James A. Kupsch scite author profile

Visualizing a program's structure and security characteristics is the intrinsic part of in-depth software security assessment. Such an assessment is typically an analyst-driven task. The visualization for security analysis is usually laborintensive, since analysts need to read documents and source code, synthesize trace data from multiple sources (e.g., system utilities like lsof or strace). To help address this problem, we propose SecSTAR, a tool that dynamically collects the key information from a system and automatically produces the necessary diagrams to support the first steps of widely-used security analysis methodologies, such as Microsoft Threat Modeling and UW/UAB First Principles Vulnerability Assessment (FPVA). SecSTAR uses an efficient dynamic binary instrumentation technique, self-propelled instrumentation, to collect trace data from production systems during runtime then automatically produces diagrams. Furthermore, SecSTAR allows analysts to interactively view and explore diagrams in a web browser. For example, analysts can navigate the diagrams through time and at different levels of detail. We demonstrated the usefulness of using SecSTAR to produce FPVA-style diagrams for a widely used and complex distributed middleware system, the Condor high-throughput scheduling system. Compared with the original manual approach in FPVA, SecSTAR shortened the initial diagram construction time from months to hours and constructed a more accurate diagram visualizing the complete runtime structure of Condor.

show abstract

How to Open a File and Not Get Hacked

Kupsch

Miller

2008

View full text Add to dashboard Cite

Bad and good news about using software assurance tools

Kupsch

Heymann

Miller

et al. 2016

Softw. Pract. Exper.

View full text Add to dashboard Cite

SUMMARYSoftware assurance tools -tools that scan the source or binary code of a program to find weaknesses -are the first line of defense in assessing the security of a software project. Even though there are a plethora of such tools available, with multiple tools for almost every programming language, adoption of these tools is spotty at best. And even though different tools have distinct abilities to find different kinds of weaknesses, the use of multiple tools is even less common. And when the tools are used (or attempted to be used), they are often used in ways that reduce their effectiveness. We present a step-by-step discussion of how to use a software assurance tool, describing the challenges that can occur in this process. We also present quantitative evidence about the effects that can occur when assurance tools are applied in a simplistic or naive way. We base this presentation on our direct experiences with using a wide variety of assurance tools. We then present the US Department of Homeland Security funded Software Assurance Marketplace (SWAMP), an open facility where users can upload their software to have it automatically and continually assessed by a variety of tools. The goal of the SWAMP is to simplify the task of the programmer in using assurance tools, thereby removing many of the obstacles to their adoption.

show abstract

From continuous integration to continuous assurance

Kupsch

Miller

Basupalli

et al. 2017

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

James A. Kupsch

First principles vulnerability assessment

Automated tracing and visualization of software security structure and properties

How to Open a File and Not Get Hacked

Bad and good news about using software assurance tools

From continuous integration to continuous assurance

Contact Info

Product

Resources

About