Presentation is loading. Please wait.

Presentation is loading. Please wait.

Juliet Test Suite Overview

Published byAshleigh Milward Modified over 10 years ago

Similar presentations

Presentation on theme: "Juliet Test Suite Overview"— Presentation transcript:

1 Juliet Test Suite Overview
Tim Boland NIST March 29, 2012

2 Basic Facts Juliet Test Suite contains test cases in the C/C++ and Java programming languages Each test case is small Most test cases in the test suite are synthetic (created for use) Each test case focuses on one type of flaw, but other incidental flaws may be present

3 Basic Facts (continued)
In addition to the method(s)/function(s) containing the flaw of focus, each test case provides one or more non-flawed method(s)/function(s) that perform a similar task Test case is composed of one or more source code files, as well as auxiliary files providing test case support Test cases were developed/tested on the Windows platform but most work on other platforms

4 Other Aspects The test cases are based on the Common Weakness Enumeration (CWE) The C/C++ test cases contain examples for 116 different CWEs The Java test cases contain examples for 106 different CWEs Test cases are compilable/analyzable as a whole, by individual CWEs, or by individual test case

5 Other Aspects (continued)
Test case naming format (from left to right): CWE ID, functional variant name, data/control flow indicator, programming language indicator If the test case is a Java servlet, the string “servlet” appears in the functional variant name Weakness classes (13 total) covered include: buffer handling, code quality, injection, information leaks, and pointer/reference handling “Complexities” covered include: loop structure, local control flow, data passing involving functions/methods/classes, data type, container

6 Test Case Example 1 (summarized)
File name: CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memcpy_01.c Initial stuff.. bad() // bad code – memory overwrite of pointer good() //good code – no memory overwrite of pointer main() //used for building testcase on its own or for building binary

7 Test Case Example 2 (summarized)
File name: CWE78_OS_Command_Injection__char_Environment_execl_01.c initial stuff.. bad() //bad code – non-empty environment variable used as input without validation good() //good code – benign input used main() //used for building testcase on its own or for building binary

8 Test Case Example 3 (summarized)
File name: CWE114_Process_Control__basic_01.java initial stuff.. public class.. bad() //bad code – attempt to load library without full path good() //good code – specify a full path when loading library main() //used for building testcase on its own or for building binary

9 Final Items Possible use case: identify true positive, false positive, false negative Origin for Name “Juliet” – since these test suites are the tenth major group of tests added to the NIST SAMATE Reference Dataset (SRD), and “J” is the tenth letter of the alphabet, “Juliet” is the International Phonetic Alphabet word for “J” Complete downloads of the full Juliet Test Suites are available from the top of page:

Download ppt "Juliet Test Suite Overview"

Similar presentations

CSE 105 Structured Programming Language (C)

CSE 105 Structured Programming Language (C)
Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology

Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology
CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.

CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
 2005 Pearson Education, Inc. All rights reserved. 1 1 1 Introduction.

 2005 Pearson Education, Inc. All rights reserved Introduction.
Data Types in Java Data is the information that a program has to work with. Data is of different types. The type of a piece of data tells Java what can.

Data Types in Java Data is the information that a program has to work with. Data is of different types. The type of a piece of data tells Java what can.
Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.

Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Chapter 9_3 Following Instructions: Principles of Computer Operation.

Chapter 9_3 Following Instructions: Principles of Computer Operation.
Topic R3 – Review for the Final Exam. CISC 105 – Review for the Final Exam Exam Date & Time and Exam Format The final exam is 120-minutes, closed- book,

Topic R3 – Review for the Final Exam. CISC 105 – Review for the Final Exam Exam Date & Time and Exam Format The final exam is 120-minutes, closed- book,
A452 – Programming project – Mark Scheme

A452 – Programming project – Mark Scheme
Evaluating Static Analysis Tools Dr. Paul E. Black

Evaluating Static Analysis Tools Dr. Paul E. Black
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.

TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Operator Precedence First the contents of all parentheses are evaluated beginning with the innermost set of parenthesis. Second all multiplications, divisions,

Operator Precedence First the contents of all parentheses are evaluated beginning with the innermost set of parenthesis. Second all multiplications, divisions,
Security of Open Source Web Applications Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements:

Security of Open Source Web Applications Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements:
Introduction to Java CSIS 3701: Advanced Object Oriented Programming.

Introduction to Java CSIS 3701: Advanced Object Oriented Programming.

Similar presentations

Ads by Google