Search Publications by: Paul E. Black (Fed)

Displaying 26 - 50 of 90

SATE V Ockham Sound Analysis Criteria

March 22, 2016
Author(s)
Paul E. Black, Athos Ribeiro
Static analyzers examine the source or executable code of programs to find problems. Many static analyzers use some heuristics or approximations to handle programs up to millions of lines of code. We established the Ockham Sound Analysis Criteria to

A Rational Foundation for Software Metrology

January 20, 2016
Author(s)
David W. Flater, Paul E. Black, Elizabeth N. Fong, Raghu N. Kacker, Vadim Okun, Stephen S. Wood, David R. Kuhn
Much software research and practice involves ostensible measurements of software, yet little progress has been made on an SI-like metrological foundation for those measurements since the work of Gray, Hogan, et al. in 1996-2001. Given a physical object

Towards a “Periodic Table” of Bugs

June 19, 2015
Author(s)
Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu
High-confidence systems must not be vulnerable to attacks that reduce the security, reliability, or availability of the system as a whole. One collection of vulnerabilities is the Common Weakness Enumeration (CWE). It represents a considerable community

Test Generation Using Model Checking and Specification Mutation

November 22, 2013
Author(s)
Paul E. Black
Although building quality into software is paramount, professionals find that testing is necessary to assure that the system will operate as desired. Developing tests can take significant resources. In 1998 NIST showed how tests can be automatically

Report on the Metrics and Standards for Software Testing (MaSST) Workshop 2012

April 22, 2013
Author(s)
Paul E. Black, Elizabeth N. Fong
The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project conducted a workshop on Metrics and Standards for Software Testing (MaSST) on June 20, 2012. This workshop was co-located with the IEEE Sixth International Conference on Software

A Basic CWE-121 Buffer Overflow Effectiveness Test Suite

April 1, 2013
Author(s)
Paul E. Black, Hsiao-Ming M. Koo, Thomas F. Irish
Phase 3 of MITRE's Common Weakness Enumeration (CWE) Compatibility and Effectiveness program allows a customer to understand how effective a software assurance tool is at finding weaknesses and what code complexities it handles. Phase 3 is based on suites

Report on the Static Analysis Tool Exposition (SATE) IV

February 4, 2013
Author(s)
Vadim Okun, Aurelien M. Delaitre, Paul E. Black
The NIST SAMATE project conducted the fourth Static Analysis Tool Exposition (SATE IV) to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test sets

The New Golden Age of Algorithms and Data Structures

October 29, 2012
Author(s)
Paul E. Black
Before 1976 Communications of the ACM printed (and numbered!) new algorithms every issue. Quicksort was invented in 1960, Boyer-Moore string search in 1977, and combsort in 1980. I haven't seen a new, general sorting algorithm in over a decade. The latest

The Juliet 1.1 C/C++ and Java Test Suite

October 1, 2012
Author(s)
Frederick E. Boland Jr., Paul E. Black
The Juliet Test Suite 1.1 is a collection of over 81,000 synthetic C/C++ and Java programs with known flaws. These programs are useful as test cases for testing the effectiveness of static analyzers and other software assurance tools, and are in the public

Report on the Third Static Analysis Tool Exposition (SATE 2010)

October 27, 2011
Author(s)
Vadim Okun, Paul E. Black, Aurelien M. Delaitre
The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project conducted the third Static Analysis Tool Exposition (SATE) in 2010 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were

Counting Bugs is Harder Than You Think

October 20, 2011
Author(s)
Paul E. Black
Software Assurance Metrics And Tool Evaluation (SAMATE) is a broad, inclusive project at the U.S. National Institute of Standards and Technology (NIST) with the goal of improving software assurance by developing materials, specifications, and methods to

NIST SP 500-268, Source Code Security Analysis Tool Function Specification Version 1.1

February 28, 2011
Author(s)
Elizabeth N. Fong, Paul E. Black, Michael J. Kass, Hsiao-Ming M. Koo
Software assurance tools are a fundamental resource to improve assurance in today's software applications. Some tools analyze software requirements or design models to help determine if an application is secure. Others analyze source code or executables

The Second Static Analysis Tool Exposition (SATE) 2009

July 2, 2010
Author(s)
Vadim Okun, Paul E. Black, Aurelien M. Delaitre
The NIST SAMATE project conducted the second Static Analysis Tool Exposition (SATE) in 2009 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test

Static Analysis Tool Exposition (SATE) 2008

June 22, 2009
Author(s)
Vadim Okun, Romain Gaucher, Paul E. Black
The NIST SAMATE project conducted the first Static Analysis Tool Exposition (SATE) in 2008 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test

Cyber Security Metrics and Measures

March 2, 2009
Author(s)
Paul E. Black, Karen A. Scarfone, Murugiah P. Souppaya
Metrics are tools to facilitate decision making and improve performance and accountability. Measures are quantifiable, observable, and objective data supporting metrics. Operators can use metrics to apply corrective actions and improve performance

Static Analyzers in Software Engineering

March 2, 2009
Author(s)
Paul E. Black
Static analyzers can report possible problems in code and help reinforce good practices of developers. We contrast the strengths of static analyzers with testing and indicate the current state of the art.

Proceedings of the Static Analysis Workshop (SAW 2008)

June 12, 2008
Author(s)
Paul E. Black, Elizabeth N. Fong
The Static Analysis Workshop (SAW 2008) was held on June 12, 2008 in Tucson, Arizona and was co-located with the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation (PLDI 2008). This workshop followed the Static Analysis Summit, held in 2006

Proceedings of Static Analysis Summit II

April 1, 2008
Author(s)
Paul E. Black, Elizabeth N. Fong
Static Analysis Summit II was held 8 and 9 November 2007. The workshop had a keynote address by Professor William Pugh, paper presentations, discussion sessions, a panel on "Obfuscation Versus Analysis: Who Will Win?", and a new technology demonstration fair

Building a Test Suite for Web Application Scanners

January 7, 2008
Author(s)
Elizabeth N. Fong, Romain Gaucher, Vadim Okun, Paul E. Black, Eric Dalci
This paper describes the design of a test suite for thorough evaluation of web application scanners. Web application scanners are automated, black-box testing tools that examine web applications for security vulnerabilities. For several common

Effect of Static Analysis Tools on Software Security: Preliminary Investigation

October 29, 2007
Author(s)
Vadim Okun, William F. Guthrie, Romain Gaucher, Paul E. Black
Static analysis tools can handle large-scale software and find thousands of defects. But do they improve software security? We evaluate the effect of static analysis tool use on software security in open source projects. We measure security by