PrintPrint

Awards

Topic Information Award/Contract Number Proposal Information Company Performance
Period
Award/Contract
Value
Abstract

H-SB09.2-004
Software Testing and Vulnerability Analysis

N10PC20014 0921066
(FY09.2 Phase I)
Software Assurance Analysis and Visual Analytics

Applied Visions, Inc.
6 Bayview Avenue
Northport, NY 11768-1502

11/01/2009
to
05/15/2010
$99,207.00

Software is a mature discipline, yet more than 98 percent of all PCs have one or more vulnerable programs, and in the US there are 2.7 billion programs open for attack. Efforts to address the problem at the source--during software development--are shockingly inadequate, with many commercial Software Assurance tools focused on detection rather than working to become part of the development process. More effective Software Testing and Vulnerability Analysis is required to identify and remediate vulnerabilities before systems are deployed. The Secure Decisions Division of Applied Visions Inc. proposes to design and develop a Software Assurance Analysis and Visual Analytics system that can be integrated into the Software Development Life Cycle to identify, confirm, and understand weaknesses and vulnerabilities in source code. No single Software Assurance tool is likely to identify all vulnerabilities: we do not propose to develop yet another vulnerability detection method, but to develop a platform for correlating the results of multiple analysis tools. Our approach is to leverage existing tools by providing a framework for linking disparate testing and vulnerability analysis tools, and to provide a visual analytics platform that embeds a mechanism for feedback from human analysis into automated analysis.

H-SB09.2-004
Software Testing and Vulnerability Analysis

N10PC20017 0921090
(FY09.2 Phase I)
Concolic Testing with Metronome

GrammaTech, Inc.
317 N. Aurora Street
Ithaca, NY 14850-4201

11/01/2009
to
05/15/2010
$99,999.99

We propose to build a system that combines novel automatic test generation techniques with state-of-the-art multi-platform continuous integration technology. The proposed system will automatically generate test data by using a combination of symbolic and concrete executions to intelligently explore the space of inputs. The continuous integration technology will enable the system to detect defects very early in the development cycle.

H-SB09.2-004
Software Testing and Vulnerability Analysis

N10PC20004 0921091
(FY09.2 Phase I)
CodeSonar with Metronome

GrammaTech, Inc.
317 N. Aurora Street
Ithaca, NY 14850-4201

11/01/2009
to
05/15/2010
$99,999.99

The current generation of advanced static-analysis tools find vulnerabilities by exploring all possible executions of a program as configured for a single platform. The next quantum leap in capability will be a system that will explore all executions for many different platforms simultaneously. We propose to develop such a system by combining a number of state-of-the-art techniques. Novel continuous integration technology will allow distribution of concurrent analyses across a farm of heterogeneous machines. Advances in our static-analysis engine will exploit machine-code analysis to ferret out subtle platform-specific differences in behavior. The results of these analyses will be collated, filtered, ranked, and presented to the analyst in a single combined report.

H-SB09.2-004
Software Testing and Vulnerability Analysis

D11PC20009 0922001
(FY09.2 Phase II)
Multi-Platform Program Analysis

GrammaTech, Inc.
317 N. Aurora Street
Ithaca, NY 14850-4201

06/01/2011
to
11/30/2013
$750,000.00

The current generation of advanced static-analysis tools find vulnerabilities by exploring all possible executions of a program as configured for a single platform. Phase I research confirmed that a significant number of platform-specific defects may be missed if analysis is restricted to a single platform. The next quantum leap in capability will be a system that will explore all executions for many different platforms simultaneously. We propose to develop such a system by combining a number of state-of-the-art techniques. Novel continuous integration technology will allow distribution of concurrent analyses across a farm of heterogeneous machines. Advances in our static-analysis engine will exploit machine-code analysis to ferret out subtle platform-specific differences in behavior. Intelligent test-case-generation technology will find test inputs that trigger platform-specific defects. The results of these analyses will be collated, filtered, ranked, and presented to the analyst as a single combined report. The resulting analysis system will appeal to software producers in many market segments, including communications, medical electronics, avionics, and industrial control.

H-SB09.2-004
Software Testing and Vulnerability Analysis

D11PC20010 0922004
(FY09.2 Phase II)
Software Assurance Analysis and Visual Analytics

Applied Visions, Inc.
6 Bayview Avenue
Northport, NY 11768-1502

01/10/2011
to
12/30/2014
$836,996.16

To increase confidence that software is secure, researchers and vendors have developed different kinds of automated software security analysis tools. These tools analyze software for weaknesses and vulnerabilities, but produce massive data with many false positives. Further, the individual tools catch different vulnerabilities, often with little overlap. The NSA tested five static code analysis tools and found that 84pct of the vulnerabilities were identified by only one tool. These results point to the need to combine and correlate the results of multiple tools to ensure comprehensive vulnerability analysis. However, the disparate interfaces and non-normalized results of each tool make correlation of their results taxing to the software developer. The Secure Decisions Division of Applied Visions Inc. is developing a Software Assurance Analysis and Visual Analytics platform that integrates the results of disparate software analysis tools into a visual environment for triage and exploration of code vulnerabilities. Software developers can explore voluminous vulnerability results to uncover hidden trends, triage the most important code weaknesses, and show who is responsible for introducing software vulnerabilities. Visual analytics focus the user`s attention on the most pressing vulnerabilities. By correlating and normalizing data from multiple tools, the overall vulnerability detection coverage of software is increased.

H-SB09.2-004
Software Testing and Vulnerability Analysis

D14PC00222 FY09.2-H-SB09.2-004-0003-CRPP
(FY09.2 CRPP)
Software Assurance Analysis and Visual Analytics

Applied Visions, Inc.
6 Bayview Avenue
Northport, NY 11768-1502

09/15/2014
to
09/30/2015
$199,999.39

Under our Phase II SBIR we developed a compelling new technology for software assurance called Code Dx. We used initial feedback from government agencies and industry experts, collected during beta testing and Version 1.0 evaluations, to produce Version 1.1 which is technically mature and ready for trial evaluations and sale. However, the path to commercial success requires more than technical capabilities. It requires execution of a commercialization plan; staffing and infrastructure to sustain marketing, sales and support; and the financing to support both. In this proposal we outline eight strategic commercialization objectives and a commercialization roadmap that identifies specific tactics and activities that must be completed to achieve those objectives. We further identify a subset of those activities that we seek to fund through the DHS Commercialization Readiness Pilot Program (CRPP), with the remaining activities to be funded with internal and potential venture investment. The proposed Statement of Work (SOW) represents the specific commercialization activities that the CRPP funds would support. The SOW includes activities related to creating awareness of and demand for Code Dx: developing a set of reference users; promoting Code Dx within the Application Security Testing (AST) community and raising awareness among those not engaged in AST due to cost or difficulty in use; outreach to security training organizations; filling in small competitive gaps such as IDE plug-ins; and establishing partnerships to accelerate marketing and sales.