Posted in Vulnerability Discovery
Today we are announcing the release of the CERT Basic Fuzzing Framework Version 2.8 (BFF 2.8). It's been about three years since we released BFF 2.7. In this post, I highlight some of the changes we've made.
To help reduce confusion over our fuzzing tools, the CERT Failure Observation Engine (FOE) is now known as BFF for Windows. For the past few versions, we have been converging the code bases for BFF and FOE into a unified architecture. While a few platform-specific differences remain, the name change reflects the fact that they are now essentially the same product with multi-platform support.
For clarity in this post, I'll refer to BFF for <platform> if we're talking about something platform-specific; otherwise I'll refer to BFF for features that are supported across platforms.
BFF 2.8 has undergone a lot of changes since 2.7. Here is an overview of some of the bigger ones.
BFF for Linux and OSX now uses the same configurable mutators as BFF for Windows. Prior to this release, BFF for Linux and OSX supported only bitwise mutation because it relied on zzuf for both mutation and crash detection. FOE, on the other hand, had configurable mutators from day one, but was available only for Windows. With BFF 2.8, all platforms now default to the bytemut mutator, which we have found to be more effective at searching the input space for crashing test cases.
BFF still uses zzuf on Linux and OSX for crash detection, but all mutation is now done directly in BFF's python code.
Configurable mutators also make a null mutator possible, one that does not modify the input files at all. As a result, BFF for Linux and OSX now supports verify mode, another feature previously available only in FOE on Windows.
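To make the distinction between zzuf-style bitwise mutation, byte-level mutation and the null mutator concrete, here is a small illustrative implementation. It is an added example, not code from BFF or certfuzz: the function names, the per-element `ratio` parameter, the sample seed file and the Hamming-distance measurement are assumptions chosen for illustration and do not reflect how certfuzz implements its mutators.

```python
"""Illustrative input mutators modelled on the distinction BFF 2.8 draws between
bitwise (zzuf-style) and byte-level ("bytemut") mutation, plus a null mutator.

Added example, not code from BFF/certfuzz: the function names, the per-element
`ratio` parameter and the sample seed file are assumptions for illustration."""
import random

# Constructed sample seed file: a made-up chunked header (magic, little-endian
# length, tag) followed by 16 payload bytes.  28 bytes total.
SEED_FILE = b"RIFF" + (24).to_bytes(4, "little") + b"DEMO" + bytes(range(16))


def bitwise_mutate(data: bytes, ratio: float, seed: int) -> bytes:
    """Flip each individual bit with probability `ratio` (what zzuf-style
    fuzzing does).  A touched byte usually ends up one Hamming step from its
    original value, so header fields drift only slightly from the seed's."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < ratio:
                out[i] ^= 1 << bit
    return bytes(out)


def bytemut_mutate(data: bytes, ratio: float, seed: int) -> bytes:
    """Overwrite each byte with a uniformly random value with probability
    `ratio`.  A touched byte can jump to any of 256 values in one step, e.g.
    a small length field becoming 0x00 or 0xFF."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(len(out)):
        if rng.random() < ratio:
            out[i] = rng.randrange(256)
    return bytes(out)


def null_mutate(data: bytes, ratio: float = 0.0, seed: int = 0) -> bytes:
    """Return the input unchanged.  Running a known crasher through a mutator
    that never modifies it is the building block of a verify-style run."""
    return bytes(data)


MUTATORS = {"bitwise": bitwise_mutate, "bytemut": bytemut_mutate, "null": null_mutate}


def mutate(name: str, data: bytes, ratio: float, seed: int) -> bytes:
    """Dispatch to a mutator by name, mirroring a configurable-mutator setup."""
    return MUTATORS[name](data, ratio, seed)


def count_changes(original: bytes, mutated: bytes) -> tuple[int, int]:
    """Return (bytes changed, bits changed); the mutators here preserve length."""
    if len(original) != len(mutated):
        raise ValueError("mutated buffer must keep the original length")
    pairs = list(zip(original, mutated))
    return (sum(a != b for a, b in pairs),
            sum(bin(a ^ b).count("1") for a, b in pairs))


def mean_hamming_per_changed_byte(name: str, data: bytes, ratio: float, trials: int) -> float:
    """Average number of bits by which a *changed* byte differs from the seed,
    over `trials` seeded mutations.  Bitwise mutation at a low ratio stays near 1;
    byte replacement hovers around 4 (a random byte differs in half its bits)."""
    changed_bytes = changed_bits = 0
    for seed in range(trials):
        nb, nbits = count_changes(data, mutate(name, data, ratio, seed))
        changed_bytes += nb
        changed_bits += nbits
    return changed_bits / changed_bytes if changed_bytes else 0.0


if __name__ == "__main__":
    for name in MUTATORS:
        m = mutate(name, SEED_FILE, ratio=0.05, seed=1)
        print(f"{name:8s} changed (bytes, bits)={count_changes(SEED_FILE, m)} head={m[:8].hex()}")
    for name in ("bitwise", "bytemut"):
        print(f"{name:8s} mean bits per changed byte: "
              f"{mean_hamming_per_changed_byte(name, SEED_FILE, 0.05, 200):.2f}")
```

The measurement at the end is the point of the example: a bit flipper moves each byte it touches only about one bit away from the seed's value, whereas byte replacement lands on an arbitrary value, which is one way to see why byte-level mutation explores a file's value space differently. The null mutator returning its input byte-for-byte is what lets the same pipeline re-run a known crashing test case unchanged.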
Verify mode can be useful in a few situations, including the following:
To use BFF in verify mode, do the following:
Drillresults was originally included with FOE 2.0 for Windows as a standalone script that you could run after the fact to identify easily exploitable vulnerabilities among a fuzzing campaign's results. Later we added it to BFF for Linux and OSX, but it remained a standalone script.
In BFF 2.8, drillresults now runs automatically on each crash as part of BFF's post-crash analysis pipeline. Each crashing test case directory now contains a file with the .drillresults extension that holds the analysis for that crash.
Under the hood, we've done quite a bit of refactoring to eliminate redundancies across the Linux and Windows codebases. The overall BFF architecture is now platform agnostic, with OS-specific code implemented in separate modules and subclasses where necessary. This consolidation allows us to more easily add new features across all the platforms that BFF supports without having to duplicate any more code than necessary.
BFF for OSX should work on Mavericks, Yosemite, El Capitan, and Sierra.
BFF for Windows now uses Microsoft's !exploitable version 1.6.
The BFF configuration file, bff.yaml, was simplified to make configuring fuzzing campaigns easier.
BFF includes a utility called updatebff.py in the tools directory. Simply run tools/updatebff.py (or on Windows, tools\updatebff.py) to install the latest certfuzz code from GitHub.
In early 2014 we converted our development process from svn to git, which also allowed us to start pushing work-in-progress code to GitHub. While our day-to-day development still happens in house, having the code available on GitHub allows us to work more directly with, and be more responsive to, outside contributors. It also gives BFF users a place to report bugs or make feature requests.
BFF 2.8 is available for download on our website.