STONESOUP
Securely Taking On New Executable Stuff Of Uncertain Provenance

Can the evaluation and certification of the security properties of mission-critical software systems be automated so much that time and human effort are reduced tenfold? This is the subject of the STONESOUP study.

We are studying how to gain assurance by examining software itself and accompanying artifacts of its creation. Software evaluation processes often have not exploited the many advances in software production, analysis, testing, monitoring, and confinement.

A new certification pipeline?

We are investigating combinations of technologies that can produce specific assurances about software—particularly, security assurances. These technologies include:

  • Languages and specifications. Lightweight specifications can help evaluate software properties.
  • Analysis and transformation. Analyses can identify vulnerabilities; transformations can eliminate them or permit monitoring.
  • Testing and model checking. Automated testing and model checking can be used to identify vulnerabilities.
  • Monitoring and confinement. Confinement (by the OS, VMM, ...) can prevent misbehavior and allow monitoring.

We will also study synergies between these different technologies, bringing together interested researchers from different research areas to identify how combined approaches can improve assurance or reduce cost.

Workshops

  • May 9, 2008. 1st STONESOUP workshop on software certification. Sheraton Four Points at BWI Airport, MD.
    [ meeting agenda | meeting location and logistics ]
  • June 20, 2008. 2nd STONESOUP workshop on software certification and confinement. Seattle, WA.