Vulnerabilities are too pervasive in software-based systems to find them all manually. CERT researchers develop automated tools that discover and mitigate software vulnerabilities and transfer them to security researchers, procurement specialists, and software vendors.
There are many places in the software lifecycle where software vulnerabilities can be discovered and mitigated. We develop new automated tools and techniques and put them in the hands of security researchers, procurement specialists, and software vendors to help them improve and evaluate the security of the software ecosystem used by the U.S. Department of Defense (DoD) and the U.S. government (USG).
These tools and techniques are intended to be used by vendors during software development. Still, vulnerabilities exist in delivered software. In a project called "Automating Vulnerability Discovery," we focused on the ability to automatically discover vulnerabilities after software is developed and shipped, without assistance from the software vendor. This approach makes the problem more challenging because we must analyze programs at the binary level. But this requirement is critical in practice because many vendors are reluctant to share access to their products’ source code, which they regard as sensitive and proprietary.
Vulnerabilities are pervasive in software-based systems and protocols, both in traditional IT networks and in those that support critical U.S. infrastructure. Software is written and updated frequently, and there are not enough human analysts to keep pace with the speed of production. Automation is the only way to keep up.
Led by Dr. Edward Schwarz, the Vulnerability Discovery project aims to reduce vulnerabilities in critical DoD and USG systems by improving techniques for automated vulnerability discovery. If vendors adopt our techniques in their software development processes, the DoD will acquire software applications that are hardened—and more secure—before and after they are deployed into the DoD infrastructure.
CERT researchers are working with the startup company ForAllSecure on a new technique for automating vulnerability discovery. We are also using research from the Carnegie Mellon University CyLab.
Our approach to vulnerability discovery builds on an extensive body of work at Carnegie Mellon University and the SEI's CERT Division. This work includes the following techniques:
ForAllSecure is a start-up company on a mission to make software safer. The ForAllSecure team builds software security tools for developers, enterprises, and end users that automatically find vulnerabilities in software at the binary level, using research transitioned from the Carnegie Mellon University CyLab.
ForAllSecure is one of the world’s leading experts on binary concolic execution and is widely known for its Mayhem concolic executor, which recently won DARPA’s Cyber Grand Challenge competition. Concolic execution is a powerful form of symbolic program analysis that describes program executions as logical formulas and solves them to trigger and test new fragments of program code. Concolic execution is known for its ability to trigger code that is difficult to reach, allowing it to find vulnerabilities that other techniques such as fuzzing might miss. This power comes with a price, however, as concolic execution tends to be slow and has not scaled to large programs.
By joining our expertise in fuzzing with ForAllSecure’s expertise in concolic execution, we have been collaborating on a new technique that brings the best of both fuzzing and concolic execution. Fuzzing brings scalability, speed, and the ability to discover vulnerabilities in large, complex programs. Concolic execution allows analysts to omit seed files, making the process of vulnerability discovery easier than ever. It also allows software analysts to test and detect vulnerabilities in code that is difficult for a fuzzer to reach.
BigGrep is a tool used to index and search a large corpus of binary files and uses a probabilistic N-gram based approach to balance index size and search speed.
Learn MoreCERT Tapioca is a network-layer MITM proxy utility that checks for apps that fail to validate certificates and investigates content of network traffic, including HTTP and HTTPS.
Learn MoreCERT BFF is a software-testing tool that finds defects in applications that run on Microsoft Windows, Linux, Mac OS X, and other unix-like platforms.
Learn Morebgpuma is a tool that looks through BGP update files quickly to find direct matches for CIDR blocks and CIDR blocks that contain the initial set and are contained by the initial set.
Learn MoreDranzer is a tool that enables users to examine effective techniques for fuzz testing ActiveX controls.
Learn MoreCERT Triage Tools consist of a triage script and a GNU Debugger (GDB) extension named 'exploitable' that classify Linux application defects by severity.
Learn MoreFailure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.
Learn MoreCERT IPA is an IP address annotation system that provides a repository of IP address information and related tools for accessing the data.
Learn MoreIn this paper, the authors describe lessons learned from coordinating AI and ML vulnerabilities at the SEI's CERT/CC.
ReadModern AI systems pose consequential, poorly understood risks. This blog post explores strategies for framing test and evaluation practices based on a holistic approach to AI risk.
READIn the rush to develop AI, it is easy to overlook factors that increase risk. This post explores AI risk through the lens of confidentiality, governance, and integrity.
READThis post explores concepts of security and safety for neural-network-based AI, including ML and generative AI, as well as AI-specific challenges in developing safe and secure systems.
READDavid Svoboda discusses two vulnerabilities related to Rust, their sources, and how to mitigate them.
ListenThis report describes 11 common vulnerabilities and 3 risks related to application programming interfaces, providing suggestions about how to fix or reduce their impact.
ReadThe SEI has developed a new AI Robustness (AIR) tool that allows users to gauge AI and ML classifier performance with unprecedented confidence.
Learn MoreIn recent weeks several vulnerabilities have rocked the Rust community causing many to question its safety. This post examines two such vulnerabilities.
READ