Quantifying Minimum-Time-To-Intrusion Based on Dynamic Software Safety Assessment
Final technical rept. Sep 1995-Sep 1998
RELIABLE SOFTWARE TECHNOLOGIES CORP STERLING VA
Pagination or Media Count:
This report presents an overview of the results of a three year DARPA-sponsored effort investigating dynamic software security analysis. This research effort resulted in the design and implementation of two major tool sets FIST and VISTA, each comprised of many individual tools, and the development of a methodology that provides the capability to perform a thorough security analysis on a piece of security-critical software written in C or C. The Fault Injection Security Tool FIST automates white-box dynamic security analysis of software using program inputs, fault injection and assertion monitoring of programs written in C and C. The Visualizing STatic Analysis VISTA Tool provides a way of viewing and navigating static analysis properties of a program. Together these tools provide static and dynamic analysis capabilities that can identify security vulnerabilities in source code before its release. However, a major research issue remains. Though the current approach is able to discover security vulnerabilities through a process of fault injection and dynamic monitoring, the tools themselves are not able to determine whether such an event could occur through standard attacker input at the program interface. This effort only scratched the surface of work on this important problem.
- Computer Programming and Software