Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Publications by: Paul E. Black (Assoc)

Displaying 26 - 50 of 180

SATE V Report: Ten Years of Static Analysis Tool Expositions

October 23, 2018

Author(s)

Aurelien M. Delaitre, Bertrand C. Stivalet, Paul E. Black, Vadim Okun, Terry S. Cohen, Athos Ribeiro

Software assurance has been the focus of the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) team for many years.The Static Analysis Tool Exposition (SATE) is one of the teams prominent

Randomness Classes in Bugs Framework (BF): True-Random Number Bugs (TRN) and Pseudo-Random Number Bugs (PRN)

July 22, 2018

Author(s)

Irena Bojanova, Yaacov Yesha, Paul E. Black

Random number generators may have weaknesses (bugs) and the applications using them may become vulnerable to attacks. Formalization of randomness bugs would help researchers and practitioners identify them and avoid security failures. The Bugs Framework

Juliet 1.3 Test Suite: Changes From 1.2

June 14, 2018

Author(s)

Paul E. Black

The Juliet test suite is a systematic set of thousands of small test programs in C/C++ and Java exhibiting over 100 classes of errors, such as buffer overflow, OS injection, hardcoded password, absolute path traversal, NULL pointer dereference, uncaught

A Software Assurance Reference Dataset: Thousands of Programs With Known Bugs

April 16, 2018

Author(s)

Paul E. Black

The Software Assurance Reference Dataset (SARD) is a growing collection of over 170 000 programs with precisely located bugs. The programs are in C, C++, Java, PHP, and C# and cover more than 150 classes of weaknesses, such as SQL injection, cross-site

Cryptography Classes in Bugs Framework (BF): Encryption Bugs (ENC), Verification Bugs (VRF), and Key Management Bugs (KMN)

December 25, 2017

Author(s)

Irena Bojanova, Paul E. Black, Yaacov Yesha

Abstract—Accurate, precise, and unambiguous definitions of software weaknesses (bugs) and clear descriptions of software vulnerabilities are vital for building the foundations of cybersecurity. The Bugs Framework (BF) comprises rigorous definitions and

SARD: Thousands of Reference Programs for Software Assurance

October 31, 2017

Author(s)

Paul E. Black

A corpus of computer programs with known bugs is useful in determining the ability of tools to find bugs. This article describes the content of NIST's Software Assurance Reference Dataset (SARD), which is a publicly available collection of thousands of

SATE VI Ockham Sound Analysis Criteria

July 11, 2017

Author(s)

Paul E. Black

In preparation for SATE VI, we present our current thoughts on the Ockham Sound Analysis Criteria track. First, we explain the purpose of the Ockham track and define some terms, such as "sound", "finding", and "site". Then we present the general flow for

Impact of Code Complexity On Software Analysis

February 9, 2017

Author(s)

Charles Daniel De Oliveira, Elizabeth N. Fong, Paul E. Black

The Software Assurance Metrics and Tool Evaluation (SAMATE) team evaluated approximately 800 000 warnings from static analyzers.We learned that elements that we call code complexities make the detection of warnings more difficult. Most tools cannot not

Dramatically Reducing Software Vulnerabilities

January 18, 2017

Author(s)

Paul E. Black, Larry Feldman, Gregory A. Witte

This bulletin summarized the information presented in NISTIR 8151: Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy. The publication starts by describing well known security risks and

Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy

December 1, 2016

Author(s)

Paul E. Black, Mark L. Badger, Barbara Guttman, Elizabeth N. Fong

The call for a dramatic reduction in software vulnerability is heard from multiple sources, recently from the February 2016 Federal Cybersecurity Research and Development Strategic Plan. This plan starts by describing well known risks: current systems

Report of the Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities (SwMM- RSV).

November 10, 2016

Author(s)

Paul E. Black, Elizabeth N. Fong

The National Institute of Standards and Technology (NIST) workshop on Software Measures and Metrics to Reduce Security Vulnerabilities (SwMM-RSV) was held on July 12, 2016. The goal of this workshop is to gather ideas on how the Federal Government can

Report of workshop on Software Measures and Metrics to Reduce Security Vulnerabilities (SwMM-RSV)

November 1, 2016

Author(s)

Paul Black

The workshop occurred on 12 July 2016 at National Institute of Standards and Technology (NIST). The workshop's object was software as a product. 20 position statements were submitted; 10 were accepted. Over 90 people attended, primarily dealing with the

Defeating Buffer Overflow: One of the Most Trivial and Dangerous Bugs of All!

October 31, 2016

Author(s)

Paul E. Black, Irena Bojanova

The C programming language was invented over 40 years ago. It is infamous for buffer overflows. We have learned a lot about computer science, language design, and software engineering since then. As it is unlikely that we will stop using C any time soon