AdaCore provides software development and verification technologies for high integrity systems used in aerospace, automotive, and defense applications. Learn more >>
AdaCore’s portfolio supports a defense in depth approach through toolchains for memory safe languages such as Ada and Rust, formal verification with SPARK, static analysis for Ada, C, C++, and Rust, unit testing with GNATtest, and automated fuzz testing through GNATfuzz. In these industries, security is often a mandatory requirement, driven by standards such as ED-202/DO-326 for aviation and ISO/SAE 21434 for automotive.
While these technologies provide comprehensive support for software verification, one challenge often remains. Rare corner cases, sometimes described as so-called “unknown unknowns,” can still escape even rigorous development and verification processes. As software applications continue to grow in size and complexity, identifying these scenarios becomes increasingly difficult.
Closing the Verification Gap with Fuzz Testing
Fuzz testing, or fuzzing, helps uncover these difficult-to-find defects by supplying large volumes of semi-randomly generated input data to a program in an effort to trigger crashes or unexpected behavior. This approach can expose vulnerabilities and software anomalies that developers may not anticipate during conventional verification activities.
Although fuzzing is widely recognized as an effective technique for improving software security and robustness, deploying it has traditionally required considerable expertise and manual effort.
Engineers typically need to identify suitable target subprograms, develop custom test harnesses, create an initial input corpus, and manage individual fuzzing campaigns. For large software projects, these activities can become a significant overhead.
GNATfuzz addresses these challenges by automating and simplifying many of the non-intuitive steps involved in professional fuzz testing, whether in host or target environments. Through a series of commands, the tool performs the stages required to identify and fuzz suitable entry points within an application, typically referred to as fuzzable subprograms.
The latest release of GNATfuzz extends this automation with the introduction of the fuzz-everything workflow, designed to improve scalability when fuzz testing large software projects.
Automating Project-Wide Fuzz Testing
Scalability is one of the primary challenges when fuzzing large code bases. Projects containing hundreds of subprograms require developers to determine which functions should be fuzzed and how to manage the effort involved in creating and running numerous individual campaigns.
The fuzz-everything workflow addresses this by automatically detecting fuzzable subprograms throughout a project. It then executes the required GNATfuzz stages to prepare, launch, and monitor fuzz testing for all identified fuzzable subprograms, or for a user-selected subset. Wherever possible, execution is parallelized to accelerate the process.
Inspecting the Fuzzing Surface
A typical workflow begins with the inspect command:
$ gnatfuzz fuzz-everything inspect -P my_project.gpr
This command analyzes the project to provide a high level overview of its fuzzing surface by identifying subprograms that are suitable candidates for fuzz testing. It also reports additional information that users should consider before launching a campaign, including the number of processor cores available on the system.
Once the project has been inspected, fuzz testing can be started using the test command:
$ gnatfuzz fuzz-everything test -P my_project.gpr
GNATfuzz then orchestrates fuzz testing across the selected fuzzable subprograms while managing execution across the available CPU cores.
Project-Wide Coverage Reporting
In addition to reporting crashes and anomalies, the fuzz-everything workflow generates an aggregated project-wide coverage report using GNATcoverage. This allows developers to identify which areas of the source code have been exercised by fuzz testing and which portions remain untested. The reporting also makes it easier to monitor progress across multiple fuzz-everything sessions.
GNATtest Integration
All test cases generated during a fuzzing campaign are stored in JSON format. GNATtest can automatically import these files and use the generated test cases with GNATtest-generated test harnesses for the same project, allowing fuzz testing results to become part of an existing verification workflow.
Benefits of the Fuzz-Everything Workflow
By automating campaign preparation and execution across multiple subprograms, the fuzz-everything workflow significantly reduces the manual effort traditionally associated with large-scale fuzz testing. Running project-wide campaigns throughout development also helps identify vulnerabilities, including buffer overflows and logic errors, long before code reaches integration.
GNATfuzz also integrates with the GNAT Dynamic Analysis Suite by sharing test case and coverage formats with the suite’s other tools. As a result, fuzz testing results can be incorporated into the same reporting pipeline used for unit testing and structural coverage, providing a more unified verification workflow.
Strengthening Software Verification
For organizations developing high integrity systems, GNATfuzz provides an additional layer of security analysis that can help address the requirements of modern certification standards. Although the fuzz-everything workflow is currently in beta, it has been used by customers running on-demand campaigns on dedicated machines, where it has successfully identified difficult-to-find defects in large code bases.
AdaCore continues to expand the capabilities of its GNAT Dynamic Analysis Suite to improve scalability across the software verification process. The fuzz-everything workflow represents an important step in that effort, with ongoing enhancements to GNATfuzz continuing to expand the capabilities available for software verification.
Additional information about GNATfuzz and the GNAT Dynamic Analysis Suite is available through AdaCore’s documentation, and demonstrations can be arranged by contacting the company.






