7 and 8 November 2005
Long Beach, California, USA
Co-located with the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE 2005)
With funding in part from the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) started a long-term, ambitious project, SAMATE (Software Assurance Metrics And Tool Evaluation), to improve software security assurance (SSA) tools. Security is the ability of a system to maintain the confidentiality, integrity, and availability of the information it processes and stores. Software security assurance tools are those that help make software more secure, either by building security into the software or by determining how secure the software is. Among the project's goals are:
These goals extend into all phases of the software life cycle from requirements capture through design and implementation to operation and auditing.
As noted in the Call for Papers, the purpose of the workshop is to convene researchers, developers, and government and industrial users of SSA tools to
We encourage contributions describing basic research, novel applications, and experience relevant to SSA tools and their evaluation. Topics of particular interest are:
November 7, 2005
8:30 - 9:00 : Welcome - Paul E. Black
9:00 - 10:30 : Tools and Metrics - Liz Fong
10:30 - 11:00 : Break
11:00 - 12:30 : Flaw Taxonomy and Benchmarks - Robert Martin
12:30 - 1:30 : Lunch
1:30 - 4:00 : New Techniques - Larry Wagoner
End of day 1
November 8, 2005
9:00 - 11:30 : Target Practice and Reference Dataset Discussion - Michael Kass
11:30 - 1:00 : Lunch
1:00 - 2:30 : Invited Presentation - Vadim Okun
2:30 - whenever : Open Discussion - Michael Kass
Sets of code with known flaws and vulnerabilities, with corresponding correct versions, can be references for tool testing to make research easier and to be a standard of evaluation. Working with others, we will bring reference datasets of many types of code, like Java, C, binaries, and bytecode. We welcome contributions of code you've used.
To help validate the reference datasets, we solicit proposals not exceeding 2 pages to participate in SSA tool "target practice" on the datasets. Tools can range from university projects to commercial products. Come "shoot holes" in the reference dataset. Participation is intended to demonstrate the state of the art, consequently the proposals should not be marketing write-ups, but should highlight technical contributions: techniques used, precision achieved, classes of vulnerabilities detected, suggestions for extensions to and improvements of the reference datasets, etc. The content and detail of any observations, suggestions, results, etc. shared for publication are completely voluntary and may be anonymous: participants are not obligated to share any results at all.
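The following is an added, constructed illustration of what a single reference-dataset test case looks like, written for this page and not taken from the SAMATE reference dataset itself: a function with a known flaw (an unbounded stack-buffer copy) paired with its corrected version, plus a small self-check that a "target practice" run could use to confirm the corrected version rejects the input that would overflow the flawed one. The function names, buffer size, and sample inputs are all assumptions chosen for the example.

```c
/*
 * Constructed reference-dataset style test case (example code, not from
 * the SAMATE dataset). Pairs a flawed function with its corrected version
 * so a tool's report can be checked against known ground truth:
 *   greet_bad  - should be flagged (unbounded strcpy into a fixed buffer)
 *   greet_good - should NOT be flagged (length checked before the copy)
 */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for the example */

/* BAD: strcpy() copies until NUL regardless of the destination size; any
 * name of NAME_LEN characters or more writes past the end of buf. */
int greet_bad(const char *name, char *out, size_t out_len)
{
    char buf[NAME_LEN];
    strcpy(buf, name);                      /* flaw: no bounds check */
    snprintf(out, out_len, "hello %s", buf);
    return 0;
}

/* GOOD: measure the input first and refuse anything that does not fit,
 * including its terminating NUL; then copy exactly that many bytes. */
int greet_good(const char *name, char *out, size_t out_len)
{
    char buf[NAME_LEN];
    size_t n = strlen(name);
    if (n >= sizeof buf)                    /* fix: reject over-long names */
        return -1;
    memcpy(buf, name, n + 1);               /* n + 1 copies the NUL too */
    snprintf(out, out_len, "hello %s", buf);
    return 0;
}

/* Self-check used by the example: the corrected version must accept a
 * name that fits (15 chars + NUL) and reject one that does not (16 chars).
 * The flawed version is only exercised with the short input; calling it
 * with the long one is the undefined behaviour the dataset documents. */
int reference_case_passes(void)
{
    const char *fits     = "abcdefghijklmno";    /* 15 chars: constructed */
    const char *too_long = "abcdefghijklmnop";   /* 16 chars: constructed */
    char out[64];

    if (greet_good(fits, out, sizeof out) != 0) return 0;
    if (strcmp(out, "hello abcdefghijklmno") != 0) return 0;
    if (greet_good(too_long, out, sizeof out) != -1) return 0;
    if (greet_bad(fits, out, sizeof out) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("reference case %s\n", reference_case_passes() ? "ok" : "FAILED");
    return reference_case_passes() ? 0 : 1;
}
```

In a dataset of this kind, each case carries the same metadata a tool is scored against: which function and line holds the flaw, what class of flaw it is, and that the paired version is believed correct. A tool that flags `greet_bad` and stays silent on `greet_good` scores a true positive and a true negative; the reverse is a miss and a false alarm, which is what the "precision achieved" figure in a target-practice proposal summarises.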
Accepted papers will be published in the workshop proceedings. The workshop proceedings, along with a summary of discussions and voluntary results of the reference dataset "target practice", will be published as a NIST Special Publication.
Published as "Proceedings of Workshop on Software Security Assurance Tools, Techniques, and Metrics", Elizabeth Fong ed., U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 500-265, February, 2006.
Informal proceedings, including the accepted papers, several flaw taxonomies, and the reference dataset, will be given to attendees on a 32 MB USB drive.
26 August Paper and tool proposal submission deadline
19 September Notification of acceptance
15 October Final camera-ready version of papers due
7-8 November Workshop
Freeland Abbott, Georgia Tech
Paul Ammann, George Mason U.
Paul E. Black, NIST
Michael Hicks, U. Maryland
Robert A. Martin, MITRE Corp.
W. Bradley Martin, NSA
Nachiappan Nagappan, Microsoft Research
Samuel Redwine, James Madison U.
Ravi Sandhu, George Mason U.
Larry D. Wagoner, NSA