CERT
Vulnerability Discovery

During the process of producing software products, engineers unintentionally create vulnerabilities that are later discovered and mitigated. We hope that by paying greater attention to the early phases of the development lifecycle, we can change the nature of the engineering process to detect and eliminate—and later avoid—vulnerabilities before products ship. We plan to achieve this goal by placing knowledge, techniques, and tools in the hands of engineers to help them understand how vulnerabilities are created and discovered so that they can learn to avoid them.

We have developed several projects in this area:

  • Dranzer is a tool that can discover certain classes of vulnerabilities in Microsoft Windows ActiveX controls. Several prominent information technology vendors are already using Dranzer to help discover vulnerabilities in the ActiveX controls they produce before the products are shipped. We are applying and expanding what we learned from developing that tool to develop tools and techniques that address other technologies.
  • The Basic Fuzzing Framework (BFF) is a mutational file fuzz testing tool that consists of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts. A version of the BFF that runs natively on Mac OS X is also available. Visit the BFF homepage to learn more and download a copy to begin fuzzing on your own.
  • The Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.
  • The CERT Triage Tools consist of a triage script and a GNU Debugger (GDB) extension named 'exploitable' that classify Linux application defects by severity. We have developed the CERT Triage Tools in order to assist software vendors and analysts in identifying the impact of defects discovered through techniques such as fuzz testing.
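A minimal mutational file fuzzer, added here to illustrate the approach the BFF and FOE tools take; it is not CERT code and does not use zzuf. It corrupts bytes of a seed file, runs the target once per mutant, and keeps every input that kills the target with a signal. The target program, seed file and crash condition below are constructed for the demonstration.

```python
# Added example (not CERT's code): zzuf-style byte corruption of a seed
# file, one target run per mutant, crash detection by the killing signal.
import hashlib
import os
import random
import signal
import subprocess
import sys
import tempfile

def mutate(seed, ratio, rng=None):
    """Flip one bit in roughly `ratio` of the bytes, at positions chosen by rng."""
    rng = rng or random
    data = bytearray(seed)
    count = min(len(data), max(1, int(len(data) * ratio)))
    for pos in rng.sample(range(len(data)), count):
        data[pos] ^= 1 << rng.randrange(8)
    return bytes(data)

def run_target(cmd, payload, timeout=10):
    """Run cmd on a temp file holding payload; return the signal that killed it (0 = clean exit, SIGALRM stands in for a hang)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".fuzz") as f:
        f.write(payload)
        path = f.name
    try:
        proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout)
        return -proc.returncode if proc.returncode < 0 else 0  # negative = signal
    except subprocess.TimeoutExpired:
        return int(signal.SIGALRM)
    finally:
        os.unlink(path)

def fuzz_campaign(cmd, seed, iterations, ratio=0.1, rng_seed=1):
    """Return {sha256 prefix: (signal, payload)} for each distinct crashing input."""
    rng = random.Random(rng_seed)          # fixed seed makes the run reproducible
    crashes = {}
    for _ in range(iterations):
        payload = mutate(seed, ratio, rng)
        sig = run_target(cmd, payload)
        if sig:
            crashes.setdefault(hashlib.sha256(payload).hexdigest()[:16], (sig, payload))
    return crashes

# Constructed stand-in target: a "parser" that dies with SIGSEGV whenever its
# 4-byte magic header is corrupted, so header mutations show up as crashes.
TOY_TARGET = [sys.executable, "-c", "import os, signal, sys\n"
              "if open(sys.argv[1], 'rb').read()[:4] != b'DEMO': os.kill(os.getpid(), signal.SIGSEGV)"]
SEED_FILE = b"DEMO" + b"\x01\x02\x03\x04"  # constructed 8-byte seed input
```

Running `fuzz_campaign(TOY_TARGET, SEED_FILE, 30)` returns the distinct header-corrupting mutants together with the signal (SIGSEGV) that killed the toy target; a real campaign would point `cmd` at the application under test and feed each kept payload to a triage step such as the GDB 'exploitable' extension.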

Last updated April 18, 2012