Latest Posts

More Posts

Anatomy and Taxonomy of a Fuzzer

Fuzzing is an increasingly popular method for software and hardware quality assurance. A fuzzer is a program or framework that generates pseudo-random inputs, evaluates them, and measures the success or failure of the evaluations. This may be a greatly oversimplified explanation, but it bears the familiar look and feel of test vector sets and unit test frameworks used by engineers since the advent of computers.


CITL Static Analysis Release

Today CITL is open sourcing our static analysis tooling. Doing so we hope to share our methods for analyzing binary hardening with a wider audience. Our static analysis tooling ingests binary files (PE/ELF/MachO), of multiple architectures (ELF supports: x86, x86-64, arm, arm/thumb, aarch64, mips, ppc) and reports on the hardening of the binary. It supports a range of different hardening techniques via its plugable analyzer model.


CITL Fuzzer Early Data

CITL’s primary research goal has been focused around if we could formalize a technique security practitioners use for identifying potentially vulnerable code. We wanted to know if we could automatically detect patterns that are used for prioritization in a standard security audit? We started with simple questions based on common indicators. For example: “Does using strcpy() more often mean that software will crash more?”.


Recent Press

Slowly but surely, browsers are becoming more secure

The CITL, which thinks of itself as Consumer Reports for software (and has actually partnered with Consumer Reports to broaden its reach), is one of a few independent initiatives that analyzes code and publicly reports on its findings. Its report acknowledges that browsers are challenging to secure because of their inherent complexity. Major browsers contain millions of lines of code to which hundreds of developers contribute.    

–The Parallax

Rating software security Consumer Reports-style

The poor security of much enterprise software can be dramatically improved at low cost with the compile-time equivalents of seatbelts and airbags. With that in mind, the Cyber Independent Testing Lab (CITL) is building a Consumer Reports-style rating systems to grade the security of thousands of software binaries.    


No wonder cybersecurity is so bad - There's no way to measure it

When the founders of a new nonprofit assessing the cybersecurity of software for consumers were trying to develop a scoring system that would rate programs depending on which security features they used, they encountered a “mind-blowing” problem. No one had ever measured how well such features actually worked.    



Our Latest


19 Jan 2018 / Washington D.C.