On May 31, NIST hosted the 6th Static Analysis Tool Exposition (SATE VI) Workshop. Participating tool makers run their static analyzers on a set of programs, and researchers led by NIST analyze the tool reports. Participants shared results and experiences at the workshop.
- SATE overview
- Classic track
- Ockham criteria track
- Mobile track
- General discussion
The classic track combines the production, CVE and synthetic tracks from the previous SATEs. In SATE VI, we intend to seed a significant number of vulnerabilities in large software, combining the advantages of all three of the old tracks into one. We will be able to measure more aspects of tool effectiveness (recall, precision, etc.) while keeping the complexity of real code. We intend to support C and Java in SATE VI.
The Ockham criteria track highlights the strengths of sound analyzers. There seems to be a consensus on C as the language for this track. Currently, we are leaning toward using Juliet 1.2.1 and possibly SV-COMP.
The mobile track will focus on three or four mobile application test cases. For this first foray into the mobile space, we will be focusing on the Android operating system. All test cases will represent full, deployable mobile applications. One test case in particular will focus on seeding vulnerabilities into a real-world, open-source mobile application. While SATE focuses primarily on static analysis, we invite participants to submit analysis of any and all kinds, including dynamic and behavioral analysis. The organizing meeting will provide us with important feedback concerning the direction we take the test cases, so all voices are welcome.
Additional information will be available on the SATE VI website at https://samate.nist.gov/SATE.html
Presentation Slides (PDF)