Search Publications by: Paul E. Black (Assoc)


The Bugs Framework (BF): A Structured Approach to Express Bugs

October 13, 2016
Author(s)
Irena Bojanova, Paul E. Black, Yaacov Yesha, Yan Wu
To achieve higher levels of assurance for digital systems, we need to answer questions such as, does this software have bugs of these critical classes? Do these two tools generally find the same set of bugs, or different, complementary sets? Can we

SATE V Ockham Sound Analysis Criteria

March 22, 2016
Author(s)
Paul E. Black, Athos Ribeiro
Static analyzers examine the source or executable code of programs to find problems. Many static analyzers use some heuristics or approximations to handle programs up to millions of lines of code. We established the Ockham Sound Analysis Criteria to

A Rational Foundation for Software Metrology

January 20, 2016
Author(s)
David W. Flater, Paul E. Black, Elizabeth N. Fong, Raghu N. Kacker, Vadim Okun, Stephen S. Wood, David R. Kuhn
Much software research and practice involves ostensible measurements of software, yet little progress has been made on an SI-like metrological foundation for those measurements since the work of Gray, Hogan, et al. in 1996-2001. Given a physical object

Towards a Periodic Table of Bugs

June 19, 2015
Author(s)
Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu
High-confidence systems must not be vulnerable to attacks that reduce the security, reliability, or availability of the system as a whole. One collection of vulnerabilities is the Common Weakness Enumeration (CWE). It represents a considerable community

Test Generation Using Model Checking and Specification Mutation

November 22, 2013
Author(s)
Paul E. Black
Although building quality into software is paramount, professionals find that testing is necessary to assure that the system will operate as desired. Developing tests can take significant resources. In 1998 NIST showed how tests can be automatically

Report on the Metrics and Standards for Software Testing (MaSST) Workshop 2012

April 22, 2013
Author(s)
Paul E. Black, Elizabeth N. Fong
The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project conducted a workshop on Metrics and Standards for Software Testing (MaSST) on June 20, 2012. This workshop was co-located with the IEEE Sixth International Conference on Software

A Basic CWE-121 Buffer Overflow Effectiveness Test Suite

April 1, 2013
Author(s)
Paul E. Black, Hsiao-Ming M. Koo, Thomas F. Irish
Phase 3 of MITRE's Common Weakness Enumeration (CWE) Compatibility and Effectiveness program allows a customer to understand how effective a software assurance tool is at finding weaknesses and what code complexities it handles. Phase 3 is based on suites

Report on the Static Analysis Tool Exposition (SATE) IV

February 4, 2013
Author(s)
Vadim Okun, Aurelien M. Delaitre, Paul E. Black
The NIST SAMATE project conducted the fourth Static Analysis Tool Exposition (SATE IV) to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test sets

The New Golden Age of Algorithms and Data Structures

October 29, 2012
Author(s)
Paul E. Black
Before 1976 Communications of the ACM printed (and numbered!) new algorithms every issue. Quicksort was invented in 1960, Boyer-Moore string search in 1977, and combsort in 1980. I haven't seen a new, general sorting algorithm in over a decade. The latest

The Juliet 1.1 C/C++ and Java Test Suite

October 1, 2012
Author(s)
Frederick E. Boland Jr., Paul E. Black
The Juliet Test Suite 1.1 is a collection of over 81,000 synthetic C/C++ and Java programs with known flaws. These programs are useful as test cases for testing the effectiveness of static analyzers and other software assurance tools, and are in the public

Static Analyzers: Seat Belts for Your Code

January 10, 2012
Author(s)
Paul Black
Just as seat belt use is widespread, we argue that the use of static analysis should be part of ethical software development. We explain some of the procedures of the four Static Analysis Tool Expositions (SATE), and some of the lessons we learned