The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input.
At the CERT/CC, we have used the FOE infrastructure to find a number of critical vulnerabilities in products such as Adobe Reader, Flash Player, and Shockwave Player; Microsoft Office and Windows; Google Chrome; Oracle Outside In; Autonomy Keyview IDOL; Apple QuickTime; and many others. See Public Vulnerabilities Discovered Using CERT Tools.
Source code for BFF and FOE can be found at https://github.com/CERTCC-Vulnerability-Analysis/certfuzz.
Issues can be reported at https://github.com/CERTCC-Vulnerability-Analysis/certfuzz/issues.
More information about FOE
This software package contains both the source code for the distribution and a binary installer package for Windows. The installer package will attempt to install FOE and its dependent software packages on the system.
If you wish to evaluate the binary installer, it is highly advisable to do so on a non-enterprise system devoted solely to testing.
An ISO image is also available for convenient use within a Windows virtual machine instance.
- CERT Basic Fuzzing Framework BFF - GitHub
- Failure Observation Engine (FOE) tutorial - YouTube
- [PDF] Fuzz Testing for Dummies - fuzzing.info
- Let's Fuzz: IrfanView | SingleHop
- New CERT Tools Help Developers Find Vulnerabilities | SecurityWeek.Com
- A Basic Distributed Fuzzing Framework for FOE - Adobe Blogs