During the process of producing software products, engineers unintentionally create vulnerabilities that are later discovered and mitigated. We hope that by paying greater attention to the early phases of the development lifecycle, we can change the nature of the engineering process to detect and eliminate—and later avoid—vulnerabilities before products ship. We plan to achieve this goal by placing knowledge, techniques, and tools in the hands of engineers to help them understand how vulnerabilities are created and discovered so that they can learn to avoid them. To achieve this goal, we have developed the following related tools.

  • Dranzer discovers certain classes of vulnerabilities in Microsoft Windows ActiveX controls.
  • Basic Fuzzing Framework (BFF) is a mutational file fuzz testing tool that consists of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts.
  • Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.
  • CERT Triage Tools assist software vendors and analysts in identifying the impact of defects discovered through techniques such as fuzz testing.

2010 CERT Vulnerability Discovery Workshop

In February 2010, the CERT/CC hosted a workshop to explore the state of the art and practice of vulnerability discovery. Attendees from five countries included several major software vendors, leading vulnerability researchers, and US-CERT analysts. The formal talks are listed in the below and include links to slides and other materials when available.

  • What Is Vulnerability Discovery—Actors, Methods, and Results (Juhani "Jussi" Eronen, CERT-FI)
    In this presentation, Juhani Eronen discusses vulnerability discovery, who is doing it and why, and how discovery work is being conducted.
  • Zero Knowledge Fuzzing (Vincenzo Iozzo, zynamics)
    The paper and slides demonstrate how to effectively fuzz with no knowledge of the user-input and the binary.
  • A Maze of Twisty Passages all Alike: A Bottom-Up Exploration of Open Source Fuzzers and Fuzzing Frameworks (Matt Franz, SAIC)
    This presentation describes a bottom-up exploration of open source fuzzing tools and frameworks.
  • Effective Fuzzing Strategies  (David Molnar and Lars Opstad, Microsoft)
    This presentation discusses how to know if your fuzzing is effective, describes approaches to take, outlines what to look for during fuzzing, and shows the user how to know how much fuzzing is enough.
  • Realizing the Fuzzing Potential: Precision and Accuracy versus Coverage (Mikko Varpiola, Codenomicon)
    This presentation describes DEFENSICS, a product line of model-based fuzzers for over 200 protocols and interfaces.
  • Instrumented Fuzzing with AIR Integers (Will Dormann and Robert Seacord, CERT)
    In this paper and presentation, Dormann and Seacord present the as-if infinitely ranged (AIR) integer model, which provides a largely automated mechanism for eliminating integer overflow, truncation, and other integral exceptional conditions.
  • Identifying Fault Location in Closed Source Software via Trace Collection and Mining (Jared DeMott, Harris Crucial Security Programs). For more information about this presentation, contact VDA Labs - Execution Mining and VDA Labs - Resources.