Enhancing VMF: Source-agnostic Techniques for Code Coverage, Crash Triage, and Harnessing

Funding Agency: Test Resource Management Center via an Engineering Change Plan (ECP) through the DARPA Compartmentalization and Privilege Management (CPM) program
Award: $4,410,000
Dates: 01-DEC-2025 through 31-DEC-2027
Collaborative proposal with the University of Utah and Virginia Tech

The Department of Defense (DoD) Test Resource Management Center (TRMC) has identified fuzzing technologies that enable fuzz testing of DoD systems as a high-priority need and is funding several performers to develop the Vader Modular Fuzzer (VMF). As shown in Figure 1, the proposed effort (red box) will create additional modules for VMF and additional tools for the VMF ecosystem. In particular, the effort will adapt existing technologies and develop new source-agnostic fuzzing techniques for code coverage, crash triage, and harnessing within the VMF ecosystem.


Figure 1. Vader Modular Fuzzer


Beyond its relevance to DoD’s VMF project, the effort will also advance HERCULES, the University of Virginia’s project under the DARPA Compartmentalization and Privilege Management (CPM) program. Compartmentalizing software requires precise dynamic analysis, which in turn requires a robust set of inputs. The VMF effort will provide technologies for generating robust test inputs (inputs that cover the application widely) for dynamic analysis and tracing. The remainder of this section summarizes our technical approach, the intellectual claims, and the deliverables of the proposal.

Software fuzzing faces significant challenges on closed-source binaries. Namely, binaries’ lack of semantic information (e.g., function return and argument types) hampers fuzzers’ ability to inject critical coverage-tracking or bug-detecting probes, to perform post-fuzzing crash triage, and to obtain fuzzable interfaces for the target codebase. Even for open-source software (e.g., APIs), practitioners must painstakingly piece together the correct semantics before obtaining fuzzable interfaces, which currently demands significant manual effort.

The proposed work advances the state of the art in software fuzzing with new techniques that (1) bridge the performance gap between source- and binary-level code coverage tracing; (2) introduce the first fuzzing-oriented sanitizers for binary-only fuzzing; and (3) extend principled automated strategies to the otherwise tedious task of source- and binary-level harnessing. As a whole, the proposed deliverables will improve VMF with more practical, performant, and source-agnostic capabilities for large-scale fuzzing of DoD software.

