Table of Contents Cert Research Vision Executive Summary 2009 Research Report Abstracts Applying Function Extraction (fx) Techniques to Reverse Engineer Virtual Machines Function Extraction for Malicious Code Analysis Metrics for Evaluating Network Sensor Placement Rayon: a Unified Framework for Dat

2009 The primary goals of the CERT ® Program are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of attacks, accidents, or failures. CERT is part of the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI advances software engineering and related disciplines to ensure systems with predictable and improved quality, cost, and schedule. This report describes how CERT research advanced the field of information and systems security during the 2009 fiscal year. Today we live in a world in which the threat of cyber attacks is ever-growing, and where threats from unknown sources are dynamic and constantly changing. It is seldom that a week goes by when articles on cyber security are not prominent in technical publications and popular media. It is the CERT Program's mission to identify, develop, and mature, and broadly transition new technologies, system development practices, and system management practices that enable informed trust and confidence in using information and communication technology. agencies, state and local governments, and other operators of infrastructures critical to the national defense, cyber security, and the national economy; the providers of information communications technologies (ICT) and services that support these system and network operators; the software development community; and computer security incident response teams with national responsibilities. The overall goal of our program is improved practices and technologies that are widely understood and routinely used to protect, detect, and respond to attacks, accidents, and failures on networked systems. Better informed, trained, and equipped people will produce better systems that will be better managed to reduce operational risk and the impact of cyber attacks. Our research strategy has been to build and maintain a technical center of excellence that uses its operational experience and expertise to look across the entire software life cycle (from requirements through development, deployment, operations, and maintenance) to • identify new technologies, development practices, and management practices that would significantly improve networked systems security and enterprise resiliency • mature these technologies and practices • apply these technologies to meet the needs of the program's stakeholders • transition these technologies into widespread use The transition activity pays special attention to education and training and recognizes the critical need to develop …

[1]  Timothy Wilson,et al.  As-If Infinitely Ranged Integer Model , 2010, 2010 IEEE 21st International Symposium on Software Reliability Engineering.

[2]  Nancy R. Mead,et al.  Privacy Risk Assessment in Privacy Requirements Engineering , 2009, 2009 Second International Workshop on Requirements Engineering and Law.

[3]  Jeffrey A. Ingalsbe,et al.  A Study of the Impact on Students Understanding Cross Cultural Differences in Software Engineering Work , 2009, 2009 33rd Annual IEEE International Computer Software and Applications Conference.

[4]  Varokas Panusuwan,et al.  Privacy Risk Assessment Case Studies in Support of SQUARE , 2009 .

[5]  Balachander Krishnamurthy,et al.  Rule-Based Anomaly Detection on IP Flows , 2009, IEEE INFOCOM 2009.

[6]  Andrew P. Moore,et al.  The Landscape of Software Assurance—Participating Organizations and Technologies , 2009 .

[7]  Andrew P. Moore,et al.  Value mapping and modeling SoS assurance technologies and supply chain , 2009, 2009 3rd Annual IEEE Systems Conference.

[8]  Carol Woody,et al.  Multi-view Decision Making (MVDM) Workshop , 2009 .

[9]  Jeffrey A. Ingalsbe,et al.  Ensuring Cost Efficient and Secure Software through Student Case Studies in Risk and Requirements Prioritization , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[10]  Julia H. Allen,et al.  High-Fidelity e-Learning: SEI's Virtual Training Environment (VTE) , 2009 .

[11]  Seiya Miyazaki,et al.  Integrating Privacy Requirements into Security Requirements Engineering , 2009, SEKE.

[12]  S. Omohundro,et al.  Model Merging for Hidden Markov Model Induction , 2009 .

[13]  Eric Vyncke,et al.  IPv6 Security , 2008 .

[14]  Seiya Miyazaki,et al.  Computer-Aided Privacy Requirements Elicitation Technique , 2008, 2008 IEEE Asia-Pacific Services Computing Conference.

[15]  Robert C. Seacord The CERT C Secure Coding Standard , 2008 .

[16]  Kevin M. Stine,et al.  Performance Measurement Guide for Information Security , 2008 .

[17]  Alan R. Hevner,et al.  Introducing function extraction into software testing , 2008, DATB.

[18]  Nancy R. Mead,et al.  Software Security Engineering , 2008 .

[19]  John B. Goodenough,et al.  Survivability Assurance for System of Systems , 2008 .

[20]  Richard C. Linger,et al.  Function Extraction: Automated Behavior Computation for Aer ospace Software Verification and Certification , 2007 .

[21]  Alan R. Hevner,et al.  Next-Generation Software Engineering: Function Extraction for Computation of Software Behavior , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[22]  Richard C. Linger,et al.  Technology Foundations for Computational Evaluation of Software Security Attributes , 2006 .

[23]  Alan R. Hevner,et al.  The CERT Function Extraction Experiment: Quantifying FX Impact on Software Comprehension and Verification , 2005 .

[24]  Robert C. Seacord,et al.  Secure coding in C and C , 2005 .

[25]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[26]  Thomas Plum,et al.  Eliminating Buffer Overflows , Using the Compiler or a Standalone Tool , 2005 .

[27]  Steven B. Lipner,et al.  The trustworthy computing security development lifecycle , 2004, 20th Annual Computer Security Applications Conference.

[28]  Nancy R. Mead,et al.  Software Security Engineering: A Guide for Project Managers , 2004 .

[29]  Richard C. Linger,et al.  Improving network system security with function extraction technology for automated calculation of program behavior , 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the.

[30]  Grace A. Lewis,et al.  Modernizing Legacy Systems - Software Technologies, Engineering Processes, and Business Practices , 2003, SEI series in software engineering.

[31]  Dean Leffingwell,et al.  Managing Software Requirements: A Use Case Approach , 2003 .

[32]  Steve McConnell From the Editor - An Ounce of Prevention , 2001, IEEE Softw..

[33]  Marc Hansen,et al.  Report of the Defense Science Board Task Force on Defense Software , 2000 .

[34]  Stacy J. Prowell,et al.  Cleanroom software engineering: technology and process , 1999 .

[35]  Xin Wang,et al.  High-level information-an approach for integrating front-end and back-end compilers , 1998, Proceedings. 1998 International Conference on Parallel Processing (Cat. No.98EX205).

[36]  C Ellis-Stoll Recommended practices. , 1995, AORN journal.

[37]  Andreas Stolcke,et al.  Best-first Model Merging for Hidden Markov Model Induction , 1994, ArXiv.

[38]  Raymond M. Smullyan Recursion theory for metamathematics , 1993, Oxford logic guides.

[39]  Andreas Stolcke,et al.  Hidden Markov Model} Induction by Bayesian Model Merging , 1992, NIPS.

[40]  Barry W. Boehm,et al.  Understanding and Controlling Software Costs , 1988, IEEE Trans. Software Eng..

[41]  John R. Rodman,et al.  Reports , 1919, Restoration & Management Notes.

[42]  Harlan D. Mills,et al.  Cleanroom Software Engineering , 1987, IEEE Software.

[43]  Lloyd Allison,et al.  A Practical Introduction to Denotational Semantics , 1987 .

[44]  Capers Jones,et al.  Tutorial Programming Productivity: Issues for the Eighties , 1986 .