Software assurance with samate reference dataset, tool standards, and studies

2007 IEEE/AIAA 26th Digital Avionics Systems Conference Pub Date : 2007-12-04 DOI:10.1109/DASC.2007.4391957

Paul E. Black

{"title":"Software assurance with samate reference dataset, tool standards, and studies","authors":"Paul E. Black","doi":"10.1109/DASC.2007.4391957","DOIUrl":null,"url":null,"abstract":"Today's avionics systems depend more and more on software from many sources: vendors, subcontractors, in-house, and open source. System interactions are exposed to external agents in contexts from air-to-ground links to OS patches downloaded via the Internet. This is a huge amount of software with the risk of attack from distant global sites. Yet users need assurance that the software will work and not create security problems. We focus on NIST's Software Assurance Metrics And Tool Evaluation (SAMATE) project and its contribution. SAMATE is developing specifications, metrics, and automated test suites for software assurance tools. For instance, source code security analyzers can help developers produce software with fewer security flaws. They can also help identify malicious code and poor coding practices that lead to vulnerabilities. The project's publicly available reference dataset, the SRD, contains more than 1800 flawed (and fixed!) program examples to help evaluate software assurance tools and algorithms. These metrics and reference datasets help purchasers confirm tool vendors' claims. We also study the assurance impact of tool use, methods, and techniques.","PeriodicalId":242641,"journal":{"name":"2007 IEEE/AIAA 26th Digital Avionics Systems Conference","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-12-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE/AIAA 26th Digital Avionics Systems Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DASC.2007.4391957","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

Today's avionics systems depend more and more on software from many sources: vendors, subcontractors, in-house, and open source. System interactions are exposed to external agents in contexts from air-to-ground links to OS patches downloaded via the Internet. This is a huge amount of software with the risk of attack from distant global sites. Yet users need assurance that the software will work and not create security problems. We focus on NIST's Software Assurance Metrics And Tool Evaluation (SAMATE) project and its contribution. SAMATE is developing specifications, metrics, and automated test suites for software assurance tools. For instance, source code security analyzers can help developers produce software with fewer security flaws. They can also help identify malicious code and poor coding practices that lead to vulnerabilities. The project's publicly available reference dataset, the SRD, contains more than 1800 flawed (and fixed!) program examples to help evaluate software assurance tools and algorithms. These metrics and reference datasets help purchasers confirm tool vendors' claims. We also study the assurance impact of tool use, methods, and techniques.

查看原文本刊更多论文

具有相同参考数据集、工具标准和研究的软件保证

今天的航空电子系统越来越依赖于来自许多来源的软件:供应商、分包商、内部和开源。从空对地链接到通过互联网下载的操作系统补丁，系统交互暴露给外部代理。这是一个庞大的软件，有来自遥远的全球站点的攻击风险。然而，用户需要确保软件能够正常工作，不会产生安全问题。我们关注NIST的软件保证度量和工具评估(SAMATE)项目及其贡献。SAMATE正在为软件保证工具开发规范、度量和自动化测试套件。例如，源代码安全分析器可以帮助开发人员生成具有更少安全缺陷的软件。它们还可以帮助识别导致漏洞的恶意代码和糟糕的编码实践。该项目的公开参考数据集SRD包含超过1800个有缺陷(和修复!)的程序示例，以帮助评估软件保证工具和算法。这些指标和参考数据集帮助购买者确认工具供应商的声明。我们还研究了工具使用、方法和技术对保证的影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2007 IEEE/AIAA 26th Digital Avionics Systems Conference

自引率

0.00%

发文量