Prioritization of Weapon System Software Assurance Assessment

Award Information
Agency: Department of Defense
Branch: Air Force
Contract: FA8650-11-M-1115
Agency Tracking Number: F103-169-1893
Amount: $100,000.00
Phase: Phase I
Program: SBIR
Awards Year: 2011
Solicitation Year: 2010
Solicitation Topic Code: AF103-169
Solicitation Number: 2010.3
Small Business Information
317 N. Aurora Street, Ithaca, NY, -
DUNS: 603978321
HUBZone Owned: N
Woman Owned: N
Socially and Economically Disadvantaged: N
Principal Investigator
 David Cok
 VP of Technology
 (607) 273-7340
Business Contact
 Ray Teitelbaum
Title: CEO
Phone: (607) 273-7340
Research Institution
The cost and timeliness of weapons-software deployment may benefit from including shareware, freeware, open-source, and COTS components. However, Air Force"s critical, safety-of-flight, and sensitive-data applications require higher assurance than that provided by commercial components. To make their use cost-effective, technical assurance of software quality (and assessment of risk in its deployment) requires automation. Unfortunately, no existing tool captures the broad spectrum of security vulnerabilities that need to be analyzed to assess security risk. Also, precise security-analysis techniques do not scale to today"s software systems. Finally, these techniques generally analyze source code, which precludes evaluating components available as binaries only. We propose a risk-assessment solution based on a hierarchy of analysis techniques that provide varying levels of detail about the analyzed software. The coarser (and computationally cheaper) techniques will provide rough estimates of risk; their answers will inform the choice of finer (and computationally more expensive) techniques that will yield more precise estimates of risk. The proposed solution will provide the ability to analyze binary components, making it applicable to shareware, freeware, and COTS components. Furthermore, it will incorporate a technique for mitigating certain security vulnerabilities, providing a path for accepting a component that is not deemed to be flawless. BENEFIT: Organizations that develop software are looking for ways to manage complexity while reducing development time and cost. Many organizations are making extensive use of open-source, shareware, freeware, and commercial-off-the-shelf (COTS) components. Because few of these components have been developed for use in high-security and high-reliability systems, using them in such environments is problematic. Organizations must assess the quality and security of components, but tool support for this task remains poor. New technology is needed that helps organizations prioritize and perform reviews. The product resulting from this SBIR research will be a suite of tools that helps organizations examine security and reliability properties of software, especially software developed by other parties. The suite will: (i) examine open-source, shareware, freeware, and COTS executables (i.e., binaries) and recommend specific analyses for particular code, based on criticality and risk, (ii) apply a variety of analysis techniques to binary code (and also source code, if available) to pinpoint specific security and reliability problems, and (iii) where possible and appropriate, perform automated vulnerability patching and remediation on codeincluding binary code.

* Information listed above is at the time of submission. *

Agency Micro-sites

SBA logo
Department of Agriculture logo
Department of Commerce logo
Department of Defense logo
Department of Education logo
Department of Energy logo
Department of Health and Human Services logo
Department of Homeland Security logo
Department of Transportation logo
Environmental Protection Agency logo
National Aeronautics and Space Administration logo
National Science Foundation logo
US Flag An Official Website of the United States Government