
Posts by Allen Householder

The CERT Guide to Coordinated Vulnerability Disclosure

• Blog
Allen Householder

We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into how CVD can go awry and how to respond when it does so....

Vulnerability IDs, Fast and Slow

• Blog
Allen Householder

The CERT/CC Vulnerability Analysis team has been engaged in a number of community-based efforts surrounding Coordinated Vulnerability Disclosure lately. I've written previously about our involvement in the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities. Today I'll highlight our ongoing work in the Forum for Incident Response and Security Teams (FIRST). We are currently active in two vulnerability-related working groups within the FIRST organization: the Vulnerability Coordination SIG (recently merged with the NTIA Multiparty Disclosure working group),...

E Pluribus, Que? Identifying Vulnerability Disclosure Stakeholders

• Blog
Allen Householder

On September 29, Art Manion and I attended the first meeting of the Multistakeholder Process for Cybersecurity Vulnerabilities initiated by the National Telecommunications and Information Administration (NTIA), part of the United States Department of Commerce. There has been ample coverage of the meeting in blogs (e.g., by Dr. Neal Krawetz and by Cris Thomas), mailing lists, and media reports, so I won't attempt to duplicate that information. During the course of the meeting, I became...

Comments on BIS Wassenaar Proposed Rule

• Blog
Allen Householder

Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize our contributions here....

Like Nailing Jelly to the Wall: Difficulties in Defining "Zero-Day Exploit"

• Blog
Allen Householder

During the Watergate hearings, Senator Howard Baker asked John Dean a now-famous question: "My primary thesis is still: What did the president know, and when did he know it?" If you understand why that question was important, you have some sense as to why I am very concerned that "zero-day exploit capability" appears as an operative phrase in the Department of Commerce Bureau of Industry and Security (BIS) proposed rules to implement the Wassenaar Arrangement...

What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?

• Blog
Allen Householder

Hi folks, Allen Householder here. In my previous post, I introduced our recent work in surveying vulnerability discovery for emerging networked systems (ENS). In this post, I continue with our findings from this effort and look at the differences between ENS and traditional computing in the context of vulnerability discovery, analysis, and disclosure....

Vulnerability Coordination and Concurrency Modeling

• Blog
Allen Householder

Hi, it's Allen. In addition to building fuzzers to find vulnerabilities (and thinking about adding some concurrency features to BFF in the process), I've been doing some work in the area of cybersecurity information sharing and the ways it can succeed or fail. In both my vulnerability discovery and cybersecurity information sharing work, I've found that I often learn the most by examining the failures -- in part because the successes are often just cases...

Vulnerability Discovery for Emerging Networked Systems

• Blog
Allen Householder

Hi folks, Allen Householder here. I want to introduce some recent work we're undertaking to look at vulnerability discovery for emerging networked systems (including cyberphysical systems like home automation, networked cars, industrial control systems and the like). In this post I cover the background and motivation for this work, our approach, and some preliminary findings. In future posts I will cover additional results from this effort....

Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler

• Blog
Allen Householder

Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the crash recycling feature. In this post, I will take a closer look at this feature and explain why I think it's so interesting....

A Look Inside CERT Fuzzing Tools

• Blog
Allen Householder

Hi, this is Allen Householder of the CERT Vulnerability Analysis team. If you've been following this blog for a while, you are probably familiar with our fuzzing tools: Dranzer, the CERT Basic Fuzzing Framework (BFF), and the CERT Failure Observation Engine (FOE). While creating tools that can find and analyze vulnerabilities makes up a significant portion of our work in the CERT Vulnerability Analysis team, our focus is on developing and communicating the knowledge we've...

Updates to CERT Fuzzing Tools (BFF 2.6 & FOE 2.0.1)

• Blog
Allen Householder

Hi everybody. Allen Householder from the CERT Vulnerability Analysis team here, back with another installment of "What's new in CERT's fuzzing frameworks?" Today we're announcing the release of updates of both our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.6 and the CERT Failure Observation Engine (FOE) version 2.0.1. The remainder of this post describes the changes in more detail....

CERT Failure Observation Engine 2.0 Released

• Blog
Allen Householder

Hi folks, Allen Householder from the CERT Vulnerability Analysis team here. Back in April, we released version 1.0 of the CERT Failure Observation Engine (FOE), our fuzzing framework for Windows. Today we're announcing the release of FOE version 2.0. (Here's the download.) Although it has only been a few months since we announced FOE 1.0, our development cycle is such that FOE 2.0 actually reflects nearly a year of additional improvements over the 1.0 release....

CERT Basic Fuzzing Framework 2.5 Released

• Blog
Allen Householder

Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post highlights the significant changes....

CERT Failure Observation Engine 1.0 Released

• Blog
Allen Householder

In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform. To this end, we have worked to create a Windows analog to the BFF: the Failure Observation Engine (FOE). Through our internal testing, we've been able to help identify, coordinate, and fix exploitable vulnerabilities in...

Announcing the CERT Basic Fuzzing Framework 2.0

• Blog
Allen Householder

Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail in future posts, but we wanted to let you know that it's available so that you can download and try it....
