Featured Product
This Week in Quality Digest Live

More Videos

Quality Insider Features
Motivate the Right Behavior
Kate Zabriskie
Misguided incentives create misaligned consequences
A Flexi-Work World Needs New Performance Appraisals
Chengyi Lin
The right metrics can align objectives in flexible work arrangements
How to Build Resilience Instead of Chasing Zero Errors
Jake Mazulewicz
Three tips from high-reliability organizations
Motion-Control Technology Aids Precision Automotive Manufacturing
Aaron Heinrich
An optimal process requires an innovative control algorithm
Talking a Walk Could Be a Step Toward Better Negotiation
Dave Gilson
Getting out of the boardroom for a stroll changes how women navigate

More Features

Quality Insider News
NewTek Designs 100th Custom Position Sensor for Downhole Drilling Application
Sensors can be customized to meet unique operating and configuration specifications
MicroRidge Systems Acquired by Riley Tronson and Andy Duvall
Founders John Schuldt and Mary Chisholm retiring after 40 years
Titan Tool Supply Introduces Industrial Micro Fiberscope Series
Reliable, remote visual inspections and diagnostics in hard-to-reach areas
Mettler Toledo Product Inspection Group Introduces HazLoc-Compliant Metal Detectors
Ideal for dusty manufacturing environments, explosive atmospheres
Starrett-Bytewise High-Speed Line Laser Sensors for TGIS Tire Uniformity Machines
Optimized for cured tire runout and bulge measurement
Simplify Electric Motor Component Testing With Marposs’ Automated AST320 Test Bench
With coupling capacitor approach that eliminates the need for an external sensor
OSI Optoelectronics Offers Expanded OEM Optoelectronics Solutions
High-performance standard and custom silicon and InGaAs photodetectors
Food Processors Can ‘Test Drive’ Conveyors
Verifying performance of products on tubular disc and cable conveyors
Vision Engineering Launches New Generation of Mantis Stereo Microscope
Third generation of a successful line

More News

NIST

Quality Insider

Report: Improving Software Tools that Improve Software

Vendors compared their program analysis techniques for the benefit of the entire market.

Published: Monday, July 20, 2009 - 11:33

(NIST: Gaithersburg, MD) -- If the shiny new software on your computer or mobile phone runs without crashing, you may have another computer program to thank—a static analyzer. Static analyzers try to find weaknesses in other programs that could be triggered accidentally or exploited by hackers. A new report by the National Institute of Standards and Technology (NIST) documents the Static Analysis Tool Exposition (SATE), an exercise by NIST and static analyzer vendors to improve the performance of these tools.

The report is the culmination of a lengthy effort to host and then digest the results of SATE, begun in February 2008 to help toolmakers assess their products’ ability to find security defects in other software. Eight tool developers, along with a ninth team of professional reviewers, participated in SATE, which provided a noncompetitive environment for the vendors to compare their program analysis techniques for the benefit of the entire group.

Software assurance tools may be obscure outside the world of professional software development, however, their importance has increased as programs grow longer, more sophisticated, and increasingly are required to interact with other programs over computer networks. The number and subtlety of attacks from hackers has also increased. Because it is impossible to anticipate every combination of inputs a given piece of software might receive, static analyzers attempt to use mathematical and logical tools to rigorously predict the behavior of the program and examine it for weaknesses based on its code or set of instructions.

NIST software assurance expert, Vadim Okun, says SATE was a long-overdue idea. “Most modern software is too lengthy and complex to analyze by hand,” explains Okun. “Additionally, programs that would have been considered secure ten years ago may now be vulnerable to hackers. We’re trying to focus on identifying what in a program’s code might be exploitable.”

The participating vendors brought a range of tools that possessed different features and analyzed programs written in two different languages. According to Okun, the depth of the field made SATE as much a learning experience for the NIST team as it was for the participants.

“We intend to hold more expositions in the future and will use this experience to help shape their focus,” Okun says.

According to the organizers and several participants, a good deal of research remains to be done. The effort was not only highly demanding, but it also showed some goals may be out of reach. While users want static analyzers to find all the problems in a piece of software, but also raise no false alarms, “That’s not achievable,” Okun says. “We want to show people that this isn’t a trivial process, but the tools are improving and it makes good sense to use them.”

The SATE report is available online at http://samate.nist.gov/docs/NIST_Special_Publication_500-279.pdf.

Discuss

About The Author

NIST’s picture

NIST

Founded in 1901, the National Institute of Standards and Technology (NIST) is a nonregulatory federal agency within the U.S. Department of Commerce. Headquartered in Gaithersburg, Maryland, NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.