security Refutation ObjectivesRead the Paper