SAS
From SAMATE
Static Analysis Summit
A SAMATE meeting
PURPOSE
"Black-box" software testing cannot realistically find maliciously implanted Trojan horses or subtle errors that have many preconditions. For maximum reliability and assurance, static analysis must be applied to all levels of software artifacts, from models to source code to byte code to binaries. As noted in the CFP, the goal of this summit is to convene researchers, developers, and government and industrial users to explore the state of the art in software static analysis tools and techniques, with an emphasis on software security. It also serves as a prelude to an international summit in Spring 2007.
We solicit contributions describing basic research, novel applications, experience, and proposals relevant to static analysis tools, techniques, and their evaluation. Questions and topics of particular interest are:
- What is possible with today's techniques?
- What is feasible with today's tools?
- What is NOT possible or feasible with current tools or techniques?
- Where are the gaps that further research might fill?
- What is the minimum performance bar for a source code analyzer?
- Static analysis' contribution to software security assurance
- Flaw catching effectiveness of methods, techniques, or tools
- Benchmarks or reference datasets
- Software security assurance metrics
- How can users, developers, or researchers evaluate the performance of static analysis tools?
- User experience drawing useful lessons or comparisons
SUBMISSIONS
Papers should be from 1 to 8 pages long. Papers exceeding eight pages will not be reviewed. All submissions should clearly identify their novel contributions.
Submit papers electronically in PDF or ASCII text by 20 May 2006 to Liz Fong <efong@nist.gov>. Your submission constitutes permission for us to publish it in workshop proceedings.
We will notify submitters of acceptance by 1 June 2006.
ATTENDANCE and REGISTRATION
You do not have to have an accepted paper to attend. We invite those who develop, use, purchase, or review software security evaluation tools. Academicians who are working in the area of semi- or completely automated tools to review or assess the security properties of software are especially welcome. We are looking for participation from researchers, students, developers, and users in industry, government, and universities.
On-line registration is closed. To register, please send email to Teresa Vicente <teresa.vicente@nist.gov> and pay when you register. NIST's conferences page for SAS has registration contact information.
NIST has a visitor information web page with information on accommodations, directions, and the local area. Please note that the summit will be at NIST North, not on the main campus.
PROGRAM
8:30 - 9:00 : registration
9:00 - 9:30 :
- Welcome - Cita Furlani, Director, Information Technology Laboratory, NIST
- Program Presentation and Charge to Attendees - Paul E. Black
9:30 - 10:20 : moderator: Sam Redwine
- Secure Coding Standards - Robert C. Seacord
- Language Design for Verification - Rod Chapman and Peter Amey
10:20 - 10:45 : Break
10:45 - 12:00 : moderator: Jack Danahy
- Automated Calculation of Software Behavior with Function Extraction (FX) for Trustworthy and Predictable Execution - Richard C. Linger, Stacy J. Prowell, and Mark Pleszkoch
- Support for Whole-Program Analysis and the Verification of the One-Definition Rule in C++ - Dan Quinlan, Richard Vuduc, Thomas Panas, Jochen Härdtlein, and Andreas Sæbjørnsen
- Towards the Industrial Scale Development of Custom Static Analyzers - John Anton, Eric Bush, Allen Goldberg, Klaus Havelund, Doug Smith, and Arnaud Venet
12:00 - 1:00 : Lunch
1:00 - 1:30 : Keynote: Dawson Engler
- Experiences Using Static Analysis to Find Lots of Bugs in Real Code
1:30 - 2:45 : moderator: W. Bradley Martin
- Verification Tools for Software Security Bugs - Frédéric Michaud and Frédéric Painchaud
- A Framework for Creating Custom Rules for Static Analysis Tools - Eric Dalci and John Steven
- High Fidelity Static Analysis for Secure Enterprise Software Requires Platform Knowledge - Nikolai Mansourov, Djenana Campara, Norman Rajala, and Sumeet Malhotra
2:45 - 3:10 : Break
3:10 - 4:00 : moderator: Michael Koo
- A Status Update: The Common Weakness Enumeration - Robert A. Martin and Sean Barnum
- A Source Code Analysis Tool Specification - Michael Kass and Michael Koo
4:00 - 4:30 :
- The next, international meeting: Format & structure? Where? When? Who else should be invited?
PUBLICATION
Accepted papers, along with Dawson Engler's keynote presentation, were published in the workshop proceedings as NIST Special Publication 500-262.
IMPORTANT DATES
20 May 2006 - Paper submission deadline
1 June 2006 - Author notification
13 June 2006 - Final camera-ready copy due
29 June 2006 - Summit
ORGANIZERS
Co-Chairs
| Name | Affiliation | Email |
|---|---|---|
| Paul E. Black | NIST | paul.black@nist.gov |
| Helen Gill | NSF | hgill@nsf.gov |
| W. Bradley Martin | NSA | wbmarti@tycho.nsa.gov |
Program Committee
| Name | Affiliation |
|---|---|
| Freeland Abbott | Georgia Tech |
| Paul Ammann | George Mason U. |
| Paul Anderson | GrammaTech |
| John Anton | Kestrel |
| Ira Baxter | Semantic Designs |
| Rogier Boon | ITsec Security |
| Djenna Campara | KDM Analytics |
| Pravir Chandra | Secure Software |
| Ben Chelf | Coverity |
| Brian Chess | Fortify |
| Jack Danahy | Ounce Labs |
| Elizabeth Fong | NIST |
| Larry Johnsen | Parasoft |
| Michael Kass | NIST |
| Michael Koo | NIST |
| Robert E. Lee | GMRI |
| Robert A. Martin | MITRE Corp. |
| Vadim Okun | NIST |
| Daniel J. Quinlan | LLNL |
| Ioana Rus | Fraunhofer USA |
| Ravi Sandhu | George Mason U. |
| Robert C. Seacord | CERT/CC |
Local Arrangements
Liz Fong
efong@nist.gov
Romain Gaucher
romain.gaucher@nist.gov