Thursday, June 10, 2010

CERT Basic Fuzzing Framework

The Basic Fuzzing Framework (BFF) consists of two main parts:
a Linux virtual machine that has been optimized for fuzzing
a set of scripts and a configuration file that orchestrate the fuzzing run

The virtual machine is a stripped-down Debian installation with the following modifications:
The Fluxbox window manager is used instead of the heavy Gnome or KDE desktop environments.
Fluxbox is configured to not raise or focus new windows. This can help in situations where you may need to interact with the guest OS while a GUI application is being fuzzed.
Memory randomization is disabled.
VMware Tools is installed, which allows the guest OS to share a directory with the host.
The OS is configured to automatically log in and start X.
sudo is configured to not prompt for a password.
strip is symlinked to /bin/true, which prevents symbols from being removed when an application is built.
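The shell script below, added here as an example and not part of BFF, checks a guest for the modifications listed above. Each check takes an optional path so it can be pointed at a constructed file instead of the live system; the paths, the fluxbox resource name session.screen0.focusNewWindows and the hgfs mount entry are assumed defaults, not values taken from the BFF page, and the auto-login/X setting is not checked.

```shell
#!/bin/sh
# Guest audit script (added example, not BFF's own code). Each check takes
# an optional path so it can be run against a constructed file. Paths and
# the fluxbox resource name are assumed Debian/fluxbox defaults.
set -u

# Memory randomization: 0 in randomize_va_space means ASLR is off, which is
# what keeps crashes from a fuzzing run reproducible across executions.
aslr_disabled() {
    f=${1:-/proc/sys/kernel/randomize_va_space}
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# strip resolves to /bin/true, so building/installing leaves symbols in place.
strip_is_noop() {
    s=${1:-$(command -v strip 2>/dev/null || true)}
    [ -n "$s" ] && [ "$(readlink -f "$s")" = "$(readlink -f /bin/true)" ]
}

# sudo without a password prompt (reading /etc/sudoers needs root; -r also
# covers a sudoers.d directory if one is passed in).
sudo_nopasswd() {
    f=${1:-/etc/sudoers}
    grep -rq 'NOPASSWD' "$f" 2>/dev/null
}

# Fluxbox configured not to focus new windows (assumed resource name:
# session.screen0.focusNewWindows in ~/.fluxbox/init).
fluxbox_no_focus() {
    f=${1:-${HOME:-}/.fluxbox/init}
    grep -Eq '^session\.screen0\.focusNewWindows:[[:space:]]*false' "$f" 2>/dev/null
}

# VMware shared folder mounted: an hgfs entry appears in the mount table.
shared_dir_mounted() {
    grep -q 'hgfs' "${1:-/proc/mounts}" 2>/dev/null
}

# Run every check against the live system; the return value is the failure count.
report() {
    fails=0
    for chk in aslr_disabled strip_is_noop sudo_nopasswd fluxbox_no_focus shared_dir_mounted; do
        if "$chk"; then
            echo "PASS $chk"
        else
            echo "FAIL $chk"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Only audit the live system when invoked as: sh audit.sh --report
case "${1:-}" in
    --report) report ;;
esac
```

Run it inside the guest with `sh audit.sh --report`; a non-zero exit status is the number of modifications that are missing.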

The fuzzer used by the BFF is Sam Hocevar's excellent zzuf application. zzuf was chosen for its deterministic behavior, its feature set, and its small footprint. By invoking zzuf from a script (, we are able to automate additional aspects of a fuzzing run:
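An orchestration script in the spirit of what the paragraph describes, added here as an example and not BFF's own script. It relies on the property the paragraph names: zzuf is deterministic, so a seed (`-s`) and ratio (`-r`) pair plus the original seed file is enough to regenerate any mutated input, which is all a crash record needs to hold. It assumes a target that takes the input path as its only argument, GNU coreutils `timeout` and `dd`, and a target that reads its input with read() so that zzuf's hook sees it.

```shell
#!/bin/sh
# zzuf campaign driver (added example, not BFF's own code).
# Usage: sh fuzzrun.sh run TARGET SEEDFILE OUTDIR [NSEEDS] [RATIO]
# Assumes: zzuf on PATH, GNU coreutils timeout/dd, TARGET takes one file arg.
set -u

# Exit status -> verdict. The shell reports a child killed by signal N as
# 128+N; timeout(1) reports 124 for a hang; any other nonzero status is an
# ordinary error the target handled itself.
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -eq 124 ]; then
        echo hang
    elif [ "$st" -gt 128 ]; then
        sig=$((st - 128))
        case "$sig" in
            6)  echo crash:SIGABRT ;;
            8)  echo crash:SIGFPE ;;
            11) echo crash:SIGSEGV ;;
            *)  echo "crash:signal$sig" ;;
        esac
    else
        echo "error:$st"
    fi
}

# File name for a saved crasher: seed and ratio are enough to regenerate it.
crash_name() {
    printf 'crash-s%s-r%s-%s' "$1" "$2" "$3"
}

# Produce the mutated input for one seed/ratio pair. zzuf hooks read() in
# the child process, so dd's copy of the seed file comes out mutated.
mutate() {
    zzuf -s "$1" -r "$2" dd if="$3" bs=4096 2>/dev/null > "$4"
}

fuzz_campaign() {
    target=$1; seedfile=$2; outdir=$3; nseeds=${4:-1000}; ratio=${5:-0.001}
    mkdir -p "$outdir"
    tmp=$(mktemp)
    seed=0
    found=0
    while [ "$seed" -lt "$nseeds" ]; do
        mutate "$seed" "$ratio" "$seedfile" "$tmp"
        timeout 10 "$target" "$tmp" >/dev/null 2>&1
        st=$?
        verdict=$(classify_status "$st")
        case "$verdict" in
            crash:*|hang)
                cp "$tmp" "$outdir/$(crash_name "$seed" "$ratio" "${verdict#crash:}")"
                echo "seed $seed ratio $ratio -> $verdict"
                found=$((found + 1)) ;;
        esac
        seed=$((seed + 1))
    done
    rm -f "$tmp"
    echo "$found interesting inputs saved to $outdir"
}

# Only start a campaign when invoked as: sh fuzzrun.sh run ...
case "${1:-}" in
    run) shift; fuzz_campaign "$@" ;;
esac
```

Because the campaign never changes anything but the seed counter, a crash found at seed 37 is re-created with `zzuf -s 37 -r 0.001 dd if=seedfile bs=4096`, which is why the saved file name carries only those two values; with memory randomization disabled in the guest, the target's behaviour on that input is reproducible as well.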

More info and Download:
