NIST improves tool for hardening software against cyber attack

Nov 23, 2011

(PhysOrg.com) -- Computer scientists at the National Institute of Standards and Technology (NIST) have dramatically enlarged a database designed to improve applications that help programmers find weaknesses in software. This database, the SAMATE Reference Dataset (SRD), version 4.0, is a freely available online tool aimed at helping programmers fortify their creations against hackers.

A complex piece of software like an or a usually requires the combined effort of multiple to write up to millions of lines of computer code. Before their software hits the market, it first must be put through its paces to make sure it not only works as desired under a multitude of different circumstances, but also that it is not vulnerable to cyber attack. The act of checking out software in this fashion has become so complicated in and of itself that developers created another type of labor-saving program called a "static analyzer" to help with the checking. Static analyzers doggedly run through the code looking for obvious problems, but they can only find the weaknesses they have been programmed to find—which is where the SRD comes in.

"The SRD is for companies that build static analyzers, whose use is expanding within the software industry," says SRD project leader Michael Koo. "It will help their products catch the most common errors in the software they are supposed to check. It brings rigor into software assurance, so that the public can be more confident that there are fewer dangerous weaknesses in the software they use."

The weaknesses might be compared to grammatical errors in a page of writing—errors that inadvertently instruct a computer to do things that leave itself open to . SAMATE, which stands for Software Assurance Metrics And Tool Evaluation, is a NIST project with the goal of minimizing these errors in commercial software. SRD version 4.0 contains 175 broad categories of weakness types that encompass more than 60,000 specific cases of code errors—an addition of 100 more categories and 30 times the number of cases in SRD version 3.0. Each specific case is about a page of computer code showing a problematic way of composing functions, loops, or logic operations written in languages such as Java, C and C++. The dataset is fully searchable by language, type of weakness and code construct, and search results are available in a downloadable Zip file.

The NIST team says the next step for improving the dataset is to include errors in more languages, as well as in far longer stretches of . The 4.0 release includes mostly short examples, but Koo says there are plans to explore vulnerabilities in large open-source software packages of up to a million lines of code and expand the SRD to include these in the near future. "We welcome contributions from other computer security researchers," Koo says.

Explore further: Android gains in US, basic phones almost extinct

More information: The SAMATE Reference Dataset (SRD), version 4.0 is available online at samate.nist.gov/SRD

add to favorites email to friend print save as pdf

Related Stories

NIST releases major update of popular REFPROP database

Apr 13, 2007

The National Institute of Standards and Technology has released an expanded and upgraded version of a popular database, a computer package for calculating the properties and modeling the behavior of fluids.

Software 'Chipper' Speeds Debugging

Oct 01, 2007

Computer scientists at UC Davis have developed a technique to speed up program debugging by automatically "chipping" the software into smaller pieces so that bugs can be isolated more easily.

Software That's Resilient Against Hacker Attack

Oct 29, 2009

(PhysOrg.com) -- A team of researchers headed by Martin Rinard, a professor of computer science at MIT, have developed new software that automatically patches errors in deployed software in a matter of minutes.

Java Security Traps Getting Worse

May 10, 2007

A year ago at JavaOne , Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled " 12 Java Technology Security Traps and How to Avoid Them ."

Recommended for you

Android gains in US, basic phones almost extinct

19 hours ago

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

Hackathon team's GoogolPlex gives Siri extra powers

Apr 17, 2014

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

Impact glass stores biodata for millions of years

(Phys.org) —Bits of plant life encapsulated in molten glass by asteroid and comet impacts millions of years ago give geologists information about climate and life forms on the ancient Earth. Scientists ...