Prioritization of Weapon System Software Assurance Assessment

Award Information
Agency: Department of Defense
Branch: Air Force
Contract: FA8650-12-C-1349
Agency Tracking Number: F103-169-1893
Amount: $750,000.00
Phase: Phase II
Program: SBIR
Awards Year: 2012
Solicitation Year: 2010
Solicitation Topic Code: AF103-169
Solicitation Number: 2010.3
Small Business Information
GrammaTech, Inc
317 N. Aurora Street, Ithaca, NY, -
DUNS: 603978321
HUBZone Owned: N
Woman Owned: N
Socially and Economically Disadvantaged: N
Principal Investigator
 David Cok
 VP of Research
 (607) 273-7340
Business Contact
 Derek Burrows
Title: Contracts Manager
Phone: (607) 273-7340
Research Institution
ABSTRACT: The Air Force, other government organizations, and security-critical software development companies could be more cost-effective by using COTS and open-source software in their information and weapons systems. However, these software sources have significant safety and security risks; the software must be carefully assessed and certified prior to use. Due diligence requires even contracted software to be carefully assessed for safety and security risks. We propose to build an assessment process that combines screening tools and existing detailed analysis tools. The result will be a tool-supported assessment process that enables software assessors to prioritize their detailed analysis efforts, that incorporates security policies in the assessment, and that unifies all the artifacts from human and automated reviews. The proposed tools will solve key challenges such as prioritizing assessment efforts, relating coarse screening results to fine-grained risks, creating assessment tools that accurately predict levels of risk, and auditing tools that can usefully summarize results from disparate automated tools. Organizations responsible for assessments will benefit from a more efficient assessment process, an integrated but extensible set of tools for assessments, and higher confidence in the end result. BENEFIT: A process and tools for assessing the safety and security aspects of executable binaries is useful for any organization that is concerned about the quality of its software and protecting the information it holds. However, military organizations and companies that supply military software have a particularly strong concern for software security. It is known that hostile actors are targeting high-profile and high-value miltary targets. In addition, safety and correctness of software is also important. Faults in embedded software (e.g. weapons systems) can have grave consequences; even faults in desktop systems can lead to inaccurate information or delayed responses in critical situations. Commercial companies have corresponding conerns. Security breaches are highly costly and detrimental to a company's business. Safety errors in code can create major liabilities for the company and risks to human life. Thus military and commercial companies would benefit from the tools proposed here: unified assessment processes that enable documented, prioritized software assessments of safety and security risks; adherence to stated security policies; and an integrated set of detailed automatic assessment tools.

* information listed above is at the time of submission.

Agency Micro-sites

SBA logo
Department of Agriculture logo
Department of Commerce logo
Department of Defense logo
Department of Education logo
Department of Energy logo
Department of Health and Human Services logo
Department of Homeland Security logo
Department of Transportation logo
Environmental Protection Agency logo
National Aeronautics and Space Administration logo
National Science Foundation logo
US Flag An Official Website of the United States Government