NIST Analyzes Tools That ID Flaws Hackers Could Exploit

Fed Researchers Worked with Commercial Vendors

A new report from the National Institute of Standards and Technology (NIST) examines static analyzers, software that identifies weaknesses in other programs that could be triggered accidentally or exploited by hackers.

The report, SP 500-279, will help toolmakers assess their products' ability to find security defects in other software, according to NIST. Eight tool developers, along with a ninth team of professional human reviewers, participated in the Static Analysis Tool Exposition, or SATE, an exercise by NIST and static analyzer vendors that began in February 2008 to improve the performance of these tools. SATE provided a non-competitive environment for the vendors to compare their program analysis techniques for the benefit of the entire group.

Vadim Okun, a NIST software assurance expert, says SATE was long-overdue. "Most modern software is too lengthy and complex to analyze by hand," Okun says, in a statement that accompanies the announcement of the report. "Additionally, programs that would have been considered secure 10 years ago may now be vulnerable to hackers. We're trying to focus on identifying what in a program's code might be exploitable."

Software assurance tools may be obscure outside the world of professional software development, the NIST report says, but their importance has increased as programs grow longer, more sophisticated, and increasingly are required to interact with other programs over computer networks. The number and subtlety of attacks from hackers has also increased. Because it is impossible to anticipate every combination of inputs a given piece of software might receive, NIST says, static analyzers attempt to use mathematical and logical tools to rigorously predict the behavior of the program and examine it for weaknesses based on its code or set of instructions.

The participating vendors brought a range of tools that possessed different features and analyzed programs written in two different languages. According to Okun, the depth of the field made SATE as much a learning experience for the NIST team as it was for the participants. "We intend to hold more expositions in the future and will use this experience to help shape their focus," Okun says.

And according to the organizers and several participants, NIST says, a good deal of research remains to be done. The effort was not only highly demanding, but it also showed that some goals may be out of reach. Users want static analyzers to find all the problems in a piece of software while raising no false alarms, but "that's not achievable," Okun says. "We want to show people that this isn't a trivial process, but the tools are improving and it makes good sense to use them."
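To make concrete what the report means by tools that examine code for weaknesses, and why "find everything, raise no false alarms" is out of reach, here is a deliberately small static analyzer written for this article. It is an added illustration, not code from NIST, SATE or any participating vendor. It does a flow-insensitive taint analysis over Python source: a variable assigned from an untrusted source (here only the built-in `input()`, an assumed catalog) is marked tainted, and any call to a dangerous sink (`eval`, `exec`, `os.system`, again an assumed catalog) whose argument is tainted is reported. The four sample programs are constructed; two show correct results, one shows a false alarm the analyzer raises because it cannot reason about the allowlist check, and one shows a defect it misses because it does not model data flowing through a dictionary.

```python
import ast
from typing import List, Set

# Constructed catalogs for the illustration; real tools carry far larger ones.
TAINT_SOURCES = {"input"}                       # calls returning attacker-controlled data
DANGEROUS_SINKS = {"eval", "exec", "os.system"}  # calls that must not receive raw untrusted data


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'os.system' or 'input'; '' if not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive taint tracking: a name is tainted if any assignment to it
    reads from a source call or from an already-tainted name."""

    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.findings: List[str] = []

    def _is_tainted(self, expr: ast.AST) -> bool:
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Call) and _call_name(sub) in TAINT_SOURCES:
                return True
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        if self._is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):   # subscripts/attributes are not modelled
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DANGEROUS_SINKS and any(self._is_tainted(a) for a in node.args):
            self.findings.append(f"line {node.lineno}: untrusted data reaches {name}()")
        self.generic_visit(node)


def analyze(source: str) -> List[str]:
    """Iterate to a fixpoint so taint assigned later in the file (e.g. inside a loop)
    is still known when earlier sinks are re-examined; return the final findings."""
    tree = ast.parse(source)
    analyzer = TaintAnalyzer()
    while True:
        known = len(analyzer.tainted)
        analyzer.findings.clear()
        analyzer.visit(tree)
        if len(analyzer.tainted) == known:
            return analyzer.findings


# Constructed sample programs (not from the NIST report).
TRUE_POSITIVE = """
import os
cmd = input("command: ")
os.system(cmd)
"""

TRUE_NEGATIVE = """
import os
os.system("ls -l")
"""

# The allowlist makes this safe, but the analyzer ignores branch conditions,
# so it still reports: a false alarm (false positive).
FALSE_POSITIVE = """
import os
cmd = input("command: ")
if cmd in ("ls", "pwd"):
    os.system(cmd)
"""

# Taint flows through a dictionary entry, which this analyzer does not track,
# so it stays silent: a missed defect (false negative).
FALSE_NEGATIVE = """
import os
opts = {}
opts["cmd"] = input("command: ")
os.system(opts["cmd"])
"""

if __name__ == "__main__":
    for label, program in [("true positive", TRUE_POSITIVE), ("true negative", TRUE_NEGATIVE),
                           ("false positive", FALSE_POSITIVE), ("false negative", FALSE_NEGATIVE)]:
        print(f"{label}: {analyze(program) or 'no findings'}")
```

Making the analyzer honor the `if cmd in (...)` guard would remove the false alarm but requires reasoning about program paths; modelling dictionary entries would catch the missed defect but multiplies the state to track. Each refinement trades precision against cost and against soundness, which is the trade-off Okun describes.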

NIST is planning the next SATE and invites tool makers interested in participating to get in touch with Okun at vadim.okun@nist.gov.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
