Quantifying Minimum-Time-To-Intrusion Based on Dynamic Software Safety Assessment
Abstract
This report presents an overview of the results of a three year DARPA-sponsored effort investigating dynamic software security analysis. This research effort resulted in the design and implementation of two major tool sets (FIST and VISTA), each comprised of many individual tools, and the development of a methodology that provides the capability to perform a thorough security analysis on a piece of security-critical software written in C or C++. The Fault Injection Security Tool (FIST) automates white-box dynamic security analysis of software using program inputs, fault injection and assertion monitoring of programs written in C and C++. The Visualizing STatic Analysis (VISTA) Tool provides a way of viewing and navigating static analysis properties of a program. Together these tools provide static and dynamic analysis capabilities that can identify security vulnerabilities in source code before its release. However, a major research issue remains. Though the current approach is able to discover security vulnerabilities through a process of fault injection and dynamic monitoring, the tools themselves are not able to determine whether such an event could occur through standard attacker input at the program interface. This effort only scratched the surface of work on this important problem.
Document Details
- Document Type
- Technical Report
- Publication Date
- Nov 01, 2000
- Accession Number
- ADA386611
Entities
People
- Anup Ghosh
- Frank Charron
- Gary Mcgraw
- Jeffery M. Voas
- Michael F. Schatz