Announcing the CERT Basic Fuzzing Framework 2.0
Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail in future posts, but we wanted to let you know that it's available so that you can download and try it.
Since we released BFF 1.1 in September last year, we've made a number of improvements to our Linux-based fuzzing environment. We are releasing the updates as BFF 2.0. Our main goal is to make it simpler for the creators of software to get started fuzzing. Along the way, we're trying to discover and refine techniques to increase the efficiency of finding vulnerabilities through fuzzing.
Here's a summary of what we've done:
- BFF has been completely rewritten in Python. After refactoring BFF 1.0 into BFF 1.1 (both written in Perl) to improve performance, we observed that modularizing the component parts of BFF would make it easier to add new features. We were also seeing more and more Python appear in the security community, so we decided to port the BFF code from Perl to Python and break it into modules. The algorithmic improvements made to BFF 1.1 remain in BFF 2.0.
- We added a 'rangefinder' feature to eliminate the need for the user to figure out how much of the input file to fuzz. The rangefinder built in to BFF will automatically adjust the degree of input fuzzing to find more crashes by focusing on the ranges that are most fruitful.
- We totally rewrote the crash minimization code to leverage some combinatorics and probability analysis we have done since BFF 1.1 was released. The new version is both efficient and relentless in its attempts to minimize crashing test cases to only the bits absolutely necessary to differentiate the crashing test case from the known good seed file.
- Logging in BFF uses the Python logging module for all of its logging needs.
- We have also incorporated a few statistics and visualization tools to help with analyzing BFF logs. These are in the analyzers directory in the scripts.zip file.
We'll be posting more about these and possibly other features of BFF 2.0 in the future, but we wanted to share the news so you can start your own fuzzing campaigns. To get started, simply follow these steps:
- Download BFF 2.0 from http://www.cert.org/download/bff
DebianFuzz.zipto a directory of your choice
- Create a snapshot in VMware
- Power on the VM
You may need to verify that the shared folder (
c:\fuzz -> /mnt/hgfs/fuzz) is enabled in the VM preferences. Other virtualization products may work with some additional configuration. See the README file in
scripts.zip for more details.
Note: For those of you who received a copy of BFF 2.0 at our vendor meeting last week, we've made a few bug fixes to the code in
scripts.zip, so you might want to download a fresh copy.