DARPA Selects GrammaTech for Software-Assurance-Tool Benchmarking

ITHACA, N.Y. -- GrammaTech, a leading research center for and provider of cyber-security solutions, has been notified of its selection by DARPA to develop tooling for measuring and assessing the effectiveness of Software Assurance tools. The project, Grafting Vulnerabilities for Configurable Cyber Defense, will address a need in the current security-tool landscape: the inability of users to know the effectiveness of vulnerability-detection-and-mitigation tools.

The rise and continued acceleration of cyber-attacks, spanning from consumer devices to city infrastructure to government databases, have spurred efforts to eliminate security vulnerabilities by performing code audits across specific commercial products, host programs, and domains. Although detected and eliminated bugs are often tallied, undetected bugs are typically unknown, and as a result the overall ROI of the audit endeavor is unmeasured. GrammaTech's research will develop mechanisms leading to the creation of realistic evaluation benchmarks that provide quantitative insights on the strengths and weaknesses of the security tools being used within an operational environment.

Free-standing benchmark suites such as those produced by NSA's Center for Assured Software (Juliet) and Toyota Laboratories have contributed significantly to the ability to measure a tool's false-negative rates. "We are enormously proud of the predominant ranking of CodeSonar®, our flagship Software Assurance product," stated Tim Teitelbaum, GrammaTech's CEO. "But we recognize that prospective customers are left unsure about a tool's effectiveness on their own idiosyncratic codes."

"We will develop a highly-configurable tool that will provide users with the openness and flexibility needed to adapt benchmarking to their specific operational environments and domains," noted Eric Schulte, Senior Scientist on the project. "By providing customers with the ability to inject known vulnerabilities into specific code bases, we will provide customers with realistic tool-effectiveness benchmarks customized to their applications, a capability that is not available today."

GrammaTech is committed to addressing the increasingly complex cyber-attack and defensive-safeguards arms race through ongoing research and advancements in software analysis, binary transformations, and software hardening.

