Will Dormann
Software Engineering Institute
Will Dormann is an SEI alumni employee.
Will Dormann has been a software vulnerability analyst with Carnegie Mellon Software Engineering Institute's CERT Coordination Center (CERT/CC) since 2004. His focus area includes web browser technologies, ActiveX, and fuzzing. Will has discovered thousands of vulnerabilities through the use of fuzzing tools and other techniques.
Publications by Will Dormann
-
Attacking COM via Word RTF
March 30, 2021 • Presentation
Will Dormann
Learn how Microsoft Word 2019 on Windows 10 is not too different from the IE6 ActiveX attack surface.
read -
Death by Thumb Drive
July 16, 2019 • Presentation
Will Dormann
In this talk, Will Dormann discusses how to use CERT BFF to fuzz filesystems, and how to analyze kernel-level crashes.
read -
Keep it Like a Secret: When Android Apps Contain Private Keys
April 17, 2018 • Presentation
Will Dormann
This presentation was given by Will Doorman, member of the CERT Technical staff, at the 2018 BSidesSF Conference on April 15 and April 16, 2018 at the City View at Metreon.
read -
CERT BFF: From Start to PoC
June 09, 2016 • Presentation
Will Dormann
This presentation describes the CERT Basic Fuzzing Framework (BFF) from start to PoC.
read -
Web Traffic Analysis with CERT Tapioca
November 30, 2015 • Webinar
Will Dormann
Will Dormann discusses a tool that shows whether a connection to the web is secure and what information is being transmitted.
watch -
How We Discovered Thousands of Vulnerable Android Apps in 1 Day
August 18, 2015 • Presentation
Joji MontelibanoWill Dormann
In this presentation, we will describe our methodology in discovering these vulnerabilities, and recommend mitigation strategies for both developers and users.
read -
Heartbleed: Analysis, Thoughts, and Actions
May 13, 2014 • Webinar
Will DormannRobert FloodeenBrent Kennedy
Panelists discussed the impact of Heartbleed, methods to mitigate the vulnerability, and ways to prevent crises like this in the future.
watch -
Source Code Analysis Laboratory (SCALe)
April 01, 2012 • Technical Note
Robert C. SeacordWill DormannJames McCurley
In this report, the authors describe the CERT Program's Source Code Analysis Laboratory (SCALe), a conformance test against secure coding standards.
read -
Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems
December 01, 2010 • Technical Report
Robert C. SeacordWill DormannJames McCurley
In this report, the authors describe the Source Code Analysis Laboratory (SCALe), which tests software for conformance to CERT secure coding standards.
read -
As-If Infinitely Ranged Integer Model
November 01, 2010 • Presentation
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Thomas Plum (Plum Hall, Inc.)Will Dormann
This ISSRE 2010 paper describes the AIR Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping.
read -
The Power of Fuzz Testing to Reduce Security Vulnerabilities
May 25, 2010 • Podcast
Will DormannJulia H. Allen
In this podcast, Will Dormann urges listeners to subject their software to fuzz testing to help identify and eliminate security vulnerabilities.
learn more -
As-If Infinitely Ranged Integer Model, Second Edition
April 01, 2010 • Technical Note
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Will DormannDavid Keaton
In this report, the authors present the as-if infinitely ranged (AIR) integer model, a mechanism for eliminating integral exceptional conditions.
read -
Instrumented Fuzz Testing Using AIR Integers (Whitepaper)
February 01, 2010 • White Paper
Roger Dannenberg (School of Computer Science, Carnegie Mellon University)Will DormannDavid Keaton
In this paper, the authors present the as-if infinitely ranged (AIR) integer model, which provides a mechanism for eliminating integral exceptional conditions.
read -
Instrumented Fuzz Testing Using AIR Integers (Presentation)
February 01, 2010 • Presentation
Will DormannRobert C. Seacord
In this February 2010 presentation, Will Dormann and Robert Seacord describe how to conduct instrumented fuzz testing using as-if infinitely ranged integers.
read -
Vulnerability Detection in ActiveX Controls through Automated Fuzz Testing
January 01, 2008 • White Paper
Will DormannDaniel Plakosh
In this 2008 paper, the authors explore results of a test of a large number of Active X controls, which provides insight into the current state of ActiveX security.
read