SBIR-STTR Award

Run Time Tools' Output Integration Framework
Award last edited on: 4/22/2014

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$844,129
Award Phase
2
Solicitation Topic Code
H-SB09.2-004
Principal Investigator
Ed Seidewitz

Company Information

Data Access Technologies Inc (AKA: Model Driven Solutions, MDA, DAT)

8605 Westwood Center Drive Suite 505
Vienna, VA 22182
   (703) 992-9105
   info@modeldriven.com
   www.modeldriven.com
Location: Multiple
Congr. District: 11
County: Fairfax

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2009
Phase I Amount
$94,141
This proposal addresses the key issue in the normalization of software assurance information: how to integrate the vulnerability findings reported by multiple vulnerability detection tools. The normalization will provide normalized, consistent reporting on the type of identified weakness (alignment with CWE) as well as normalized, consistent reporting on the location and trace of the identified weakness within code (source or binary). The project will build upon and extend the results of several recent government-funded programs in the area of software assurance. Once completed, the project will deliver an open-standard-based Run Time Tool Output Integration Framework (TOIF) and the integration of several existing open source vulnerability detection tools into this framework. This will mitigate one of the major practical gaps with today's software assurance tools, the non-overlapping findings of the current tools, and will enable cross-examining the vulnerabilities reported by different tools, something that is currently very dependent on human verification and therefore very laborious. This would enable using multiple vulnerability detection tools in a coordinated manner. The anticipated results will be made available (as open source) to the community of tool vendors, leading to further improvements in vulnerability detection tools through normalization of their outputs, better alignment with existing standards, and better exchange of software assurance information.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2010
Phase II Amount
$749,988
This proposal addresses the key issue in the normalization of software assurance information: how to integrate the vulnerability findings reported by multiple vulnerability detection tools. The normalization will provide normalized, consistent reporting on the type of identified weakness (alignment with CWE) as well as normalized, consistent reporting on the location and trace of the identified weakness within code (source or binary). The project will build upon and extend the results of several recent government-funded programs in the area of software assurance. The Phase II R&D effort will utilize Phase I deliverables and accomplishments to complete the project and deliver (1) an open-standard-based Run Time Tool Output Integration Framework (TOIF) and (2) the integration of several existing open source vulnerability detection tools into this framework. This will mitigate one of the major practical gaps with today's software assurance tools, the non-overlapping findings of the current tools, and will enable cross-examining the vulnerabilities reported by different tools, something that is currently very dependent on human verification and therefore very laborious. This would enable using multiple vulnerability detection tools in a coordinated manner. The anticipated results will be made available (as open source) to the community of tool vendors, leading to further improvements in vulnerability detection tools through normalization of their outputs, better alignment with existing standards, and better exchange of software assurance information.
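The Phase I and Phase II abstracts above both describe the same core idea: normalize each tool's findings to a common weakness type (CWE) and a common code location, then cross-examine them so that overlapping and non-overlapping findings can be told apart mechanically rather than by hand. The following is an added example written for this page, not TOIF code and not code from Data Access Technologies. It assumes two hypothetical tool output formats (a JSON-lines tool "A" that reports its own rule names, and a text tool "B" that already tags findings with CWE identifiers), a constructed rule-to-CWE mapping, and a minimal normalized record keyed on (CWE, file, line); all sample output is constructed.

```python
"""Normalize findings from two hypothetical tools and cross-correlate them.

Added example for illustration only. The tool formats, rule names and the
rule-to-CWE mapping below are constructed assumptions, not TOIF's own schema.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample output of hypothetical tool "A" (one JSON object per line).
# Tool A reports its own rule names, so CWE alignment must be done here.
TOOL_A_OUTPUT = """\
{"rule": "buffer-overflow", "file": "src/net/parse.c", "line": 142}
{"rule": "format-string", "file": "src/log.c", "line": 57}
"""

# Constructed sample output of hypothetical tool "B" (compiler-style text
# lines that already carry a CWE tag).
TOOL_B_OUTPUT = """\
src/net/parse.c:142: warning: stack buffer write out of bounds [CWE-121]
src/util/str.c:88: warning: null pointer dereference [CWE-476]
"""

# Assumed mapping from tool A's private rule names to CWE identifiers.
TOOL_A_RULE_TO_CWE = {
    "buffer-overflow": 121,
    "format-string": 134,
}

TOOL_B_LINE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+): warning: .*\[CWE-(?P<cwe>\d+)\]$"
)


@dataclass(frozen=True)
class Finding:
    """Normalized record: which tool, which CWE, where in the code."""
    tool: str
    cwe: int
    file: str
    line: int

    def key(self):
        # Findings from different tools overlap when they name the same
        # weakness type at the same source location.
        return (self.cwe, self.file, self.line)


def parse_tool_a(text):
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        cwe = TOOL_A_RULE_TO_CWE.get(rec["rule"])
        if cwe is None:
            # Unmapped rule: it cannot be aligned with CWE, so skip it
            # rather than guess a weakness type.
            continue
        findings.append(Finding("A", cwe, rec["file"], int(rec["line"])))
    return findings


def parse_tool_b(text):
    findings = []
    for raw in text.splitlines():
        m = TOOL_B_LINE.match(raw.strip())
        if not m:
            continue
        findings.append(Finding("B", int(m["cwe"]), m["file"], int(m["line"])))
    return findings


def correlate(*finding_lists):
    """Group normalized findings by (cwe, file, line) -> set of reporting tools."""
    by_key = defaultdict(set)
    for findings in finding_lists:
        for f in findings:
            by_key[f.key()].add(f.tool)
    return dict(by_key)


def summarize(correlated):
    """Split keys into those reported by more than one tool and those by one."""
    confirmed = {k for k, tools in correlated.items() if len(tools) > 1}
    single = {k for k, tools in correlated.items() if len(tools) == 1}
    return confirmed, single


if __name__ == "__main__":
    corr = correlate(parse_tool_a(TOOL_A_OUTPUT), parse_tool_b(TOOL_B_OUTPUT))
    confirmed, single = summarize(corr)
    for key in sorted(confirmed):
        print("reported by both tools:", key, sorted(corr[key]))
    for key in sorted(single):
        print("reported by one tool only:", key, sorted(corr[key]))
```

The location key here is deliberately the simplest possible (file and line); a real normalization layer must also reconcile the trace each tool attaches to a finding and cope with tools that report the sink line versus the source line of the same defect, otherwise genuinely overlapping findings will be counted as non-overlapping.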