Search Publications by: Paul E. Black (Assoc)
Displaying 1 - 25 of 180

Software Metrics: Impossible, but Doable

January 22, 2025
Author(s)
Paul Black
Software metrics are theoretically impossible. However, there is tremendous benefit if we can assess properties of computerized systems. We review the elements that make it hard to computerized systems, in contrast with Civil Engineering or physical

Reliability in Building Blocks for Secure Software

December 5, 2024
Author(s)
Paul Black
In February 2024 the U.S. White House Office of the National Cyber Director (ONCD) released "Back to the Building Blocks: A Path Toward Secure and Measurable Software." The report makes the case that the technical community can greatly improve

Report on Secure Hardware Assurance Reference Dataset (SHARD) Program

October 1, 2024
Author(s)
Paul E. Black, Vadim Okun
Significant vulnerabilities have been found in chips. Computer programs and methods have been developed to prevent, find, and mitigate them. We proposed Secure Hardware Assurance Reference Dataset (SHARD) as a repository of reference examples (test cases)

Vulnerability Test Suite Generator (VTSG) Version 3

October 13, 2023
Author(s)
Paul E. Black, William Mentzer, Elizabeth Fong, Bertrand Stivalet
The Vulnerability Test Suite Generator (VTSG) Version 3 can create vast numbers of synthetic programs with and without specific flaws or vulnerabilities. Such programs are useful for measuring static analysis tools. VTSG was designed by the Software

SATE VI Report: Bug Injection and Collection

June 14, 2023
Author(s)
Aurelien Delaitre, Paul E. Black, Damien Cupif, Guillaume Haben, Loembe Alex-Kevin, Vadim Okun, Yann Prono
The SATE VI report presents the results of a security-focused bug finding evaluation exercise carried out from 2018 to 2023 on various code bases using static analysis tools. Existing bugs were extracted from bug tracker reports and the CVE/NVD database

Impact of Code Complexity On Software Analysis

February 23, 2023
Author(s)
Charles D. De Oliveira, Elizabeth Fong, Paul E. Black
The Software Assurance Metrics and Tool Evaluation (SAMATE) team studied thousands of warnings from static analyzers. Tools have difficulty distinguishing between the absence of a weakness and the presence of a weakness that is buried in otherwise

Guidelines on Minimum Standards for Developer Verification of Software

October 6, 2021
Author(s)
Paul E. Black, Vadim Okun, Barbara Guttman
Executive Order (EO) 14028, Improving the Nation's Cybersecurity, 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven

Algorithms and Data Structures for New Models of Computation

February 1, 2021
Author(s)
Paul E. Black, David W. Flater, Irena Bojanova
In the early days of computer science, the community settled on a simple standard model of computing and a basic canon of general purpose algorithms and data structures suited to that model. With isochronous computing, heterogeneous multiprocessors, flash

SATE VI Ockham Sound Analysis Criteria

May 19, 2020
Author(s)
Paul E. Black, Kanwardeep S. Walia
Static analyzers examine the source or executable code of programs to find problems. Many static analyzers use heuristics or approximations to examine programs with millions of lines of code for hundreds of classes of problems. The Ockham Sound Analysis

Static Analyzers: Seat Belts for Your Code

April 17, 2020
Author(s)
Paul E. Black
Just as seat belt use is widespread, we argue that the use of static analysis should be part of ethical software development. We explain some of the procedures of the four Static Analysis Tool Expositions (SATE), and some of the lessons we learned

Opaque Wrappers and Patching: Negative Results

November 21, 2019
Author(s)
Paul E. Black, Monika Singh
When a patch is released for buggy software, bad actors may be able to analyze the patch and create an attack on unpatched machines. A wrapper could block attacking inputs, but it, too, gives attackers critical information. An opaque wrapper hides such

Formal Methods for Statistical Software

October 4, 2019
Author(s)
Paul E. Black
"Statistical software" encompasses several distinct classes of software. This report explains what formal methods, tools, and approaches may be able to increase assurance of results of using statistical software and implementing differential privacy. To

Information Exposure (IEX): A New Class in the Bugs Framework (BF)

July 9, 2019
Author(s)
Irena Bojanova, Yaacov Yesha, Paul E. Black, Yan Wu
Exposure of sensitive information can be harmful on its own and in addition could enable further attacks. A rigorous and unambiguous definition of information exposure faults can help researchers and practitioners identify them, thus avoiding security