Search Publications by: Vadim Okun (Fed)

Displaying 1 - 25 of 27

Report on Secure Hardware Assurance Reference Dataset (SHARD) Program

October 1, 2024
Author(s)
Paul E. Black, Vadim Okun
Significant vulnerabilities have been found in chips. Computer programs and methods have been developed to prevent, find, and mitigate them. We proposed Secure Hardware Assurance Reference Dataset (SHARD) as a repository of reference examples (test cases)

SATE VI Report: Bug Injection and Collection

June 14, 2023
Author(s)
Aurelien Delaitre, Paul E. Black, Damien Cupif, Guillaume Haben, Loembe Alex-Kevin, Vadim Okun, Yann Prono
The SATE VI report presents the results of a security-focused bug finding evaluation exercise carried out from 2018 to 2023 on various code bases using static analysis tools. Existing bugs were extracted from bug tracker reports and the CVE/NVD database

Guidelines on Minimum Standards for Developer Verification of Software

October 6, 2021
Author(s)
Paul E. Black, Vadim Okun, Barbara Guttman
Executive Order (EO) 14028, Improving the Nation's Cybersecurity, 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven

SATE V Report: Ten Years of Static Analysis Tool Expositions

October 23, 2018
Author(s)
Aurelien M. Delaitre, Bertrand C. Stivalet, Paul E. Black, Vadim Okun, Terry S. Cohen, Athos Ribeiro
Software assurance has been the focus of the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) team for many years. The Static Analysis Tool Exposition (SATE) is one of the team’s prominent

Improving Software Assurance through Static Analysis Tool Expositions

October 31, 2017
Author(s)
Terry S. Cohen, Damien J. Cupif, Aurelien M. Delaitre, Charles Daniel De Oliveira, Elizabeth N. Fong, Vadim Okun
Multiple techniques and tools prove effective for software assurance. One technique that has grown in acceptance since the early 2000s is static analysis, which examines software for weaknesses without executing it. The National Institute of Standards and

A Rational Foundation for Software Metrology

January 20, 2016
Author(s)
David W. Flater, Paul E. Black, Elizabeth N. Fong, Raghu N. Kacker, Vadim Okun, Stephen S. Wood, David R. Kuhn
Much software research and practice involves ostensible measurements of software, yet little progress has been made on an SI-like metrological foundation for those measurements since the work of Gray, Hogan, et al. in 1996-2001. Given a physical object

Evaluating Bug Finders: Test and Measurement of Static Code Analyzers

May 23, 2015
Author(s)
Aurelien M. Delaitre, Bertrand C. Stivalet, Elizabeth N. Fong, Vadim Okun
Software static analysis is one of many options for finding bugs in software. Like compilers, static analyzers take a program as input. This paper covers tools that examine source code--without executing it--and output bug reports. Static analysis is a

Fuzz Testing for Software Assurance

March 1, 2015
Author(s)
Vadim Okun, Elizabeth N. Fong
Fuzz Testing, or fuzzing, is a software testing technique that involves providing invalid, unexpected, or random test inputs to the software system under test. The system is then monitored for crashes and other undesirable behavior. Fuzz testing can be
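The loop the abstract describes (mutate an input, run the target, watch for crashes) is short enough to show in full. The following is an added illustration, not code from the paper: `parse_record` is a hypothetical length-prefixed record parser with a deliberately missing bounds check, `parse_record_checked` is the same parser with the check, and the seed input is constructed for the example.

```python
"""Mutation-based fuzzing illustration (added example, not the paper's code).

The fuzzer mutates a seed input, runs the target, and records any exception
other than the parser's own ParseError as a crash.
"""
import random


class ParseError(ValueError):
    """The target's intended way to reject malformed input."""


def parse_record(data: bytes) -> dict:
    """Hypothetical target: 1-byte name length, name, 1-byte value length, value.

    Deliberate bug: the name length is trusted, so an oversized length field
    makes data[1 + name_len] raise IndexError instead of ParseError.
    """
    if len(data) < 2:
        raise ParseError("too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    val_len = data[1 + name_len]          # unchecked index: crashes on oversized name_len
    value = data[2 + name_len:2 + name_len + val_len]
    return {"name": name, "value": value}


def parse_record_checked(data: bytes) -> dict:
    """Same format with both length fields validated before use."""
    if len(data) < 2:
        raise ParseError("too short")
    name_len = data[0]
    if 1 + name_len >= len(data):
        raise ParseError("name length exceeds input")
    name = data[1:1 + name_len]
    val_len = data[1 + name_len]
    if 2 + name_len + val_len > len(data):
        raise ParseError("value length exceeds input")
    value = data[2 + name_len:2 + name_len + val_len]
    return {"name": name, "value": value}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, flip a bit, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations, rng_seed=0):
    """Run `iterations` mutated inputs through `target`.

    Returns {exception class name: first input that triggered it}. ParseError
    is the target's intended rejection and is not counted as a finding.
    """
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randrange(1, 4)):   # stack one to three mutations
            data = mutate(data, rng)
        try:
            target(data)
        except ParseError:
            continue
        except Exception as exc:                # any other exception is a crash
            findings.setdefault(type(exc).__name__, data)
    return findings


# Constructed seed: name "host" (4 bytes), value "10.0" (4 bytes)
SEED = b"\x04host\x04" + b"10.0"

if __name__ == "__main__":
    print("unchecked parser:", fuzz(parse_record, [SEED], 2000))
    print("checked parser:  ", fuzz(parse_record_checked, [SEED], 2000))
```

The monitor here is just exception type: a `ParseError` is the parser doing its job, anything else is a bug. For a native target the equivalent signal is a signal or sanitizer report, and the input that triggered it is kept so the crash can be reproduced.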

Of Massive Static Analysis Data

June 20, 2013
Author(s)
Aurelien M. Delaitre, Vadim Okun, Elizabeth N. Fong
Static analysis produces large amounts of data. The volume of data allows for new developments in research. Practical observations of the effectiveness of static analysis tools can be derived from that data. The question of tool statistical independence

Report on the Static Analysis Tool Exposition (SATE) IV

February 4, 2013
Author(s)
Vadim Okun, Aurelien M. Delaitre, Paul E. Black
The NIST SAMATE project conducted the fourth Static Analysis Tool Exposition (SATE IV) to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test sets

Report on the Third Static Analysis Tool Exposition (SATE 2010)

October 27, 2011
Author(s)
Vadim Okun, Paul E. Black, Aurelien M. Delaitre
The NIST Software Assurance Metrics And Tool Evaluation (SAMATE) project conducted the third Static Analysis Tool Exposition (SATE) in 2010 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were

The Second Static Analysis Tool Exposition (SATE) 2009

July 2, 2010
Author(s)
Vadim Okun, Paul E. Black, Aurelien M. Delaitre
The NIST SAMATE project conducted the second Static Analysis Tool Exposition (SATE) in 2009 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test

Static Analysis Tool Exposition (SATE) 2008

June 22, 2009
Author(s)
Vadim Okun, Romain Gaucher, Paul E. Black
The NIST SAMATE project conducted the first Static Analysis Tool Exposition (SATE) in 2008 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test

Building a Test Suite for Web Application Scanners

January 7, 2008
Author(s)
Elizabeth N. Fong, Romain Gaucher, Vadim Okun, Paul E. Black, Eric Dalci
This paper describes the design of a test suite for thorough evaluation of web application scanners. Web application scanners are automated, black-box testing tools that examine web applications for security vulnerabilities. For several common

IPOG/IPOG-D: Efficient Test Generation for Multi-way Combinatorial Testing

November 29, 2007
Author(s)
Yu Lei, Raghu N. Kacker, D. Richard Kuhn, Vadim Okun, James F. Lawrence
We present two strategies for multi-way testing (i.e., t-way testing with t > 2). The first strategy generalizes an existing strategy, called In-Parameter-Order, from pairwise testing to multi-way testing. This strategy requires all t-way combinations to

Effect of Static Analysis Tools on Software Security: Preliminary Investigation

October 29, 2007
Author(s)
Vadim Okun, William F. Guthrie, Romain Gaucher, Paul E. Black
Static analysis tools can handle large-scale software and find thousands of defects. But do they improve software security? We evaluate the effect of static analysis tool use on software security in open source projects. We measure security by

Web Application Scanners: Definitions and Functions

August 1, 2007
Author(s)
Elizabeth N. Fong, Vadim Okun
There are many commercial software security assurance tools that claim to detect and prevent vulnerabilities in application software. However, a closer look at the tools often leaves one wondering which tools find what flaws? This paper identifies a

IPOG: A General Strategy for t-Way Software Testing

March 29, 2007
Author(s)
Yu Lei, Raghu N. Kacker, D. Richard Kuhn, Vadim Okun, James F. Lawrence
Most existing work on t-way testing has focused on 2-way (or pairwise) testing, which aims to detect faults caused by interactions between any two parameters. However, faults can also be caused by interactions involving more than two parameters. In this

Web Application Scanners: Definitions and Functions

January 3, 2007
Author(s)
Elizabeth N. Fong, Vadim Okun
There are many commercial software security assurance tools that claim to detect and prevent vulnerabilities in application software. However, a closer look at the tools often leaves one wondering which tools find what flaws? This paper identifies a

Pseudo-Exhaustive Testing for Software

April 28, 2006
Author(s)
David R. Kuhn, Vadim Okun
Pseudo-exhaustive testing uses the empirical observation that, for broad classes of software, a fault is likely triggered by only a few variables interacting. The method takes advantage of two relatively recent advances in software engineering: algorithms
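The IPOG strategy outlined in the two IPOG abstracts above, and the few-variables-interacting observation that pseudo-exhaustive testing rests on, can be shown with one small covering-array generator. This is an added illustration, not the authors' tool: it follows the published outline (exhaustive cover of the first t parameters, then horizontal growth and vertical growth for each further parameter) and omits their optimizations. The parameter model is constructed for the example.

```python
"""IPOG-style covering array construction (added illustration, not the authors' tool).

Builds a t-way test set for parameters with discrete values: exhaustive cover of
the first t parameters, then for each further parameter horizontal growth (extend
existing rows) followed by vertical growth (add rows for what is still uncovered).
"""
from itertools import combinations, product


def ipog(params, t):
    """params: list of value lists, one per parameter. Returns rows as tuples."""
    k = len(params)
    if not 1 <= t <= k:
        raise ValueError("strength t must satisfy 1 <= t <= number of parameters")
    # Step 1: all combinations of the first t parameters; None marks a don't-care.
    rows = [list(combo) + [None] * (k - t) for combo in product(*params[:t])]
    for i in range(t, k):
        # Every t-way combination that involves parameter i and t-1 earlier ones.
        # A dict (insertion-ordered) keeps iteration deterministic.
        uncovered = {}
        for earlier in combinations(range(i), t - 1):
            for vals in product(*(params[p] for p in earlier)):
                for v in params[i]:
                    uncovered[tuple(zip(earlier, vals)) + ((i, v),)] = None
        # Step 2, horizontal growth: give each row the value covering most new tuples.
        for row in rows:
            best_value, best_covered = params[i][0], []
            for v in params[i]:
                row[i] = v
                covered = [c for c in uncovered if all(row[p] == val for p, val in c)]
                if len(covered) > len(best_covered):
                    best_value, best_covered = v, covered
            row[i] = best_value
            for c in best_covered:
                del uncovered[c]
        # Step 3, vertical growth: fit leftovers into don't-care slots or add rows.
        for combo in list(uncovered):
            for row in rows:
                if all(row[p] in (None, val) for p, val in combo):
                    for p, val in combo:
                        row[p] = val
                    break
            else:
                row = [None] * k
                for p, val in combo:
                    row[p] = val
                rows.append(row)
    # Remaining don't-cares can take any value; use the first.
    return [tuple(params[p][0] if v is None else v for p, v in enumerate(row)) for row in rows]


def covers_all(rows, params, t):
    """Independent check: every t-way value combination appears in some row."""
    for idxs in combinations(range(len(params)), t):
        for vals in product(*(params[p] for p in idxs)):
            if not any(all(r[p] == v for p, v in zip(idxs, vals)) for r in rows):
                return False
    return True


# Constructed parameter model for a web client test (36 exhaustive configurations).
PARAMS = [
    ["chrome", "firefox", "safari"],   # browser
    ["windows", "macos", "linux"],     # OS
    ["ipv4", "ipv6"],                  # network
    ["http", "https"],                 # scheme
]

if __name__ == "__main__":
    for t in (2, 3):
        rows = ipog(PARAMS, t)
        print(f"{t}-way: {len(rows)} tests, all combinations covered: {covers_all(rows, PARAMS, t)}")
```

Two parameters with three values each force at least nine rows for pairwise coverage, and 3 x 3 x 2 = 18 rows for 3-way, so the generated sets are bounded below by the largest product of t value counts and above by the 36 exhaustive configurations; `covers_all` is the independent check that nothing was dropped during growth.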

Comparison of Fault Classes in Specification-Based Testing

June 1, 2004
Author(s)
Vadim Okun, Paul E. Black, Y Yesha
Our results extending Kuhn's fault class hierarchy provide a justification for the focus of fault-based testing strategies on detecting particular faults and ignoring others. We develop a novel analytical technique that allows us to elegantly prove that

Fault Classes and Fault Coupling in Boolean Specifications

June 1, 2004
Author(s)
Vadim Okun, Paul E. Black, Y Yesha
Fault-based testing strategies generate tests to detect faults belonging to a preselected set of simple fault classes. A hierarchy of fault classes and the infrequency of fault coupling let us rely on these strategies to detect many other faults, too. For

Testing with Model Checker: Insuring Fault Visibility

January 5, 2003
Author(s)
Vadim Okun, Paul E. Black, Yelena Yesha
To detect a fault in software, a test case execution must be chosen so intermediate errors propagate to the output. We describe two modeling methods for specification-based mutation testing using model checkers that guarantee this propagation. We evaluate