The SAMATE Project Department of Homeland Security



Static Analysis Summit

A SAMATE meeting

29 June 2006

U.S. National Institute of Standards and Technology

NIST North room 152

Gaithersburg, MD, USA



"Black-box" software testing cannot realistically find maliciously implanted Trojan horses or subtle errors which have many preconditions. For maximum reliability and assurance, static analysis must be applied to all levels of software artifacts, from models to source code to byte code to binaries. As noted in the CFP, the goal of this summit is to convene researchers, developers, and government and industrial users to explore the state of the art in software static analysis tools and techniques with an emphasis on software security. It is also to serve as a prelude to an international summit in Spring 2007.

We solicit contributions describing basic research, novel applications, experience, and proposals relevant to static analysis tools, techniques, and their evaluation. Questions and topics of particular interest are:

  • What is possible with today's techniques?
  • What is feasible with today's tools?
  • What is NOT possible or feasible with current tools or techniques?
  • Where are the gaps that further research might fill?
  • What is the minimum performance bar for a source code analyzer?
  • Static analysis' contribution to software security assurance
  • Flaw catching effectiveness of methods, techniques, or tools
  • Benchmarks or reference datasets
  • Software security assurance metrics
  • How can users, developers, or researchers evaluate the performance of static analysis tools?
  • User experience drawing useful lessons or comparisons


Papers should be from 1 to 8 pages long. Papers exceeding eight pages will not be reviewed. All submissions should clearly identify their novel contributions.

Submit papers electronically in PDF or ASCII text by 20 May 2006 to Liz Fong. Your submission constitutes permission for us to publish it in workshop proceedings.

We will notify submitters of acceptance by 1 June 2006.


You do not have to have an accepted paper to attend. We invite those who develop, use, purchase, or review software security evaluation tools. Academicians who are working in the area of semi- or completely automated tools to review or assess the security properties of software are especially welcome. We are looking for participation from researchers, students, developers, and users in industry, government, and universities.

On-line registration is closed. To register, please send email to Teresa Vicente and pay when you register. NIST's conferences SAS page has registration contact information.

NIST has a visitor information web page with information on accommodations, directions, and the local area. Please note that the summit will be at NIST North, not on the main campus.


8:30 - 9:00 : registration

9:00 - 9:30 :

Welcome - Cita Furlani, Director, Information Technology Laboratory, NIST
Program Presentation and Charge to Attendees - Paul E. Black

9:30 - 10:20 : moderator: Sam Redwine

  • Secure Coding Standards - Robert C. Seacord
  • Language Design for Verification - Rod Chapman and Peter Amey

10:20 - 10:45 : Break

10:45 - 12:00 : moderator: Jack Danahy

  • Automated Calculation of Software Behavior with Function Extraction (FX) for Trustworthy and Predictable Execution - Richard C. Linger, Stacy J. Prowell, and Mark Pleszkoch
  • Support for Whole-Program Analysis and the Verification of the One-Definition Rule in C++ - Dan Quinlan, Richard Vuduc, Thomas Panas, Jochen Härdtlein, and Andreas Sæbjørnsen
  • Towards the Industrial Scale Development of Custom Static Analyzers - John Anton, Eric Bush, Allen Goldberg, Klaus Havelund, Doug Smith, and Arnaud Venet

12:00 - 1:00 : Lunch

1:00 - 1:30 : Keynote: Dawson Engler

Experiences Using Static Analysis to Find Lots of Bugs in Real Code

1:30 - 2:45 : moderator: W. Bradley Martin

  • Verification Tools for Software Security Bugs - Frédéric Michaud and Frédéric Painchaud
  • A Framework for Creating Custom Rules for Static Analysis Tools - Eric Dalci and John Steven
  • High Fidelity Static Analysis for Secure Enterprise Software Requires Platform Knowledge - Nikolai Mansourov, Djenana Campara, Norman Rajala, and Sumeet Malhotra

2:45 - 3:10 : Break

3:10 - 4:00 : moderator: Michael Koo

  • A Status Update: The Common Weakness Enumeration - Robert A. Martin and Sean Barnum
  • A Source Code Analysis Tool Specification - Michael Kass and Michael Koo

4:00 - 4:30 :

The next, international meeting: Format & structure? Where? When? Who else should be invited?


Accepted papers, along with Dawson Engler's keynote presentations, were published in the workshop proceedings as NIST Special Publication 500-262.


20 May 2006 - Paper submission deadline
  1 June 2006 - Author notification
13 June 2006 - Final camera-ready copy due
29 June 2006 - Summit



Paul E. Black NIST
Helen Gill NSF
W. Bradley Martin NSA

Program Committee

Freeland Abbott Georgia Tech
Paul Ammann George Mason U.
Paul Anderson GrammaTech
John Anton Kestrel
Ira Baxter Semantic Designs
Rogier Boon ITsec Security
Djenana Campara KDM Analytics
Pravir Chandra Secure Software
Ben Chelf Coverity
Brian Chess Fortify
Jack Danahy Ounce Labs
Elizabeth Fong NIST
Larry Johnsen Parasoft
Michael Kass NIST
Michael Koo NIST
Robert E. Lee GMRI
Robert A. Martin MITRE Corp.
Vadim Okun NIST
Daniel J. Quinlan LLNL
Ioana Rus Fraunhofer USA
Ravi Sandhu George Mason U.
Robert C. Seacord CERT/CC

Local Arrangements

Liz Fong

Romain Gaucher