SEI Insights


Vulnerability Insights

Announcing CERT Basic Fuzzing Framework Version 2.8

Posted on by in

Today we are announcing the release of the CERT Basic Fuzzing Framework Version 2.8 (BFF 2.8). It's been about three years since we released BFF 2.7. In this post, I highlight some of the changes we've made.

Your FOE Is Now Your BFF

To help reduce confusion over our fuzzing tools, the CERT Failure Observation Engine (FOE) is now known as BFF for Windows. For the past few versions, we have been converging the code bases for BFF and FOE into a unified architecture. While a few platform-specific differences remain, the name change reflects the fact that they are now essentially the same product with multi-platform support.

For clarity in this post, I'll refer to BFF for <platform> if we're talking about something platform-specific; otherwise I'll refer to BFF for features that are supported across platforms.

Significant Changes

BFF 2.8 has undergone a lot of changes since 2.7 was last released. Here is an overview of some of the bigger changes.

Configurable Mutators (New to Linux and OSX)

BFF for Linux and OSX now use the same configurable mutators as BFF for Windows. Prior to this release, BFF supported only bitwise mutation because it relied on zzuf for fuzzing and crash detection. FOE, on the other hand, had configurable mutators from day one, but was only available for Windows. With BFF 2.8, all platforms now default to using the bytemut mutator, which we have found to be more effective at searching the input space for crashing test cases.

BFF still uses zzuf on Linux and OSX for crash detection, but all mutation is now done directly in BFF's python code.

Verify Mode (New to Linux and OSX)

Having configurable mutators permits us to have a null mutator that does not modify the input files at all. As a result, Linux and OSX now support verify mode, another feature previously available only on FOE on Windows.

Verify mode can be useful in a few situations, including the following:

  1. Say you've previously run BFF against a piece of software and found crashing test cases. At some point, if a newer version of the software becomes available, you might want to check to see which of the test cases are now fixed.
  2. If you've got crashing test cases from another fuzzer, like American Fuzzy Lop (afl) or Peach Fuzzer, you could triage them using verify mode to run each test case through BFF's test case analysis pipeline to collect debugger output, exploitability estimates, core dumps, valgrind output, etc.

To use BFF in verify mode, do the following:

  • Take the old crashing test cases and use them as seed files. This approach can be accomplished using tools/
  • Run them through BFF in verify mode. Remember to configure the campaign to use the new version of the program you want to check them against.
  • Look at the results directory to see which test cases are still a problem.

Drillresults on Every New Crash (All Platforms)

Drillresults was originally included with FOE 2.0 for Windows as a standalone script that you could run to identify easily exploitable vulnerabilities from a fuzzing campaign's results after the fact. Later we added it to BFF for Linux and OSX, but it remained as a standalone script.

In BFF 2.8, drillresults is now run automatically on each crash as part of BFF's post-crash analysis pipeline. Each crashing testcase directory now contains a file with the .drillresults extension containing that information.

Architecture (All Platforms)

Under the hood, we've done quite a bit of refactoring to eliminate redundancies across the Linux and Windows codebases. The overall BFF architecture is now platform agnostic, with OS-specific code implemented in separate modules and subclasses where necessary. This consolidation allows us to more easily add new features across all the platforms that BFF supports without having to duplicate any more code than necessary.

Support for Recent OSX Versions

BFF for OSX should work on Mavericks, Yosemite, El Capitan, and Sierra.

Added !analyze Output (Windows)

BFF for Windows collects !analyze -v output (via CDB) for each unique crashing test case. Microsoft published more information about !analyze in their debugger reference materials.

Updated !exploitable (Windows)

BFF for Windows now uses Microsoft's !exploitable version 1.6.

Simplified Configuration (All Platforms)

The BFF configuration file, bff.yaml, was simplified to make configuring fuzzing campaigns easier.

Self-Update Capability (All Platforms)

BFF includes a utility called in the tools directory. Simply run tools/ (or on Windows, tools\ to install the latest certfuzz code from GitHub.

Contributing and GitHub Availability

In early 2014 we converted our development process from svn to git, which also allows us to start pushing the work-in-progress code to GitHub. While our day-to-day development still happens in house, having the code available on GitHub allows us to work more directly with, and be more responsive to, outside contributors. It also gives BFF users a place to report bugs or make feature requests.

You can find the code on GitHub. You can also report a bug or request a feature on GitHub.

Download BFF

BFF 2.8 is available for download on our website.

For More Information

Complete release notes for BFF 2.8 are available. Finally, we have been maintaining some BFF-related content on our Vulnerability Analysis Wiki:

About the Author

Allen Householder

Contact Allen Householder
Visit the SEI Digital Library for other publications by Allen
View other blog posts by Allen Householder