The SAMATE Project Department of Homeland Security


Static Analysis Tool Exposition (SATE) IV Workshop

Finding Truth in Juliet and CVEs

A SAMATE meeting

from, used with permission


29 March 2012

co-located with the

Software Assurance Forum


McLean, Virginia, USA


Software must be developed to have high quality: quality cannot be "tested in". However auditors, certifiers, and others must assess the quality of software they receive. "Black-box" software testing cannot realistically find maliciously implanted Trojan horses or subtle errors which have many preconditions. For maximum reliability and assurance, static analysis must be used in addition to good development and testing. Static analyzers are quite capable and are developing quickly. Yet, developers, auditors, and examiners could use far more capabilities.

The goals of the Static Analysis Tool Exposition (SATE) IV are to:

  • Enable empirical research based on large test sets
  • Encourage improvement of tools
  • Speed adoption of tools by objectively demonstrating their use on real software
Briefly, participating tool makers run their tools on a set of programs chosen by NIST. Researchers led by NIST analyze the tool reports. This workshop is the first chance the public will have to hear SATE IV observations and conclusions. This year the set of programs includes four large, open-source tools selected for having known (CVE-reported) vulnerabilities and also most of the Juliet test suite, almost 60,000 synthetic test cases in C/C++ and Java.

This workshop has two goals. First, gather participants and organizers of SATE to share experiences, report interesting observations, and discuss lessons learned. The workshop is also an opportunity for attendees to help shape the next exposition, SATE V.

The second goal is to convene researchers, tool developers, and government and industrial users of software assurance tools to define obstacles to urgently-needed software assurance capabilities and identify engineering or research approaches to overcome them.

This workshop follows the SATE 2010 Workshop, SATE 2009 Workhop, Static Analysis Tool Exposition 2008 (at SAW), the Static Analysis Summit II (at SIGAda 2007), and the first Static Analysis Summit in 2006.

Who Should Attend?

Those who develop, use, purchase, or review software assurance tools and have interest in details of tool performance should attend. Academicians who are working in the area of semi- or completely automated tools to review or assess the security properties of software are especially welcome. We encourage participation from researchers, students, developers, and assurance tool users in industry, government, and universities.

Important Date

  • Thursday *, 29 March: Workshop


This is a free event that is open to the public, but registration is required. To pre-register, please call 301-596-6031 or email sending:

  • First and last name
  • Telephone number
  • Organization
  • Country of citizenship
  • Email address

MITRE provides maps, location, and some directions.

Final Program

The program consists of presentations by participants in and organizers of Static Analysis Tool Exposition (SATE) IV.

8:30 AM Welcome to SATE IV - Paul E. Black, NIST, SATE organizer

8:40 SATE IV background, Vadim Okun, NIST, SATE organizer

9:00 Static Analysis @ CTI, Richard Carback, CTI, SATE organizer

9:30 Overview of the Juliet test suite, Tim Boland, NIST, SATE organizer

9:45 break

10:30 Analysis of Synthetic Test Cases (Juliet) Results, Aurelien Delaitre, NIST, SATE organizer

11:15 Summary of LDRA’s participation in SATE 2011, Clive Pygott, LDRA, SATE participant

11:45 AM lunch

1:00 PM Sticking to the Facts II: CAS 2011 Study of Static Analysis Tools, Kathleen Erno, CAS/NSA, SATE contributor

1:30 Top 10 User Mistakes with Static Analysis, Arthur Hicken, ParaSoft, SATE participant

2:30 break

2:50 Some Observations from SATE Result Analysis, Vadim Okun, NIST, SATE organizer

3:15 Discussion session: planning the next SATE Paul E. Black, NIST, SATE organizer

5:00 finish


General Chairs

Paul E. Black (NIST)

Elizabeth Fong (NIST)

Program Planning Committee

George Dands (Convergent Technologies)

Aurelien Delaitre (NIST)

Scott Kagan (Lockheed-Martin)

Vadim Okun (NIST)

NOTE: Date change

This workshop was originally scheduled for Friday, 30 March. The day was changed to Thursday, 29 March. We regret any inconvenience this change of day causes.