During the process of producing software products, engineers
unintentionally create vulnerabilities that are later discovered and
mitigated. We hope that by paying greater attention to the early
phases of the development lifecycle, we can change the nature of the
engineering process to detect and eliminate, and later
avoid, vulnerabilities before products ship. We plan to achieve
this goal by placing knowledge, techniques, and tools in the hands of
engineers to help them understand how vulnerabilities are created and
discovered so that they can learn to avoid them.
Our first project in this area was to develop Dranzer, a tool that
can discover certain classes of vulnerabilities in Microsoft Windows
ActiveX controls. Several prominent information technology vendors are
already using Dranzer to help discover vulnerabilities in the ActiveX
controls they produce before the products are shipped. We are
applying and expanding what we learned from developing that tool to
develop tools and techniques that address other technologies.
Our latest vulnerability discovery project is the CERT Basic Fuzzing Framework (BFF). The BFF is a combination of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts. The CERT Vulnerability Analysis Blog has more details about the BFF. Download the BFF to begin fuzzing on your own.