
NIST SAMATE Project and OMG

Michael Kass

NIST Information Technology Laboratory

http://samate.nist.gov

March 11, 2008


Overview

  • NIST SAMATE Project

  • Testing the Tools

  • Automated Test Case Generation

  • CWE Formalization

  • SAMATE and CWE Effectiveness Program

  • TCG: Where are we now?

  • Other SAMATE work


SAMATE: Software Assurance Metrics and Tool Evaluation Project

  • Co-sponsored by DHS to:

    • Create tests and tool specifications for software assurance (SwA) tool evaluations

    • Develop metrics for measuring SwA tool effectiveness

    • Identify gaps in current SwA technology

    • Make recommendations to DHS for areas of research


Testing the Tools

  • SAMATE Reference Dataset (SRD)

    • Online repository of tool tests

    • Thousands of source code samples containing examples of CWEs

      • Discrete tests – developed by NIST, contributed by tool developers, academia and public

      • Tests are based upon the interpretation of a particular weakness definition (currently there are no formal white-box definitions)

      • Tests are freely available at http://samate.nist.gov/SRD


Automated Test Case Generation (TCG)

(Slide diagram labels: Formal CWE Definitions (SBVR/KDM), KDM)

  • Funded by DHS

  • Part of the SAMATE effort to expand the SRD to cover as many CWEs as possible

  • Based upon OMG MDA Technology (MOF, UML, XMI)

    • Uses formalized CWE definitions (SBVR)

      • Contractual formalization, based on the OMG standard Semantics of Business Vocabulary and Rules (SBVR), and

      • Technical formalization, based on the OMG standard Knowledge Discovery Metamodel (KDM)

(Slide diagram labels: Code Analysis Tool, Tool Tests (code))


CWE Formalization

  • White-box definitions: focus on the structural patterns of the inner components and their interactions (which determine certain observable behavior)

    • Provide “compliance points” that:

      • Describe patterns of code (as they can be directly identified in code)

      • Identify discernable properties of patterns of code

      • Enable automation

      • Enable direct step-by-step comparisons of the decision procedures implemented within tools


SAMATE and CWE Effectiveness Program

  • Long-term goal: to auto-generate tool tests using formal CWE definitions, in collaboration with MITRE’s CWE Effectiveness program

    • Provide tests “ad hoc” to tool developers

    • Developers run tests against their tool

    • Developers can publish test results


TCG: Where are we now?

  • TCG Status:

    • Can generate tests for 3 CWEs

    • Near term, NIST will expand formal CWE definitions to 25 “high priority” CWEs, selected based upon their:

      • Occurrence

      • Severity

      • Recognition by tools today

    • Long term, TCG will cover as many CWEs as possible

      • With coding complexities


Other SAMATE Projects

  • Ongoing work

    • Developing tests for web application scanners

    • Adding to existing tests for source code security analyzers

    • Performing tool effectiveness studies

  • New areas

    • Testing binary analyzers

    • The Static Analyzer Tool Exposition (SATE)

    • Software transparency/pedigree information

    • Malware research protocols