The Basic Fuzzing Framework (BFF), available here, is described as a simplified version of automated dumb fuzzing and includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test.
Fuzz testers, or fuzzers, are used by security researchers to find vulnerabilities by sending random input to an application. If the program contains a vulnerability that can leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.
The technique is popular among hackers in the security research community but with the release of this framework, CERT can push businesses to subject all software — whether built or bought — fuzz testing.
This is the second public release of a fuzz testing tool by CERT. Last year, the group released a tool called Dranzer that lets software developers test ActiveX controls for vulnerabilities before the software is released to the public. Dranzer is available as an open-source utility.
CERT’s Will Dorman said he used Dranzer to discover “thousands of vulnerabilities” in ActiveX controls, leading to Microsoft making improvements to Internet Explorer to help minimize the impact of ActiveX vulnerabilities.
A full explanation of the Basic Fuzzer Framework is available on the CERT blog.