SBIR-STTR Award

veriScan
Award last edited on: 4/9/2019

Sponsored Program
STTR
Awarding Agency
DOD : MDA
Total Award Amount
$1,098,593
Award Phase
2
Solicitation Topic Code
OSD06-SP2
Principal Investigator
Leigh Flagg

Company Information

Sentar Inc

315 Winn Drive Suite 1
Huntsville, AL 35805
   (256) 430-0860
   info@sentar.com
   www.sentar.com

Research Institution

University of Tulsa

Phase I

Contract Number: FA9550-06-C-0048
Start Date: 6/9/2006    Completed: 6/9/2007
Phase I year
2006
Phase I Amount
$99,994
Capabilities of large-scale software intensive systems such as those of interest to the Software Producibility Initiative are built incrementally within the overarching infrastructure. This requires frequent updates/extensions to integrate processes and to ensure expedient, fault tolerant, secure and robust operations. The potentially widespread impact made by incorporation of new capabilities coupled with the criticality of system operations may dictate incorporation of untrusted components without strict a priori verification. However, technologies to monitor, control, and verify discrete run-time software components are the subject of on-going research and development. They provide software monitoring at different granularities (i.e. network, operating system and application level) and sometimes for a distinct type of domain. While many of these technologies have gained a level of maturity and acceptance for host-level systems, there is currently limited research underway to substantiate their applicability to large scale software intensive systems on which there are unique quality constraints, and within which there is vast heterogeneity of components and interaction processes. To this end, Sentar and the University of Tulsa propose the Information Assurance Run-time Auditing (IARA) concept as a framework to promote the specification of software system monitoring, audit, analysis and threat mitigation capabilities in large scale software intensive systems.

Keywords:
Run-Time Security Monitoring, Computer-Based Untrusted Behavior, Verification, Multi-Agent System, Interoperability

Phase II

Contract Number: HQ0147-17-C-7106
Start Date: 3/10/2017    Completed: 3/9/2019
Phase II year
2017
Phase II Amount
$998,599
The goal of the Information Assurance Run-time Auditing (IARA) Phase I project was to provide a framework that promotes the specification of software system monitoring, audit, analysis, and threat mitigation capabilities in large scale software intensive systems (LSSIS). IARA was designed to promote software assurance by incorporating novel tools that help certify the operations of untrusted software within a trusted environment. For the Phase II effort, Sentar has re-framed IARA as veriScan to better address the software assurance requirements whose critical operations require off-line analysis. veriScan is envisioned as a software assurance platform for statically and dynamically analyzing and assessing both source and binary software files for the presence of program vulnerabilities, coding weaknesses, and malicious intent. veriScan automates the execution of a critical mass of analysis programs for verifying large scale, mixed programming language systems that are implicitly trusted. veriScan performs risk assessments; reports on those risks in the face of reuse; and provides decision support to enable the mitigation of any risks identified. This Phase II project is particularly focused on developing advanced scanning capabilities for systems software written in FORTRAN and ADA. In addition, this capability will support dynamic vulnerability identification and verification. Approved for Public Release | 16-MDA-8863 (22 September 16)