Paul E. Black
The Software Assurance Reference Dataset (SARD)
The Software Assurance Reference Dataset (SARD) has over 450 000 buggy programs in five languages covering more than 150 classes of weaknesses. We describe the principles of the collection and the very diverse content. We explain how to se…
Report on Secure Hardware Assurance Reference Dataset (SHARD) program
Significant vulnerabilities have been found in chips. Computer programs and methods have been developed to prevent, find, and mitigate them. We proposed Secure Hardware Assurance Reference Dataset (SHARD) as a repository of reference examp…
Vulnerability test suite generator (VTSG) version 3
The Vulnerability Test Suite Generator (VTSG) Version 3 can create vast numbers of synthetic programs with and without specific flaws or vulnerabilities. Such programs are useful for measuring static analysis tools. VTSG was designed by th…
SATE VI report
The SATE VI report presents the results of a security-focused bug finding evaluation exercise carried out from 2018 to 2023 on various code bases using static analysis tools. Existing bugs were extracted from bug tracker reports and the CV…
Historical notes on shell sort, Bresenham's algorithm, and the Chinese postman problem
These are historical notes, from those involved, on the names and origins of Shell sort, Bresenham's Algorithm, and the Chinese Postman Problem.
Guidelines on minimum standards for developer verification of software
Executive Order (EO) 14028, Improving the Nation's Cybersecurity, 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes el…
DADS:
The Dictionary of Algorithms and Data Structures (DADS) is a publicly accessible dictionary of generally useful algorithms, data structures, algorithmic techniques, archetypal problems, and related definitions available at https://nist.gov…
SATE VI Ockham Sound Analysis Criteria
Static analyzers examine the source or executable code of programs to find problems. Many static analyzers use heuristics or approximations to examine programs with millions of lines of code for hundreds of classes of problems. The Ockham So…
Evaluation of LV distribution network with active network management under fault conditions
The electrification of heat and transport, and the increased penetration of distributed generation (DG), have the potential to significantly impact thermal constraints, voltage saturation and fault levels of Northern Ireland Electricity Ne…
Formal methods for statistical software
"Statistical software" encompasses several distinct classes of software. This report explains what formal methods, tools, and approaches may be able to increase assurance of results of using statistical software and implementing differential…
Information Exposure (IEX): A New Class in the Bugs Framework (BF)
Exposure of sensitive information can be harmful on its own. In addition, it could enable further attacks. A rigorous and unambiguous definition of information exposure faults can help researchers and practitioners identify them, thus avoi…
SATE V report: ten years of static analysis tool expositions
Software assurance has been the focus of the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) team for many years. The Static Analysis Tool Exposition (SATE) is one of the team's …
Juliet 1.3 test suite: changes from 1.2
The Juliet test suite is a systematic set of thousands of small test programs in C/C++ and Java, exhibiting over 100 classes of errors, such as buffer overflow, OS injection, hardcoded password, absolute path traversal, NULL pointer derefe…
A Software Assurance Reference Dataset: Thousands of Programs With Known Bugs
The Software Assurance Reference Dataset (SARD) is a growing collection of over 170 000 programs with precisely located bugs. The programs are in C, C++, Java, PHP, and C# and cover more than 150 classes of weaknesses, such as SQL injectio…
Impact of code complexity on software analysis
The Software Assurance Metrics and Tool Evaluation (SAMATE) team studied thousands of warnings from static analyzers. Tools have difficulty distinguishing between the absence of a weakness and the presence of a weakness that is buried in ot…
Defeating Buffer Overflow: A Trivial but Dangerous Bug
The C programming language was invented more than 40 years ago. It is infamous for buffer overflows. We have learned a lot about computer science, language design, and software engineering since then. Because it is unlikely that we will st…
Dramatically reducing software vulnerabilities: Report to the White House Office of Science and Technology Policy
The call for a dramatic reduction in software vulnerability is heard from multiple sources, recently from the February 2016 Federal Cybersecurity Research and Development Strategic Plan. This plan starts by describing well known risks: curr…
SATE V Ockham Sound Analysis Criteria
Static analyzers examine the source or executable code of programs to find problems. Many static analyzers use heuristics or approximations to handle programs up to millions of lines of code. We established the Ockham Sound Analysis Criteria…
A Rational Foundation for Software Metrology
Much software research and practice involves ostensible measurements of software, yet little progress has been made on a metrological foundation like the International System of Units (SI) for those measurements since the work of Gray, Hog…