An Official Website of the United States Government

Prioritization of Weapon System Software Assurance Assessment

Award Information

Agency:
Department of Defense
Branch:
N/A
Award ID:
Program Year/Program:
2011 / SBIR
Agency Tracking Number:
F103-169-1893
Solicitation Year:
2010
Solicitation Topic Code:
AF103-169
Solicitation Number:
2010.3
Small Business Information
GrammaTech, Inc
531 Esty Street, Ithaca, NY
Woman-Owned: No
Minority-Owned: No
HUBZone-Owned: No
 
Phase 1
Fiscal Year: 2011
Title: Prioritization of Weapon System Software Assurance Assessment
Agency: DOD
Contract: FA8650-11-M-1115
Award Amount: $100,000.00
 

Abstract:

The cost and timeliness of weapons-software deployment may benefit from including shareware, freeware, open-source, and COTS components. However, the Air Force's critical, safety-of-flight, and sensitive-data applications require higher assurance than commercial components provide. To make their use cost-effective, technical assurance of software quality (and assessment of the risk of deploying it) requires automation. Unfortunately, no existing tool captures the broad spectrum of security vulnerabilities that must be analyzed to assess security risk. Also, precise security-analysis techniques do not scale to today's software systems. Finally, these techniques generally analyze source code, which precludes evaluating components available only as binaries. We propose a risk-assessment solution based on a hierarchy of analysis techniques that provide varying levels of detail about the analyzed software. The coarser (and computationally cheaper) techniques will provide rough estimates of risk; their answers will inform the choice of finer (and computationally more expensive) techniques that yield more precise estimates of risk. The proposed solution will be able to analyze binary components, making it applicable to shareware, freeware, and COTS components. Furthermore, it will incorporate a technique for mitigating certain security vulnerabilities, providing a path for accepting a component that is not deemed flawless.

BENEFIT: Organizations that develop software are looking for ways to manage complexity while reducing development time and cost. Many organizations make extensive use of open-source, shareware, freeware, and commercial-off-the-shelf (COTS) components. Because few of these components were developed for use in high-security and high-reliability systems, using them in such environments is problematic. Organizations must assess the quality and security of components, but tool support for this task remains poor.

New technology is needed that helps organizations prioritize and perform reviews. The product resulting from this SBIR research will be a suite of tools that helps organizations examine security and reliability properties of software, especially software developed by other parties. The suite will: (i) examine open-source, shareware, freeware, and COTS executables (i.e., binaries) and recommend specific analyses for particular code, based on criticality and risk; (ii) apply a variety of analysis techniques to binary code (and also source code, if available) to pinpoint specific security and reliability problems; and (iii) where possible and appropriate, perform automated vulnerability patching and remediation on code, including binary code.
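The tiered scheme the abstract describes (cheap, coarse checks whose results decide which expensive, precise analyses to run) can be sketched in code. The following is an added illustration written for this page; it is not GrammaTech's tool or any code from the proposal. Tier 1 reads only the ELF64 header and program headers of a binary, which costs nothing compared with disassembly or dataflow analysis, and checks three hardening properties (PIE, non-executable stack, RELRO). The number of missing mitigations is the rough risk estimate, and it selects a set of hypothetical tier-2 analyses. The analysis names, the scoring, and the thresholds are assumptions; the two sample binaries are constructed header-only images built in memory, not real programs.

```python
"""Two-tier binary triage, added as an illustration of the approach in the
abstract (not GrammaTech's tool). Tier 1 reads only ELF headers; its result
decides which (hypothetical) tier-2 analyses are worth running."""
import struct

# ELF constants (from the ELF64 and Linux ABI specifications)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X = 0x1


def parse_elf64(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a 64-bit little-endian ELF."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def tier1_hardening(data: bytes) -> dict:
    """Cheap, header-only checks: no disassembly, no symbol resolution."""
    e_type, phdrs = parse_elf64(data)
    flags_by_type = {t: f for t, f in phdrs}
    stack = flags_by_type.get(PT_GNU_STACK)
    return {
        "pie": e_type == ET_DYN,
        # An absent PT_GNU_STACK is treated as executable, the Linux x86 default.
        "nx_stack": stack is not None and not (stack & PF_X),
        # Only partial RELRO is visible here; full RELRO also needs DT_BIND_NOW,
        # which lives in the dynamic section and is not parsed at this tier.
        "relro": PT_GNU_RELRO in flags_by_type,
    }


def triage(data: bytes) -> dict:
    """Use the tier-1 estimate to pick tier-2 analyses (names are hypothetical)."""
    checks = tier1_hardening(data)
    missing = sorted(k for k, ok in checks.items() if not ok)
    score = len(missing)  # rough risk estimate: each missing mitigation adds 1
    plan = ["sampled memory-safety review"]  # baseline for any third-party binary
    if not checks["nx_stack"]:
        plan.append("whole-program buffer-overflow analysis (executable stack)")
    if not checks["pie"] or not checks["relro"]:
        plan.append("control-flow hijack analysis (fixed addresses / writable GOT)")
    if score >= 2:
        plan.append("full-precision dataflow analysis of all reachable code")
    return {"checks": checks, "missing": missing, "score": score, "plan": plan}


def build_elf64(e_type: int, phdrs) -> bytes:
    """Construct a header-only ELF64 image for testing (constructed sample, not loadable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: an unhardened non-PIE executable and a fully flagged PIE.
WEAK = build_elf64(ET_EXEC, [(PT_LOAD, 5)])
HARDENED = build_elf64(ET_DYN, [(PT_LOAD, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])

if __name__ == "__main__":
    for name, img in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, triage(img))
```

The point of the structure is that the expensive analyses never run unconditionally: the unhardened sample is escalated to a whole-program analysis, while the hardened one gets only the baseline sampled review. A real tier 1 would also scan the dynamic symbol table for imports such as strcpy or system, which is still far cheaper than the tier-2 work it gates.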

Principal Investigator:

David Cok
VP of Technology
(607) 273-7340
dcok@grammatech.com

Business Contact:

Ray Teitelbaum
CEO
(607) 273-7340
tt@grammatech.com
Small Business Information at Submission:

GrammaTech, Inc
317 N. Aurora Street, Ithaca, NY

EIN/Tax ID: 161338879
DUNS: N/A
Number of Employees:
Woman-Owned: No
Minority-Owned: No
HUBZone-Owned: No