The Vulnerability Discovery Team in the SEI’s CERT Program has released two new software testing tools—the CERT Failure Observation Engine and the CERT Linux Triage Tools—as well as an update to its CERT Basic Fuzzing Framework tool. The tools are designed to provide software engineers more options to identify vulnerabilities across the three dominant operating systems: Microsoft Windows, Mac OS X, and Linux. The tools are available from the CERT website free of charge and are subject to the Carnegie Mellon University licensing agreement.
“Our purpose for developing these tools is to help drive change in the software engineering process,” said Vulnerability Discovery Team member Will Dormann. “In particular, we want to help software engineers think about security earlier in the software development life cycle. We want to help them detect, eliminate, and avoid vulnerabilities before products ship.” Dormann added that, by using these tools, software engineers can learn more about how vulnerabilities are created and discovered, which will help them avoid introducing vulnerabilities in future work.
Among the new CERT tools is the CERT Failure Observation Engine (FOE). The FOE extends the capability of the CERT Basic Fuzzing Framework (BFF), a Linux-based file fuzzer first introduced in May 2010, to the Microsoft Windows platform. “We released BFF to increase awareness and adoption of automated, negative software testing,” said Vulnerability Discovery Team member David Warren. “Soon after, however, we began receiving numerous requests to create a Windows analog to the BFF. This is what we’ve done with the FOE.” Warren noted that the FOE is not only effective at identifying vulnerabilities, but features an ease of use not common among other Windows fuzzers.
Also new is the CERT Linux Triage Tools suite. The Vulnerability Discovery Team designed the CERT Linux Triage Tools to help software vendors and analysts identify the impact of defects discovered through techniques such as fuzz testing and prioritize their remediation in the software development process. The package comprises a triage script and a GNU Debugger (GDB) extension named 'exploitable' that classify Linux application defects by severity.
“In 2009, Microsoft released a security extension for the Windows debugger named ‘!exploitable,’” noted Vulnerability Discovery Team member Jonathan Foote. “‘!exploitable’ provides automated crash analysis and security risk assessment for software that runs on the Windows platform. Then Apple released a tool called ‘CrashWrangler’ to do more or less the same thing on crash logs for software running on the Mac OS X platform. In the course of our work, we noted the lack of such a tool for software that runs on the Linux platform. So, we developed the CERT Linux Triage Tools.”
Complementing the two newly released tools, the CERT Vulnerability Discovery Team also released version 2.5 of its Basic Fuzzing Framework (BFF). The BFF is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms. It performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the process of corrupting well-formed input data in various ways to look for cases that cause crashes.) The BFF automatically collects test cases in which software programs crash in unique ways, as well as debugging information associated with the crashes. The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
“The BFF was originally developed for Linux,” explained Vulnerability Discovery Team member Allen Householder. “BFF 2.5 expands support to Mac OS X. It also includes one of our most-requested features, which is the ability to fuzz multiple seed files. BFF now uses a machine learning technique to observe results and adjust its focus to the seed files that produce the most unique crashes.”
The CERT Vulnerability Discovery Team strives to help engineers understand how vulnerabilities are created and found. Team members hope that, with this knowledge, engineers will learn how to mitigate vulnerabilities in software products before the products are shipped. The team’s ongoing effort to develop tools that support the work of software engineers demonstrates its commitment to these goals.
For more information about the CERT Vulnerability Discovery Team, its work, and its software analysis tools, visit http://www.cert.org/vuls/discovery/.
If you are a member of the media or analyst community and would like to schedule an interview with an SEI expert, please contact:
SEI Public Relations
Media Line: 412-268-4793
For other useful information sources, please visit the Contact Us page.