CERT

 
 

Vulnerability Discovery

During the process of producing software products, engineers unintentionally create vulnerabilities that are later discovered and mitigated. We hope that by paying greater attention to the early phases of the development lifecycle, we can change the nature of the engineering process to detect and eliminate—and later avoid—vulnerabilities before products ship. We plan to achieve this goal by placing knowledge, techniques, and tools in the hands of engineers to help them understand how vulnerabilities are created and discovered so that they can learn to avoid them.

Our first project in this area was to develop Dranzer, a tool that can discover certain classes of vulnerabilities in Microsoft Windows ActiveX controls. Several prominent information technology vendors are already using Dranzer to help discover vulnerabilities in the ActiveX controls they produce before the products are shipped. We are applying and expanding what we learned from developing that tool to develop tools and techniques that address other technologies.

Our latest vulnerability discovery project is the CERT Basic Fuzzing Framework (BFF). The BFF is a combination of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts. The CERT Vulnerability Analysis Blog has more details about the BFF. Download the BFF to begin fuzzing on your own.


Last updated May 26, 2010