The Vulnerability Discovery Team at Carnegie Mellon University’s Software Engineering Institute CERT Program has released two new software testing tools designed to help developers find vulnerabilities across major operating systems including Microsoft Windows, Mac OS X, and Linux.
The new tools, all available for free, include the CERT Failure Observation Engine and the CERT Linux Triage Tools, as well as enhancements to its CERT Basic Fuzzing Framework tool.
“Our purpose for developing these tools is to help drive change in the software engineering process,” explained Will Dormann, a member of the Vulnerability Discovery Team. “In particular, we want to help software engineers think about security earlier in the software development life cycle. We want to help them detect, eliminate, and avoid vulnerabilities before products ship.”
The following is an overview of each tool:
CERT Failure Observation Engine (FOE) – The FOE extends the capability of the CERT Basic Fuzzing Framework (BFF), a Linux-based file fuzzer originally introduced in May 2010, to Windows.
CERT Linux Triage Tools suite – The Vulnerability Discovery Team designed the CERT Linux Triage Tools to help software vendors and analysts identify the impact of defects discovered through techniques such as fuzz testing and prioritize their remediation in the software development process. The package comprises a triage script and a GNU Debugger (GDB) extension named ‘exploitable’ that classify Linux application defects by severity.
“In 2009, Microsoft released a security extension for the Windows debugger named ‘!exploitable,’” noted Vulnerability Discovery Team member Jonathan Foote. “‘!exploitable’ provides automated crash analysis and security risk assessment for software that runs on the Windows platform. Then Apple released a tool called ‘CrashWrangler’ to do more or less the same thing on crash logs for software running on the Mac OS X platform. In the course of our work, we noted the lack of such a tool for software that runs on the Linux platform. So, we developed the CERT Linux Triage Tools.”
Basic Fuzzing Framework (BFF) – Now in version 2.5, the BFF is a software testing tool that finds defects in applications that run on the Linux and, now, Mac OS X platforms. It performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the process of corrupting well-formed input data in various ways to look for cases that cause crashes.)
“The BFF automatically collects test cases in which software programs crash in unique ways, as well as debugging information associated with the crashes,” the research team explained. “The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.”
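The mutational fuzzing and unique-crash collection described above can be illustrated with the following Python example, which is added here and is not BFF code or anything published by CERT. The target `parse_record`, its record format, and the bucketing key (exception type plus crash location) are assumptions made for the illustration.

```python
import random
import traceback

# Constructed well-formed seed: magic "RF", type, length, payload, checksum.
SEED = b"RF\x01\x05hello" + bytes([sum(b"hello") % 256])

def parse_record(data: bytes) -> bytes:
    """Hypothetical file-consuming target with two planted defects."""
    if len(data) < 4 or data[:2] != b"RF":
        raise ValueError("not a record")            # clean rejection
    rtype, length = data[2], data[3]
    decode = {1: bytes.upper, 2: bytes.lower}[rtype]  # defect: unknown type
    payload = data[4:4 + length]
    checksum = data[4 + length]                     # defect: trusts length field
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")            # clean rejection
    return decode(payload)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Corrupt one to three randomly chosen bytes of the well-formed seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 0) -> dict:
    """Run mutated inputs and keep the first test case for each unique crash."""
    rng = random.Random(rng_seed)                   # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                                # input rejected as designed
        except Exception as exc:                    # unhandled error = "crash"
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.name, frame.lineno)
            crashes.setdefault(key, case)
    return crashes

if __name__ == "__main__":
    for (kind, func, line), case in fuzz(parse_record, SEED).items():
        print(f"{kind} in {func}:{line}  first test case: {case.hex()}")
```

Thousands of failing inputs collapse into two buckets, one per underlying defect, which is what makes the saved test cases practical to hand to a triage step.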
The CERT Vulnerability Discovery Team strives to help engineers understand how vulnerabilities are created and found, with the goal that engineers will learn how to mitigate vulnerabilities in software products before the products are shipped.
More information about the CERT Vulnerability Discovery Team and the software tools can be found here.