Cybersecurity and Fuzzing
In today’s world, frequent and sophisticated cybersecurity threats are a reality. The U.S. government and the commercial cyber industry are using a variety of tools to detect and mitigate these threats. These include more secure coding languages, improved software design and development practices, advanced software security testing, real-time network monitoring and adaptation, and post-attack forensic tools.
Fuzzing is an automated software testing technology used to detect software flaws that may leave programs open to cyber exploitation. Fuzzing finds a program’s cyber vulnerabilities by repeatedly introducing different data inputs to test for unwanted behaviors such as crashes or memory faults. Tech companies such as Google and Microsoft employ fuzzing throughout the software development lifecycle, from early development through deployment, to detect and correct software bugs that could lead to cybersecurity exploits by malicious actors.
Why the Vader Modular Fuzzer (VMF)
There is a plethora of open source fuzzers available. The problem is that most fuzzers are designed for a specific category of software and it is not easy to mix and match technologies from different fuzzers to address unique combinations of languages, operating systems, program types, etc. The fuzzing community needs a reusable, composable, modular fuzzing framework.
Draper’s Development of the Vader Modular Fuzzer (VMF)
Draper recognized the need for a modular fuzzing framework in the late 2010s and invested in an internal research and development (IRAD) program to develop a modular fuzzing architecture. Lessons learned from the early Draper IRAD, as well as insights from similar efforts of others such as LibAFL, allowed Draper to advance the concept even further with the Vader Modular Fuzzer.
Draper is providing the Vader Modular Fuzzer (VMF) as an open-source advanced fuzzing architecture. Its development was funded by the Office of Under Secretary of Defense (Research and Engineering) Test Resource Management Center, Test and Evaluation/Science and Technology Program Office. VMF streamlines, facilitates, and simplifies module development and integration, allowing new fuzzing technologies to quickly evolve to meet U.S. government needs.
Accessing and Contributing to VMF
VMF is now available to the public on GitHub and has a companion GitHub repository for early VMF research concepts. In addition, the VMF Government version is available in a separate repository. VMF is being adopted by multiple government agencies, companies and academics, and further development is being initiated by users of this architecture to add to its fuzzing capabilities. Multiple updates are scheduled each year.
For questions about VMF email: vmf@draper.com.