NIST SAMATE Project and OMG - PowerPoint PPT Presentation
Presentation Transcript

NIST SAMATE Project and OMG

Michael Kass

NIST Information Technology Laboratory

http://samate.nist.gov

March 11, 2008

Overview
  • NIST SAMATE Project
  • Testing the Tools
  • Automated Test Case Generation
  • CWE Formalization
  • SAMATE and CWE Effectiveness Program
  • TCG: Where are we now?
  • Other SAMATE work
SAMATE: Software Assurance Metrics and Tool Evaluation Project
  • Co-sponsored by DHS to:
    • Create tests and tool specifications for software assurance (SwA) tool evaluations
    • Develop metrics for measuring SwA tool effectiveness
    • Identify gaps in current SwA technology
    • Make recommendations to DHS for areas of research
Testing the Tools
  • SAMATE Reference Dataset (SRD)
    • Online repository of tool tests
    • Thousands of source code samples containing examples of CWEs
      • Discrete tests, developed by NIST and contributed by tool developers, academia and the public
      • Tests are based upon an interpretation of a particular weakness definition (currently there are no formal white-box definitions)
      • Tests are freely available at http://samate.nist.gov/SRD
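To make concrete what a "discrete test" in the SRD looks like, here is an added example in the same shape: a minimal C test case for one weakness, CWE-120 (Buffer Copy without Checking Size of Input), written for this page and not taken from the SRD or from NIST. A case of this kind pairs a "bad" function that deliberately exhibits the weakness with a "good" function that fixes it, marks the line where a tool is expected to report, and carries a small self-check so the case itself can be run. The function names, the buffer size and the sample inputs are constructed for the illustration.

```c
/*
 * Added example (not an SRD entry): the shape of a discrete SRD-style test
 * case for a single weakness, CWE-120 (Buffer Copy without Checking Size of
 * Input). The weakness in cwe120_bad is deliberate; cwe120_good is the fixed
 * counterpart. Names, sizes and inputs are constructed for illustration.
 */
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 16

/* BAD: copies without checking the source length against the destination
 * size. A source longer than DEST_SIZE - 1 bytes overflows `dest`. A static
 * analyzer evaluated against this case is expected to flag the strcpy call. */
void cwe120_bad(char *dest, const char *src)
{
    strcpy(dest, src);  /* <-- expected finding: CWE-120 */
}

/* GOOD: rejects input that does not fit, so the copy never overflows.
 * Returns 0 on success, -1 if `src` (plus its terminator) is too long. */
int cwe120_good(char *dest, size_t dest_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dest_size) {
        return -1;               /* would not fit with the NUL terminator */
    }
    memcpy(dest, src, len + 1);  /* copy including the NUL terminator */
    return 0;
}

/* Self-check for the case: both variants must agree on an input that fits,
 * and only the good variant must reject an input that does not.
 * Returns 0 when the case behaves as described, 1 otherwise. */
int run_case(void)
{
    char bad_buf[DEST_SIZE];
    char good_buf[DEST_SIZE];
    const char *fits = "short input";                                    /* constructed: 11 bytes */
    const char *too_long = "this input is definitely longer than sixteen bytes"; /* constructed */

    cwe120_bad(bad_buf, fits);
    if (cwe120_good(good_buf, sizeof good_buf, fits) != 0) return 1;
    if (strcmp(bad_buf, good_buf) != 0) return 1;

    /* Only the good variant is exercised with the overlong input: feeding it
     * to cwe120_bad would corrupt the stack, which is the point of the case. */
    return cwe120_good(good_buf, sizeof good_buf, too_long) == -1 ? 0 : 1;
}

int main(void)
{
    printf("CWE-120 test case: %s\n", run_case() == 0 ? "PASS" : "FAIL");
    return 0;
}
```

When a case like this is run through a source code security analyzer, the result of interest is whether the tool reports the marked strcpy line in cwe120_bad and stays silent on cwe120_good; the SRD collects many such cases so that a tool's hit and false-positive rates can be measured per weakness.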
Automated Test Case Generation (TCG)

Figure (slide diagram, box labels only): Formal CWE Definitions (SBVR/KDM); KDM; Automated Test Case Generation (TCG); Tool Tests (code); Code Analysis Tool

  • Funded by DHS
  • Part of the SAMATE effort to expand the SRD to cover as many CWEs as possible
  • Based upon OMG MDA technology (MOF, UML, XMI)
    • Uses formalized CWE definitions:
      • Contractual formalization, based on the OMG standard Semantics of Business Vocabulary and Rules (SBVR)
      • Technical formalization, based on the OMG standard Knowledge Discovery Metamodel (KDM)

CWE Formalization
  • White-box definitions: focus on the structural patterns of the inner components and their interactions (which determine certain observable behavior)
    • Provide “compliance points” that:
      • Describe patterns of code (as they can be directly identified in code)
      • Identify discernible properties of those patterns of code
      • Enable automation
      • Enable direct step-by-step comparison of the decision procedures implemented within tools
SAMATE and CWE Effectiveness Program
  • Long-term goal: to auto-generate tool tests from formal CWE definitions, in collaboration with MITRE’s CWE Effectiveness program
    • Provide tests “ad hoc” to tool developers
    • Developers run tests against their tool
    • Developers can publish test results
TCG: Where are we now?
  • TCG status:
    • Can generate tests for 3 CWEs
    • Near term, NIST will expand the formal CWE definitions to 25 “high priority” CWEs, selected by their:
      • Occurrence
      • Severity
      • Recognition by tools today
    • Long term, TCG will cover as many CWEs as possible
      • Including coding complexities (variations in how the weakness appears in code)
Other SAMATE Projects
  • Ongoing work
    • Developing tests for web application scanners
    • Adding to existing tests for source code security analyzers
    • Performing tool effectiveness studies
  • New areas
    • Testing binary analyzers
    • The static analyzer tool exposition (SATE)
    • Software transparency/pedigree information
    • Malware research protocols