Presentation is loading. Please wait.

Presentation is loading. Please wait.

SATE 2010 Background Vadim Okun, NIST October 1, 2010 The SAMATE Project

Published byMckayla Swanick Modified over 9 years ago

Similar presentations

Presentation on theme: "SATE 2010 Background Vadim Okun, NIST October 1, 2010 The SAMATE Project"— Presentation transcript:

1 SATE 2010 Background Vadim Okun, NIST vadim.okun@nist.gov October 1, 2010 The SAMATE Project http://samate.nist.gov/

2 2 Cautions on Using SATE Data Our analysis procedure has limitations In practice, users write special rules, suppress false positives, and write code in certain ways to minimize tool warnings. There are many other factors that we did not consider: user interface, integration, etc. So do NOT use our analysis to rate/choose tools

3 Overview 3 X X X X Human findings CVE entries Program Buf Leak Race … Security? Quality? Insignificant? False? ? Tool A Tool B Tool C X Tools that work on source code

4 4 SATE 2010 timeline Choose test programs (2 C, 1 C++, 2 Java). Provide them to tool makers (28 June) Teams run their tools, return reports (30 July) Analyze the tool reports (22 Sept) Report at the workshop (1 Oct) Teams submit a research paper (Dec) Publish data (between Feb and May 2011)

5 5 Participating teams Armorize CodeSecure Concordia University Marfcat Coverity Static Analysis for C/C++ Cppcheck Grammatech CodeSonar LDRA Testbed Red Lizard Software Goanna Seoul National University Sparrow SofCheck Inspector Veracode –a service company

6 6 Test cases Dovecot: secure IMAP and POP3 server – C Pebble: weblog server – Java Wireshark - C Google Chrome – C++ Apache Tomcat - Java All are open source programs All have aspects relevant to security From 30k LoC (Pebble) to 4.7M LoC (Chrome) CVE-based pairs (vulnerable and fixed)

7 7 Tool reports XMLHTML DB Original tool formats Teams converted reports to SATE format –Several teams also provided original reports Described environment in which they ran tool Some teams tuned their tools Several teams provided analysis of their tool warnings … SATE format

8 8 Analysis procedure Tool warnings ~60K warnings Select randomly Related to human findings 3 Selection Methods Analyze for correctness and associate Analyze the data Selected warnings Related to CVEs

9 9 Method 1 – Warning Selection For Dovecot and Pebble only We assigned severity if a tool did not Mostly avoid warnings with severity 5 (lowest) Statistically select from each warning class Select more warnings from higher severities Select 30 warnings from each of 10 tool reports –1 report had only 6 warnings –Did not analyze Marfcat warnings Total is 276

10 10 Method 2 – Human findings For Dovecot and Pebble only Security experts analyze test cases A small number of findings –Root cause, with an example trace Find related warnings from tools Goal: focus our analysis on weaknesses found most important by security experts

11 11 Method 3 - CVEs For Wireshark, Chrome, and Tomcat Identify the CVEs –Locations in code Find related warnings from tools Goal: focus our analysis on real-life exploitable vulnerabilities

12 12 Correctness categories True security weakness True quality weakness True but insignificant weakness Weakness status unknown Not a weakness

13 13 Differences from SATE 2009 Add CVE-selected test cases Include a C++ test case Larger test cases: Chrome - 4.7 MLOC More correctness categories (true quality) More detailed guidelines for analysis Still, much can be improved…

14 14 Thanks Romain Gaucher, Ram Sugasi Aurelien Delaitre, Sue Wang, Paul Black, Charline Cleraux, and other SAMATE team members Most of all, the participating teams!

15 15

16 16 Questions What weaknesses exist in real programs? What do tools report for real programs? Do tools find important weaknesses? Focus on tools that work on source code Defects that may affect security Goal is NOT too choose the “best” tools This is the 3 rd SATE (1 st in 2008)

17 17 SATE goals To enable empirical research based on large test sets To encourage improvement and adoption of tools NOT to choose the “best” tools

18 18 SATE common tool output format SQL Injection … Query is constructed with user supplied input … … one or more traces 1 to 5, with 1 – the highest optional that it is true …and other annotation

19 19 Lessons learned Guidelines for analysis often ambiguous – need to be refined even more Our analysis has inconsistencies and lapses Careful analysis takes longer than expected –We do not know the code well Tool interface is important to understand a weakness

20 20 Analysis procedure We cannot know all weaknesses in the test cases Impractical to analyze all tool warnings So analyze the following: Method 1. A subset of warnings from each tool report Method 2. Tool warnings related to manually identified weaknesses

21 21 SATE tool output format Common format in XML For each weakness –One or more trace - locations - line number and pathname –Name of weakness and (optional) CWE id –Severity: 1 to 5 (ordinal scale), with 1 – the highest –Probability that the problem is true positive –Original message from the tool –And other annotation

22 22 Our analysis Correctness of warning Associate warnings that refer to the same (or similar) weakness

Download ppt "SATE 2010 Background Vadim Okun, NIST October 1, 2010 The SAMATE Project"

Similar presentations

Top 10 User Mistakes with Static Analysis Sate IV March 2012.

Top 10 User Mistakes with Static Analysis Sate IV March 2012.
High level QA strategy for SQL Server enforcer

High level QA strategy for SQL Server enforcer
Software by NIC, Secretariat, Port Blair Andaman & Nicobar Administration PROMISE ver 1.2 (PROjects Monitoring and Information System for Enterprise) Slide.

Software by NIC, Secretariat, Port Blair Andaman & Nicobar Administration PROMISE ver 1.2 (PROjects Monitoring and Information System for Enterprise) Slide.
Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology

Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology
Understanding and Detecting Real-World Performance Bugs

Understanding and Detecting Real-World Performance Bugs
Automated Software Testing: Test Execution and Review Amritha Muralidharan (axm16u)

Automated Software Testing: Test Execution and Review Amritha Muralidharan (axm16u)
© Coverity 2010 Coverity Analysis: Improving Quality in the Software Supply Chain Peter Henriksen, Development Manager for Analysis, Coverity October 1,

© Coverity 2010 Coverity Analysis: Improving Quality in the Software Supply Chain Peter Henriksen, Development Manager for Analysis, Coverity October 1,
Understand Database Security Concepts

Understand Database Security Concepts
Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.
Static code check – Klocwork

Static code check – Klocwork
Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.

Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.
Voyager Interest Group Voyager Access Reports: what they are and how they work October 29, 2008.

Voyager Interest Group Voyager Access Reports: what they are and how they work October 29, 2008.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
These courseware materials are to be used in conjunction with Software Engineering: A Practitioner’s Approach, 6/e and are provided with permission by.

These courseware materials are to be used in conjunction with Software Engineering: A Practitioner’s Approach, 6/e and are provided with permission by.
1 Testing. 2 About Testing  The reason the program is in testing is that it probably doesn’t work!  We test to find bugs before our users and hope that.

1 Testing. 2 About Testing  The reason the program is in testing is that it probably doesn’t work!  We test to find bugs before our users and hope that.
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,
Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.

Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.
1 CSc 191 - Senior Project Software Testing. 2 Preface “The amount of required study of testing techniques is trivial – a few hours over the course of.

1 CSc Senior Project Software Testing. 2 Preface “The amount of required study of testing techniques is trivial – a few hours over the course of.
Evaluating Static Analysis Tools Dr. Paul E. Black

Evaluating Static Analysis Tools Dr. Paul E. Black
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

Similar presentations

Ads by Google