The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. |
At the CERT/CC, we have used the FOE infrastructure to find a number of critical vulnerabilities in products such as Adobe Reader, Flash Player, and Shockwave player; Microsoft Office and Windows; Google Chrome; Oracle Outside In; Autonomy Keyview IDOL; Apple QuickTime; and many others. See Public Vulnerabilities Discovered Using Tapioca.
Source code for BFF and FOE can be found at at https://github.com/CERTCC-Vulnerability-Analysis/certfuzz.
Issues can be reported at https://github.com/CERTCC-Vulnerability-Analysis/certfuzz/issues.
Download FOE |
This software package contains both the source code for the distribution and a binary installer package for Windows. The installer package will attempt to install FOE and its dependent software packages on the system. |
If you wish to evaluate the binary installer, it is highly advisable to do so on a non-enterprise system devoted solely to testing. |
An ISO image is also available for convenient use within a Windows virtual machine instance. |
Other Links