ADACORE TECH DAYS, BOSTON. “Society has three options: accept failing software, limit the size or authority of software, or learn how to make software that works – which is what we’re all here to do,” says Paul E. Black, a computer scientist in the Software Quality Group, Systems and Software Division, Information Technology Laboratory (ITL), National Institute of Standards and Technology (NIST), U.S. Department of Commerce in Gaithersburg, Maryland. Black opened AdaCore Tech Days, a professional software development workshop – this time held in the Boston area – hosted by AdaCore, a software company centered on helping developers build safe, secure, and reliable software.
Black opened AdaCore Tech Days 2017 in Boston with a discussion of “Formal Methods, Strong Languages, and Other Lessons Learned in Dramatically Reducing Software Vulnerabilities (DRSV).” In the spring of 2016, the White House Office of Science and Technology Policy (OSTP) asked NIST computer scientists to author a report, with recommendations, aimed at significantly reducing software vulnerabilities across virtually all disciplines. The full report, which Black encourages software engineers to read at least in part, is available online at: https://samate.nist.gov/DRSV2016/.
The report is part of the Federal Cybersecurity Research and Development Strategic Plan, which seeks to alter the dynamics of security, reversing adversaries' asymmetrical advantages. Achieving this reversal is the mid-term goal of the plan, which calls for "sustainably secure systems development and operation." Part of the mid-term, three- to seven-year goal is "the design and implementation of software, firmware, and hardware that are highly resistant to malicious cyber activities" and reduce the number of vulnerabilities in software by orders of magnitude.
“We can create software with 100 times fewer vulnerabilities than we do today,” say NIST computer scientists, who recommend coders adopt the approaches they have compiled in the 60-page NIST Interagency Report (NISTIR) 8151: Dramatically Reducing Software Vulnerabilities. The report is a collection of strategies gathered from across industry and other sources for reducing bugs in software. While the report is officially a response to a request for methods from the White House’s Office of Science and Technology Policy, NIST Computer Scientist and co-author of the report Paul E. Black says its contents will help any organization that seeks to author high-quality, low-defect computer code.
Black and his NIST colleagues compiled these ideas while working with software assurance experts from many private companies in the computer industry as well as several government agencies that generate a good deal of code, including the Department of Defense and NASA.
Vulnerabilities are common in software; in fact, even small applications have hundreds of bugs by some estimates, NIST officials say. Lowering these numbers would bring many advantages, such as reducing the number of computer crashes and reboots users need to deal with, not to mention decreasing the number of patch updates they need to download and thwarting those who seek to exploit weaknesses and vulnerabilities in software.
Black and his NIST colleagues recommend approaches such as: using math-based tools to verify the code will work properly; breaking up a computer’s programs into modular parts so that if one part fails, the whole program doesn’t crash; connecting analysis tools for code that currently operate in isolation; using appropriate programming languages for the task that the code attempts to carry out; and developing evolving and changing tactics for protecting code that is the target of cyberattacks.
The DRSV report covers vulnerabilities – i.e., exploitable weaknesses – in new and existing code and focuses on technical approaches that can have a dramatic impact in the three- to seven-year timeframe. It doesn’t include operator errors, malware or malfeasance, functional bugs, hardware, and development process, nor is it an encyclopedia of techniques or a list of best or recommended practices.
The DRSV report is organized in five areas:
· Formal methods
· System level security
· Additive software analysis
· Software development frameworks
· Moving target and software
During his DRSV discussion at AdaCore Tech Days in Boston, Black stressed the following recommendations.
Cyber retrofitting is growing in popularity. “You can’t rework all existing code; instead, identify key components. If you have a new attack or new problem or inherited something from someone, you can’t rework all the code,” Black says. “You have to rework components. Recompiling with a strong compiler adds in better components and often can get you where you need to be sooner and at a lower cost.”
Model checkers, SAT solvers, and the like can be useful. They can crawl through combinations of attack paths and show you whether any are possible, says Black, who is seeing lightweight decision algorithms used in far more areas. “They are orders of magnitude more advanced than they used to be.”
Containers are lighter-weight than virtual machines and do not provide all of a virtual machine’s isolation, but it is feasible to launch a container to handle a single request and then discard it. Similarly, microservices can be a good way to achieve system-level security.
A framework for software testing and assurance ties tools together through standard outputs and shared information to achieve analysis power that was not feasible before, Black says, and makes weaknesses harder to exploit.
In the end, software assurance comes from three places, Black says.
Gaining software assurance: A = f(p, s, e), where p is assurance from good process, s is assurance from analysis (testing, review, etc.), and e is assurance from execution.
“If you’re using two tools, and most tools are complementary and find different things, it is easier using a common format,” Black says, citing the Static Analysis Results Interchange Format (SARIF).
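A concrete version of that point, as an added example that is not from the article or from NIST: two constructed SARIF 2.1.0 logs from hypothetical tools ToolA and ToolB are merged by file, line, and rule, so that findings both tools agree on, and findings only one tool reports, fall out directly.

```python
import json
from collections import defaultdict

# Constructed sample SARIF 2.1.0 logs from two hypothetical tools; not real tool output.
TOOL_A = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "ToolA"}}, "results": [
    {"ruleId": "CWE-121", "level": "error", "message": {"text": "stack buffer overflow"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/parse.c"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "CWE-476", "level": "warning", "message": {"text": "possible NULL dereference"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/net.c"},
                                         "region": {"startLine": 17}}}]},
]}]}
TOOL_B = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "ToolB"}}, "results": [
    {"ruleId": "CWE-121", "level": "error", "message": {"text": "out-of-bounds write"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/parse.c"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "CWE-190", "level": "warning", "message": {"text": "integer overflow in size computation"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/alloc.c"},
                                         "region": {"startLine": 88}}}]},
]}]}


def load_sarif(path):
    """Read a SARIF log from disk (the same dict shape as the constructed samples above)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings(sarif):
    """Yield (tool, uri, startLine, ruleId, message) for every result location in a SARIF log."""
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc["physicalLocation"]
                line = phys.get("region", {}).get("startLine")
                yield tool, phys["artifactLocation"]["uri"], line, result.get("ruleId"), result["message"]["text"]


def merge(*logs):
    """Group findings by (uri, line, ruleId); value maps each reporting tool to its message text."""
    merged = defaultdict(dict)
    for log in logs:
        for tool, uri, line, rule, text in findings(log):
            merged[(uri, line, rule)][tool] = text
    return dict(merged)


def corroborated(merged):
    """Locations flagged with the same rule by more than one tool: the highest-confidence findings."""
    return sorted(key for key, tools in merged.items() if len(tools) > 1)


def unique_to(merged, tool):
    """Findings reported only by the named tool: what the other tool missed."""
    return sorted(key for key, tools in merged.items() if set(tools) == {tool})
```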
“Formal methods relies on mathematical models and reasoning. Other approaches are empirical,” Black adds.
Black also stresses:
· We should be using higher-level languages, and using assertions, pre- and postconditions, and invariants to express what is really going on.
· Reuse usually doesn’t work.
· Use formal methods wisely; they don’t answer questions you don’t ask; be sure assumptions, limitations, and sensitivities are justified.
Society has three options: accept failing software, limit size or authority of software, or learn how to make software that works – “and that’s what we’re all here [at AdaCore Tech Days and beyond] to do,” Black says.
NIST is also advancing the field by funding research, challenges, and prizes; through the National Initiative for Cybersecurity Education (NICE); and through technology transfer via standards, repositories, and references for further reading.
Dr. Black began his Ph.D. at UC Berkeley, then transferred to Brigham Young University where he graduated in 1998. He has taught classes at Brigham Young University and Johns Hopkins University. Dr. Black has published in the areas of static analysis, software testing, software configuration control, networks and queuing analysis, formal methods, software verification, quantum computing, and computer forensics.
Programming Languages: C, Perl, Java, Python, Pascal, C++, Lisp, Fortran, RPG II, Assembler, and Forth
Operating Systems: Linux, UNIX, Microsoft Windows, and VAX/VMS
Computers: Pentium, Sun, DEC VAX, IBM System 3, and Intel 80x86
For a complete listing of Mr. Black's publications, see: http://hissa.nist.gov/~black/Papers/
· Institute of Electrical and Electronics Engineers, Senior Member
U.S. Department of Commerce Bronze Medal for leadership in the development of software assurance test methods and reference data, December 2013.
Best Project Chief Certificate for extensive knowledge, hard work, and loyalty to the team members of SAMATE, September 2006.
ITL Outstanding Authorship Award in recognition of his publication, "Quantum Computing and Communications", September 2003.