Enhancing VMF: Source-agnostic Techniques for Code Coverage, Crash Triage, and Harnessing
Funding Agency: Test Resource Management Center via an Engineering Change Plan (ECP) through the DARPA Compartmentalization and Privilege Management (CPM) program
Dates: 01-DEC-2025 through 31-DEC-2027
Collaborative proposal with the University of Utah and Virginia Tech

Figure 1. Vader Modular Fuzzer
In addition to the effort’s relevance to DoD’s VMF project, the effort will also advance HERCULES, the University of Virginia’s Compartmentalization and Privilege Management (CPM) DARPA project. Compartmentalization of software requires precise dynamic analysis, which in turn requires a robust set of inputs. The VMF effort will provide technologies for generating robust test inputs (inputs that cover the application widely) for dynamic analysis and tracing. The remainder of this section summarizes our technical approach, the intellectual claims, and the deliverables of the proposal.
Software fuzzing faces significant challenges on closed-source binaries. Namely, binaries’ lack of semantic information (e.g., function return and argument types) limits fuzzers’ ability to inject critical coverage-tracking or bug-detecting probes, to perform post-fuzzing crash triage, and to obtain fuzzable interfaces for the target codebase. Even for open-source software (e.g., APIs), practitioners must painstakingly piece together the correct semantics before obtaining fuzzable interfaces, which currently demands significant manual effort.
The proposed work advances the state-of-the-art in software fuzzing with new techniques that (1) bridge the performance gap between source- and binary-level code coverage tracing; (2) introduce the first fuzzing-oriented sanitizers for binary-only fuzzing; and (3) extend principled automated strategies to the otherwise tedious task of source- and binary-level harnessing. As a whole, the proposed deliverables will improve VMF with more practical, performant, and source-agnostic capabilities for large-scale fuzzing of DoD software.
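To make the "coverage-tracking probes" and "harnessing" of the two paragraphs above concrete, the following is an added, self-contained example; it is not code from the proposal, from VMF, or from HERCULES. It hand-writes what a source-level fuzzer's compiler pass normally emits automatically: an AFL-style edge-coverage probe at the entry of every basic block of a toy parser, plus a libFuzzer/AFL-shaped harness that reports how many never-before-seen edges an input reaches. The parser (`parse_record`), the block identifiers, the harness name (`fuzz_one_input`) and the sample inputs are all constructed for illustration. Because the probes are placed by hand with the source in view, the example also shows exactly what a binary-only tracer must recover without types or source: block boundaries, a stable block identity, and a place to insert the probe.

```c
/* Added example (not from the proposal, VMF, or HERCULES): hand-inserted
 * AFL-style edge-coverage probes on a toy parser, plus a fuzzing harness.
 * All names and block ids below are illustrative assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COV_MAP_SIZE 65536

/* Shared coverage map: one counter per (prev_block, cur_block) edge. A real
 * source-level pass allocates this in the target and the fuzzer reads it. */
static uint8_t  cov_map[COV_MAP_SIZE];
static uint16_t prev_loc;

/* What the instrumentation pass emits at the start of each basic block.
 * A compiler pass picks a random id per block; fixed literals keep this
 * example deterministic. The XOR of current and (shifted) previous block
 * id identifies the edge, so A->B and B->A map to different counters. */
static void cov_probe(uint16_t cur_loc) {
    cov_map[(cur_loc ^ prev_loc) % COV_MAP_SIZE]++;
    prev_loc = cur_loc >> 1;
}

/* Toy record parser under test: "T:payload", where T is 'A', 'B' or 'C'.
 * Return values are arbitrary; only the control flow matters here. */
static int parse_record(const uint8_t *data, size_t len) {
    cov_probe(0x0101);                                   /* entry block */
    if (len < 2 || data[1] != ':') {
        cov_probe(0x0202);                               /* bad header */
        return -1;
    }
    switch (data[0]) {
    case 'A':
        cov_probe(0x0303);
        return 1;
    case 'B':
        cov_probe(0x0404);
        if (len > 2 && data[2] == '!') {
            cov_probe(0x0505);                           /* "B:!" only */
            return 2;
        }
        return 3;
    case 'C':
        cov_probe(0x0606);
        if (len == 8) {
            cov_probe(0x0707);                           /* needs exact length */
            return 4;
        }
        return 5;
    default:
        cov_probe(0x0808);                               /* unknown type */
        return -2;
    }
}

/* Edges ever hit across the whole campaign ("virgin bits" in AFL terms). */
static uint8_t virgin[COV_MAP_SIZE];

/* Harness in the shape libFuzzer / AFL++ expect (one input per call).
 * Returns the number of edges this input hit for the first time; that is
 * the signal a coverage-guided fuzzer uses to decide whether to keep it. */
int fuzz_one_input(const uint8_t *data, size_t len) {
    memset(cov_map, 0, sizeof cov_map);
    prev_loc = 0;
    parse_record(data, len);

    int new_edges = 0;
    for (size_t i = 0; i < COV_MAP_SIZE; i++) {
        if (cov_map[i] && !virgin[i]) {
            virgin[i] = 1;
            new_edges++;
        }
    }
    return new_edges;
}

/* Forget all previously seen edges (start a fresh campaign). */
void fuzz_reset(void) {
    memset(virgin, 0, sizeof virgin);
}

int main(void) {
    /* Constructed mini-corpus; the second "A:" shows a redundant input. */
    const char *corpus[] = { "A:", "A:", "B:x", "B:!", "C:", "C:123456", "", "Z:" };
    fuzz_reset();
    for (size_t i = 0; i < sizeof corpus / sizeof corpus[0]; i++) {
        int n = fuzz_one_input((const uint8_t *)corpus[i], strlen(corpus[i]));
        printf("%-10s new edges: %d\n", corpus[i], n);
    }
    return 0;
}
```

Each probe here costs a load, an XOR, an increment and a store, which is why compiler-inserted coverage is cheap; a binary-only tracer that cannot see block boundaries typically pays far more per edge (trapping, translation or emulation), which is the performance gap the proposal's first deliverable targets. The map is also where a fuzzing-oriented sanitizer would hook in: the same probe points can carry bug-detecting checks, and the edge index is what crash triage needs to group inputs by the path they took.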
