The SAMATE Project


SATE VI Workshop

(Static Analysis Tool Exposition)

Earning Trust, One Bug at a Time

A SAMATE meeting
https://samate.nist.gov/SATE6Workshop.html


Thursday

19 September 2019

at

MITRE-1

7525 Colshire Drive

McLean, VA 22102

USA


in conjunction with the

Software and Supply Chain
Assurance (SSCA) Forum


Registration

The event is FREE and open to the public; however, registration is required. Please follow the link http://www.mitre.org/software-and-supply-chain-assurance-meetings to complete registration.

Anyone who plans to park a car at MITRE will need to register in advance to receive a parking pass.

Deadlines for registration:

  • Aug 16 for Non-US Citizens
  • Sept 11 for US Citizens and green card holders

SATE Overview

Software must be developed to have high quality: quality cannot be "tested in". However, auditors, certifiers, and others must assess the quality of software they receive. "Black-box" software testing cannot realistically find maliciously implanted Trojan horses or subtle errors that have many preconditions. For maximum reliability and assurance, static analysis must be used in addition to good development and testing. Static analyzers are quite capable and are developing quickly. Yet developers, auditors, and examiners could use far more capabilities.

The goals of the Static Analysis Tool Exposition (SATE) VI are to:

  • Enable empirical research based on large test sets
  • Encourage improvement of tools
  • Speed adoption of tools by objectively demonstrating their use on real software

Briefly, participating tool makers run their tools on a set of programs containing bugs. Researchers led by NIST analyze the tool reports. This workshop is the first chance the public will have to hear SATE VI observations and conclusions.

For this edition, SATE had three tracks:

  • The Classic Track, combining the C and Java tracks from the past SATEs.
  • The Ockham Track, focusing on sound static analysis tools.
  • The Mobile Track, focusing on tools for mobile applications. This track will not be represented at the workshop.

The Classic Track focused on bug injection in a set of five large, open-source programs. The Ockham Track used the Juliet 1.3 C/C++ test suite, circa 64,000 synthetic test cases.

Workshop Goals

This workshop has two goals. First, gather participants and organizers of SATE to share experiences, report interesting observations, and discuss lessons learned. The workshop is also an opportunity for attendees to help shape the next exposition, SATE VII.

The second goal is to convene researchers, tool developers, and government and industrial users of software assurance tools to define obstacles to urgently-needed software assurance capabilities and identify engineering or research approaches to overcome them.

This workshop follows similar workshops for SATE V, SATE IV, SATE 2010, SATE 2009, and SATE 2008 (at SAW), the Static Analysis Summit II (at SIGAda 2007), and the first Static Analysis Summit in 2006.

Who Should Attend?

Those who develop, use, purchase, or review software assurance tools and have interest in details of tool performance should attend. Academicians who are working in the area of semi- or completely automated tools to review or assess the security properties of software are especially welcome. We encourage participation from researchers, students, developers, and assurance tool users in industry, government, and universities.

There is no cost to attend this workshop, but you must register in advance.

Workshop Program

The program consists of presentations by participants in and organizers of SATE VI.

Time | Presentation (Click Title to Download) | Speaker(s) | Organization | Duration
9:00 AM | ⇩ Welcome to SATE VI | Vadim Okun (SAMATE Lead) | NIST | 0:10:00
9:10 AM | ⇩ SATE VI Background | Vadim Okun (SAMATE Lead) | NIST | 0:20:00
9:30 AM | ⇩ Bug Injector | Eric Schulte (Director, Automated Software Engineering) | Grammatech | 0:20:00
9:50 AM | ⇩ Bug Injection in SATE VI | Aure (SATE VI Classic Track Lead) | NIST | 0:20:00
10:10 AM | Break | | | 0:30:00
10:40 AM | ☓ Coverity Results and Experiences for SATE VI | Robin Ristow (Manager, Sales Engineering) | Synopsys | 0:20:00
11:00 AM | ⇩ Challenges Analyzing SATE VI Classic Track with Checkmarx CxSAST | Igor Matlin (Principal Solutions Architect) | Checkmarx | 0:20:00
11:20 AM | ☓ Using Runtime Analysis in C/C++ for Security | Arthur Hicken (Chief Evangelist) | Parasoft | 0:20:00
11:40 AM | Lunch | | | 1:00:00
12:40 PM | ⇩ SATE VI Ockham Sound Analysis Criteria | Paul Black (SATE VI Ockham Track Lead) | NIST | 0:20:00
1:00 PM | ⇩ Feedback about the experience of Frama-C in SATE VI | Andre Maroneze (Researcher/Engineer), Julien Signoles (Researcher/Engineer) | CEA/List | 0:20:00
1:20 PM | ⇩ Synergy Between Sound and Unsound Tools | Matt Rhodes (Application Engineer) | Mathworks | 0:20:00
1:40 PM | Break | | | 0:20:00
2:00 PM | ☓ Manifests, metrics, and test suite designs | Alexander Hoole (Manager, Software Security Research) | Microfocus | 0:20:00
2:20 PM | ⇩ Lessons for CodeSonar from SATE | Paul Anderson (VP, Engineering) | Grammatech | 0:20:00
2:40 PM | ⇩ SATE VI Classic Track Results | Alex-Kevin Loembe (Guest Researcher) | NIST | 0:20:00
3:00 PM | Break | | | 0:30:00
3:30 PM | ⇩ The Bugs Framework -- Your Best Friend? | Irena Bojanova (Project Lead) | NIST | 0:20:00
3:50 PM | ⇩ Discussion: SATE VII Planning | SAMATE Team | NIST | 0:40:00
4:30 PM | End | | |