Prioritization of Weapon System Software Assurance Assessment

Award Information
Agency:
Department of Defense
Branch
n/a
Amount:
$100,000.00
Award Year:
2011
Program:
SBIR
Phase:
Phase I
Contract:
FA8650-11-M-1115
Award Id:
n/a
Agency Tracking Number:
F103-169-1893
Solicitation Year:
2010
Solicitation Topic Code:
AF103-169
Solicitation Number:
2010.3
Small Business Information
317 N. Aurora Street, Ithaca, NY, -
Hubzone Owned:
N
Minority Owned:
N
Woman Owned:
N
Duns:
603978321
Principal Investigator:
David Cok
VP of Technology
(607) 273-7340
dcok@grammatech.com
Business Contact:
Ray Teitelbaum
CEO
(607) 273-7340
tt@grammatech.com
Research Institution:
Stub




Abstract
The cost and timeliness of weapons-software deployment may benefit from including shareware, freeware, open-source, and COTS components. However, Air Force"s critical, safety-of-flight, and sensitive-data applications require higher assurance than that provided by commercial components. To make their use cost-effective, technical assurance of software quality (and assessment of risk in its deployment) requires automation. Unfortunately, no existing tool captures the broad spectrum of security vulnerabilities that need to be analyzed to assess security risk. Also, precise security-analysis techniques do not scale to today"s software systems. Finally, these techniques generally analyze source code, which precludes evaluating components available as binaries only. We propose a risk-assessment solution based on a hierarchy of analysis techniques that provide varying levels of detail about the analyzed software. The coarser (and computationally cheaper) techniques will provide rough estimates of risk; their answers will inform the choice of finer (and computationally more expensive) techniques that will yield more precise estimates of risk. The proposed solution will provide the ability to analyze binary components, making it applicable to shareware, freeware, and COTS components. Furthermore, it will incorporate a technique for mitigating certain security vulnerabilities, providing a path for accepting a component that is not deemed to be flawless. BENEFIT: Organizations that develop software are looking for ways to manage complexity while reducing development time and cost. Many organizations are making extensive use of open-source, shareware, freeware, and commercial-off-the-shelf (COTS) components. Because few of these components have been developed for use in high-security and high-reliability systems, using them in such environments is problematic. Organizations must assess the quality and security of components, but tool support for this task remains poor. New technology is needed that helps organizations prioritize and perform reviews. The product resulting from this SBIR research will be a suite of tools that helps organizations examine security and reliability properties of software, especially software developed by other parties. The suite will: (i) examine open-source, shareware, freeware, and COTS executables (i.e., binaries) and recommend specific analyses for particular code, based on criticality and risk, (ii) apply a variety of analysis techniques to binary code (and also source code, if available) to pinpoint specific security and reliability problems, and (iii) where possible and appropriate, perform automated vulnerability patching and remediation on codeincluding binary code.

* information listed above is at the time of submission.

Agency Micro-sites


SBA logo

Department of Agriculture logo

Department of Commerce logo

Department of Defense logo

Department of Education logo

Department of Energy logo

Department of Health and Human Services logo

Department of Homeland Security logo

Department of Transportation logo

Enviromental Protection Agency logo

National Aeronautics and Space Administration logo

National Science Foundation logo
US Flag An Official Website of the United States Government