May 2, 2014
The Software Assurance Marketplace (SWAMP) is a new DHS-funded center targeted at improving the quality of open source software and the quality of open source software assessment tools. As its primary task, the SWAMP automates running software assessment tools on software packages. Users can bring new software packages to be assessed, or new assessment tools to be run against software packages, and the SWAMP provides a high degree of automation for these tasks.
The SWAMP provides “continuous assurance”: the ability to run an assessment of a software package by a suite of tools on each software commit or tool update. The SWAMP also provides a secure facility in which any given tool, software package or assessment result can be shared or kept private, at the discretion of the user. In addition, each assessment run executes in its own virtual machine, providing a strong degree of isolation.
The SWAMP is open for use, providing a suite of assessment tools for C, C++, and Java programs, and a collection of 300+ software packages. New tools and packages are being added on a regular basis. The initial tools perform static analysis, operating on source code or (for Java) byte code. Upcoming developments will include support for binary analysis tools, dynamic tools, and tools targeted at both web and mobile applications.
After describing the SWAMP, I will talk about various open source products that we have been developing to help automate the process of applying tools to software packages. The application of software assurance tools to a software package often requires manual modifications to the build process and a different set of modifications for each tool. I will present the techniques that we developed for efficient automated application of arbitrary software assurance tools to arbitrary software packages.
Barton Miller is Professor of Computer Sciences at the University of Wisconsin, Madison. He directs the Paradyn Tools project, which is investigating program scalability and binary program analysis and instrumentation technologies for use in HPC, systems design, and cyber-security. Miller is Chief Scientist of the DHS-funded Software Assurance Marketplace (SWAMP) research center, a joint effort between the Morgridge Institute of Research, University of Wisconsin Computer Sciences Department, Indiana University, and the University of Illinois. He also co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. His research interests include tools for high-performance computing systems, binary code analysis and instrumentation, computer security, and scalable distributed systems. In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation".