During the process of producing software products, engineers
unintentionally create vulnerabilities that are later discovered and
mitigated. We hope that by paying greater attention to the early
phases of the development lifecycle, we can change the nature of the
engineering process to detect and eliminateand later
avoidvulnerabilities before products ship. We plan to achieve
this goal by placing knowledge, techniques, and tools in the hands of
engineers to help them understand how vulnerabilities are created and
discovered so that they can learn to avoid them.
We have developed several projects in this area:
- Dranzer, is a tool that can discover
certain classes of vulnerabilities in Microsoft Windows ActiveX
controls. Several prominent information technology vendors are already
using Dranzer to help discover vulnerabilities in the ActiveX controls
they produce before the products are shipped. We are applying
and expanding what we learned from developing that tool to develop
tools and techniques that address other technologies.
- The Basic Fuzzing Framework (BFF) is a
mutational file fuzz testing tool that consists of a Debian Linux
virtual machine, the zzuf fuzzer, and a few associated scripts.
A version of the BFF that runs natively on Mac OS X is also available.
Visit the BFF homepage to learn more and
download a copy to begin fuzzing on your own.
- The Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in
applications that run on the Windows platform.
- The CERT Triage Tools consist of a
triage script and a GNU Debugger (GDB) extension named 'exploitable'
that classify Linux application defects by severity. We have developed
the CERT Triage Tools in order to assist software vendors and analysts
in identifying the impact of defects discovered through techniques
such as fuzz testing.
Our vulnerability analysis is incorporated into some of US-CERT's documents: