Malicious Software

Computer viruses, worms and Trojan horses continue to pose a major threat to the security of today's information systems. Existing antivirus software is a valuable tool in the battle against malicious software; however, it is not a total solution to the problem. Cigital Labs has explored various cutting-edge techniques for detecting, preventing and analyzing malicious programs.

Research Projects

Publications

Software Security Top 10 Surprises (HTML)
G. McGraw
informIT (December 15, 2008)

Web Applications and Software Security (HTML)
G. McGraw
informIT (November 14, 2008)

A Software Security Framework: Working Towards a Realistic Maturity Model (HTML)
G. McGraw, B. Chess
informIT (October 15, 2008)

Getting Past the Bug Parade (HTML)
G. McGraw
informIT (September 17, 2008)

Software Security Demand Rising (HTML)
G. McGraw
informIT (August 11, 2008)

Application Assessment as a Factory (HTML)
G. McGraw
informIT (July 17, 2008)

Securing Web 3.0 (HTML)
G. McGraw
informIT (May 15, 2008)

Paying for Secure Software (HTML)
G. McGraw
informIT (April 7, 2008)

The Truth Behind Code Analysis (HTML)
G. McGraw
Dark Reading (February 13, 2008)

Software Security Strategies (HTML)
G. McGraw
Dark Reading (January 9, 2008)

Beyond the PCI Band-Aid (HTML)
G. McGraw
Dark Reading (December 10, 2007)

Online Games & the Law (HTML)
G. McGraw
Dark Reading (October 11, 2007)

Mobile Insecurity (HTML)
G. McGraw
Dark Reading (September 14, 2007)

The Ultimate Insider (HTML)
G. McGraw
Dark Reading (August 14, 2007)

Consolidate This (HTML)
G. McGraw
Dark Reading (July 12, 2007)

JSON, Ajax & Web 2.0 (HTML)
G. McGraw
Dark Reading (June 7, 2007)

Certifiable (HTML)
G. McGraw
Dark Reading (May 9, 2007)

Want Turns to Need (HTML)
G. McGraw
Dark Reading (April 20, 2007)

Compliance As Kick-Starter (HTML)
G. McGraw
Dark Reading (March 12, 2007)

Security's Symbiosis (HTML)
G. McGraw
Dark Reading (February 27, 2007)

Hurray for Hollywood!? (HTML)
G. McGraw
Dark Reading (January 12, 2007)

Foxy Vista Henhouse (HTML)
G. McGraw
Dark Reading (December 11, 2006)

Boarding-Pass Brouhaha (HTML)
G. McGraw
Dark Reading (November 2, 2006)

Diebold Disses Democracy (HTML)
G. McGraw
Dark Reading (October 9, 2006)

Keep Your Laws Off My Security (HTML)
G. McGraw
Dark Reading (September 7, 2006)

Google is Evil (HTML)
G. McGraw
Dark Reading (August 4, 2006)

If You Build It, They'll Crash It (HTML)
G. McGraw
Dark Reading (July 7, 2006)

New Terrorist Profile: Phone Users (HTML)
G. McGraw
Dark Reading (June 13, 2006)

As Security Problems Grow, Time for Software Assessment Is Now (HTML)
G. McGraw
SD Times (June 1, 2006)

Beyond the Badness-ometer (HTML)
G. McGraw
Dr. Dobbs (June 30, 2006)

Microsoft's Missed Opportunity (HTML)
G. McGraw
Dark Reading (May 3, 2006)

Is Application Security Training Worth the Money? (PDF)
G. McGraw
IT Architect Magazine, February 1, 2006.

Is Sony BMG Run By Malicious Hackers? (PDF)
G. McGraw
IT Architect Magazine, January 1, 2006.

When Does Security Cross the Line? (PDF)
G. McGraw
IT Architect Magazine, December 1, 2005.

Is Security Really About Getting Nothing Done? (PDF)
G. McGraw
IT Architect Magazine, November 1, 2005.

How Bad Is Intrusion Detection? (PDF)
G. McGraw
IT Architect Magazine, October 1, 2005.

Is Cisco Naked? (PDF)
G. McGraw
IT Architect Magazine, September 1, 2005.

Is VoIP Secure Enough For Prime Time? (PDF)
G. McGraw
IT Architect Magazine, August 1, 2005.

Is Penetration Testing a Good Idea? (PDF)
G. McGraw
Network Magazine, July 1, 2005.

Are Cell Phones the Next Target? (PDF)
G. McGraw
Network Magazine, June 1, 2005.

How Does Security Fit With Engineering? (PDF)
G. McGraw
Network Magazine, May 1, 2005.

Is Your Mac Really More Secure? (PDF)
G. McGraw
Network Magazine, April 1, 2005.

Where Does Trust Come From? (PDF)
G. McGraw
Network Magazine, March 1, 2005.

Are We In a Computer Security Renaissance? (PDF)
G. McGraw
Network Magazine, February 1, 2005.

Innovative Rootkits: The Ultimate Weapon? (PDF)
G. McGraw
Network Magazine, January 1, 2005.

How Do Real Bad Guys Break Software? (PDF)
G. McGraw
Network Magazine, December 1, 2004.

Application Security Testing Tools: Worth the Money? (PDF)
G. McGraw
Network Magazine, November 1, 2004.

Who Should Do Security? (PDF)
G. McGraw
Network Magazine, October 1, 2004.

A Subliminal Channel in Secret Block Ciphers
A. Young, M. Yung
Selected Areas in Cryptography, August 9-10, 2004.

Mitigating Insider Threats to RSA Key Generation (PS / Word)
A. Young
RSA Laboratories' Cryptobytes (Spring 2004; Vol. 6, No. 1)

A Key Recovery System as Secure as Factoring
A. Young, M. Yung
CT-RSA Conference, 2004.

Relationships Between Diffie-Hellman and Index Oracles
A. Young, M. Yung
Fourth Conference on Security in Communication Networks '04, 2004.

Backdoor Attacks on Black-Box Ciphers Exploiting Low-Entropy Plaintexts
A. Young, M. Yung
Eighth Australasian Conference on Information Security and Privacy (ACISP), Lecture Notes in Computer Science (LNCS), July 9-11, Springer-Verlag, 2003.

Non-Zero Sum Games and Survivable Malware
A. Young
Proceedings of the 4th Annual IEEE Information Assurance Workshop, June 18-20, United States Military Academy, West Point, New York, 2003.

A Weakness in Smart-Card PKI Certification
A. Young
Proceedings of the 4th Annual IEEE Information Assurance Workshop, June 18-20, United States Military Academy, West Point, New York, 2003.

A Toolkit for Detecting and Analyzing Malicious Software (PDF)
M. Weber, M. Schmid, D. Geyer, M. Schatz
Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, NV, December, 2002.

Protecting Data from Malicious Software (PDF)
M. Schmid, F. Hill, A. Ghosh
Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, NV, December, 2002.

Controlling the Execution of Unauthorized Software (PS / PDF / Word)
M. Schmid, J.T. Bloch, F. Hill, A. Ghosh
To appear in the Proceedings of the 2001 DARPA Information Survivability Conference & Exposition, June 2001, Anaheim, CA.

Testing Commercial-off-the-Shelf Software Components (Word)
J. Haddox, G. Kapfhammer, C. Michael, M. Schatz
Proceedings of the 18th International Conference and Exposition on Testing.

Bandwidth-Optimal Kleptographic Attacks
A. Young, M. Yung
Cryptographic Hardware and Embedded Systems (CHES), 2001.

A PVSS as Hard as Discrete Log and Shareholder Separability
A. Young, M. Yung
PKC 2001 (Public Key Crypto).

Secure mobile gambling
M. Jakobsson, D. Pointcheval, A. Young
CT-RSA Conference 2001.

Two State-Based Approaches to Program-based Anomaly Detection (PS / PDF)
C. Michael, A. Ghosh
Proceedings of ACSAC 2000, December 2000.

A Real-Time Intrusion Detection System Based on Learning Program Behavior (PS / PDF)
A.K. Ghosh, C.C. Michael, and M.A. Schatz
Recent Advances in Intrusion Detection; Third International Workshop, RAID 2000.

Execution Control Lists: An Approach to Defending Against New and Unknown Malicious Software (PS / PDF)
A.K. Ghosh, M. Schmid
In Proceedings of the Information Survivability Workshop 2000, October 24-26, 2000, Boston, MA.

An Approach to Identifying and Understanding Problematic COTS Components (PS / PDF)
G. Kapfhammer, C. Michael, J. Haddox, R. Coyler
Presented at ISACC 2000, The Software Risk Management Conference.

Preliminary Cryptanalysis of Reduced-Round Serpent (PS / PDF)
T. Kohno, J. Kelsey, and B. Schneier
Third AES Candidate Conference, April 13-14, 2000.

Limited Software Warranties (PS / PDF)
J. Voas
To be presented at ECBS 2000, April 2000.

Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent (PS / PDF)
J. Kelsey, T. Kohno, B. Schneier
Seventh Fast Software Encryption Workshop, Springer-Verlag, April 10-12, 2000.

Deriving Accurate Operational Profiles for Mass-Marketed Software (PS / PDF)
J. Voas
Submitted to 4th International Conference on Empirical Assessment & Evaluation in Software (EASE 2000).

Techniques for Evaluating the Robustness of Windows NT Software (PDF / Word)
M. Schmid, A.K. Ghosh, F. Hill
To appear in the 2000 DARPA Information Survivability Conference & Exposition (DISCEX'00), January 2000, Hilton Head, SC.

Software Fault Injection (PS / PDF)
J. Voas
IEEE Spectrum, to appear in 2000.

"User Participation"-Based Software Certification (PS / PDF / Word)
J. Voas
To appear in IEEE Computer, early 2000.

Third-Party Usage Profiling: A Model for Optimizing the Mass-Marketed Software Industry (PS / PDF)
J. Voas
Submitted to IEEE Software.

Hash to the Rescue: Space Minimization for PKI Directories
A. Young, M. Yung
ICISC 2000 (International Conf. on Info. Sec. and Crypto).

Dependability Certification of Software Components (PS / PDF)
J. Voas and J. Payne
Journal of Systems and Software, 2000.

RSA Based Auto-Recoverable Cryptosystems
A. Young, M. Yung
Proceedings of Public Key Cryptography (PKC), 2000.

Towards Signature-Only Signature Schemes
A. Young, M. Yung
Asiacrypt 2000.

An Approach to Testing COTS Software for Robustness to Operating System Exceptions and Errors (PS / PDF)
A.K. Ghosh, M. Schmid
To appear in the 1999 International Symposium on Software Reliability Engineering (ISSRE99), November 1-4, 1999, Boca Raton, FL.

Predicting When to Reboot "Continuously Operating" Embedded Software (HTML)
J. Voas, F. Charron
In proceedings of CONQUEST'99, September 1999, Nuremberg, Germany.

Software Malleability: We're Losing It! (PDF)
J. Voas
In the proceedings of the 2nd Annual Systems Engineering and Supportability Conference, September 1999, San Diego, CA.

How We Learned to Cheat in Online Poker: A Study in Software Security (PDF / HTML)
B. Arkin, F. Hill, S. Marks, M. Schmid, T.J. Walls, G. McGraw
Developer.Com, 09/28/99.

Inoculating Software for Survivability (PS / PDF)
A. Ghosh, J. Voas
Communications of the ACM, July 1999.

A Recipe for Certifying High Assurance Software (PS / PDF)
J. Voas
IEEE Software, July 1999.

This Decade's Eight Greatest Myths About Software Quality (PS / PDF)
J. Voas
IEEE Software, July 1999.

User Participation-Based Software Certification (PS / PDF)
J. Voas
In proceedings of Eurovav'99, Oslo, Norway, June 1999.

Data Generation Techniques for Automated Software Robustness Testing (PDF / Word)
M. Schmid, F. Hill
Sixteenth International Conference on Testing Computer Software (ICTCS'99)

Wrapping Windows NT Software for Robustness (PS / PDF)
A. Ghosh, M. Schmid, F. Hill
To appear in Proceedings of the 29th International Fault Tolerant Computer Symposium (FTCS-29), June 15-18, 1999, Madison, WI.

A Government-Controlled United States Software/IT Industry? (PS / PDF)
J. Voas
IEEE Software, May 1999.

Why COTS Software Increases Security Risks (PS / PDF)
G. McGraw, J. Viega
ICSE Workshop on Testing Distributed Component-Based Systems, May 1999.

Software Assurance for Security (PDF / Word)
G. McGraw
IEEE Computer 32(4), pages 103-105. April 1999.

Learning Program Behavior Profiles for Intrusion Detection (PS / PDF)
A.K. Ghosh, A. Schwartzbard, M. Schatz
To appear in Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 9-12, 1999, Santa Clara, CA.

Disposable Information Systems: The Future of Software Maintenance? (PS / PDF)
J. Voas
Journal of Software Maintenance, March 1999.

Can Critical Information Infrastructure Protection be Achieved with Untested Software? (PS / PDF)
J. Voas
IEEE Software, March 1999.

Software Hazard Mining (PS / PDF)
J. Voas
For the IEEE Workshop on Application Specific Software Engineering and Technology (ASSET'99), March, 1999. Richardson, TX.

Using Program Behavior Profiles for Intrusion Detection (PS / PDF)
A.K. Ghosh, A. Schwartzbard, M. Schatz
SANS Conference and Workshop on Intrusion Detection and Response, Technical Conference, Workshop on the State of the Art and Future Directions of Intrusion Detection and Response, February 12-13, San Diego, CA, pp. 1-20 -- 1-26.

Protecting Against What? The Achilles Heel of Information Assurance (PDF)
J. Voas
IEEE Software, January 1999.

NetHose: A Tool for Finding Vulnerabilities in Network Stacks (PS / PDF)
A. Ghosh, F. Hill, M. Schmid
Short talk at the 1999 IEEE Security and Privacy Symposium, Oakland, CA, 1999.

Auto-Recoverable Auto-Certifiable Cryptosystems (a survey)
A. Young, M. Yung
CQRE, Springer-Verlag, LNCS, 1999.

Non-Interactive CryptoComputing for NC1
T. Sander, A. Young, M. Yung
40th Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society, pages 554-566, '99.

Using Assertions to Make Untestable Software More Testable (PS / PDF)
J. Voas, L. Kassab
Software Quality Professional.

Auto-Recoverable Cryptosystems with Faster Initialization and the Escrow Hierarchy
A. Young, M. Yung
Proceedings of Public Key Cryptography (PKC), 1999.

Detecting Anomalous and Unknown Intrusions Against Programs (PS / PDF)
A.K. Ghosh, J. Wanken, F. Charron
Proceedings of Annual Computer Security Applications Conference (ACSAC'98), December 7-11, 1998, Scottsdale, AZ.

Analyzing Software Sensitivity to Human Error (PS / PDF)
J. Voas
Failure and Lessons Learned in Information Technology Management - An International Journal 2(4), December, 1998.

The Software Quality Certification Triangle (PS / PDF / HTML)
J. Voas
Crosstalk, November, 1998.

Wrapping Windows NT Binary Executables for Failure Simulation (PS / PDF)
A.K. Ghosh, M. Schmid
Fast abstract to appear in the International Symposium on Software Reliability Engineering (ISSRE'98), November 4-7, 1998, Paderborn, GE.

Mobile Code Security (HTML)
G. McGraw and E. Felten
Editors, IEEE Internet Computing, November/December 1998.

Will Software Failures Halt the Availability of Business Insurance? (PS / PDF)
J. Voas
International Symposium on Software Reliability Engineering (ISSRE'98), November 4-7, 1998, Paderborn, GE.

Testing the Robustness of Windows NT Software (PS / PDF)
A.K. Ghosh, M. Schmid, and V. Shah
Experience report to appear in the International Symposium on Software Reliability Engineering (ISSRE'98), November 4-7, 1998, Paderborn, GE.

Automated Software Test Data Generation for Complex Programs (PS / PDF)
G. McGraw and C. Michael
Proceedings of the 13th IEEE Automated Software Engineering Conference, October 13-16, 1998, Honolulu, Hawaii.

Massive Games of Artificial Life on the Internet: A Testbed for Research on Survivability Architectures (Word)
G. McGraw, K. Sullivan
Proceedings of the Information Survivability Workshop, October 28-30 1998, Orlando, FL.

An Approach for Analyzing the Robustness of Windows NT Software (PS / PDF)
A. Ghosh, V. Shah, M. Schmid
Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, p. 383-391. Crystal City, VA.

An Approach for Certifying Security in Software Components (PS / PDF)
A. Ghosh, G. McGraw
Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, Crystal City, VA.

Studying Behavior to Unlock the Truth About Quality
J. Voas
Cutter IT Journal, September, 1998 (Volume 11, Number 9), p. 7-11.

Agent Trustworthiness (PS / PDF)
L. Kassab, J. Voas
Workshop on Mobile Object Systems: Secure Internet Mobile, July, 1998, Brussels, Belgium.

E-Commerce Security: No Silver Bullet
A.K. Ghosh
In Proceedings of the IFIP WG 11.3 Working Conference on Database Security, July 15-17, 1998, Chalkidiki, GR.

Maintaining Component-based Systems (PS / PDF)
J. Voas
IEEE Software, July, 1998.

An Approach to Certifying Off-the-Shelf Software Components (PS / PDF)
J. Voas
IEEE Computer, June, 1998.

Towards Fault-Tolerant Mobile Agents (PS / PDF)
L. Kassab, J. Voas
Workshop on Distributed Computing on the Web, June, 1998, Rostock, Germany.

Defensive Approaches to Testing Systems that Contain COTS and Third-Party Functionality (PS / PDF)
J. Voas
In Proc. of 15th Int'l. Conference and Exposition on Testing Computer Software, June, 1998.

An Automated Approach for Identifying Potential Vulnerabilities in Software (PS / PDF)
A. Ghosh, T. O'Connor, G. McGraw
Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA. May 3-6, 1998, pp. 104-114.

Independent Software Measurement's Role in the Liability Puzzle (PS / PDF)
J. Voas
In the Proceedings of the European Software Measurement Conference, Antwerp, Belgium, May 1998.

Software Certification Laboratories? (PS / PDF)
J. Voas
Crosstalk, April 1998.

A Defensive Approach to Testing Systems that Contain COTS and Third-Party Functionality (PS / PDF)
J. Voas
In the Proceedings AQUIS '98, Venice, April 1998.

Testing for Security During Development: Why we should scrap penetrate-and-patch. (PS / PDF)
G. McGraw
IEEE Aerospace and Electronic Systems, April 1998.

Error Propagation Analysis Studies in a Nuclear Research Code (PDF)
J. Voas, F. Charron, L. Beltracchi
In Proceedings of the 1998 IEEE Aerospace Conference, Snowmass, CO, March 1998.

OTS Software Failures: Can Anything be Done? (PS / PDF)
J. Voas, J. Payne
In Proceedings of the First IEEE Workshop on Application Specific Software Engineering and Technology (ASSET'98), March, 1998, Dallas

COTS: The Economical Choice? (PS)
J. Voas
IEEE Software (Manager Column), March 1998.

Certifying Y2K 'Fixes' (PS / PDF)
J. Voas
Crosstalk, January 1998.

Finding Length-3 Positive Cunningham Chains and their Cryptographic Significance
A. Young, M. Yung
Algorithmic Number Theory III (ANTS), LNCS vol. 1423, 1998.

Auto-Recoverable Auto-Certifiable Cryptosystems
A. Young, M. Yung
Advances in Cryptology, Eurocrypt '98.

Black-Box Symmetric Ciphers Designed for Monopolizing Keys
A. Young, M. Yung
Fast Software Encryption Workshop, 1998.

Reducing Uncertainty About Common-Mode Failures (PS / PDF)
J. Voas, A. Ghosh, F. Charron, L. Kassab
In Proceedings of ISSRE, November 1997.

Genetic Algorithms for Dynamic Test Data Generation (PS / PDF)
C. Michael, G. McGraw, M. Schatz, and C. Walton
In Proceedings of IEEE International Automated Software Engineering Conference (ASE97), November 3-5, 1997.

Simulating Specification Errors and Ambiguities in Systems Employing Diversity (PS / PDF)
J. Voas, L. Kassab
In the Proceedings of 1997 Pacific Northwest Software Quality Conference, October 27-29, 1997.

Building Software Recovery Assertions from Fault Injection Analysis (PS / PDF)
J. Voas
In Proceedings of COMPSAC'97, August 1997, Washington DC.

The Ability of Directed Tests to Predict Software Quality (PS)
C. Michael, J. Voas
In Annals of Software Engineering, August 1997.

Predicting How Badly "Good" Software can Behave (PS)
J. Voas, F. Charron, G. McGraw, E. Miller, M. Friedman
IEEE Software, July 1997.

Can Clean Pipes Produce Dirty Water? (PS / PDF)
J. Voas
IEEE Software (Quality Time Column), July 1997.

Reducing Uncertainty About Common-Mode Failures (PS / PDF)
J. Voas, A. Ghosh, F. Charron, L. Kassab
Submitted to the 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD.

Reusing Tests of Reusable Software Components (PS)
C. Michael
In Proceedings of COMPASS '97, June 1997.

Fault-injection: A Crystal Ball for Software Quality (PS / PDF)
J. Voas, G. McGraw, L. Kassab, L. Voas
IEEE Computer, June 1997, Volume 30, Number 6, pp. 29-36.

On the Uniformity of Error Propagation in Software (PS)
C. Michael and R. Jones
In Proceedings of COMPASS '97, June 1997.

Problems of Accuracy in the Prediction of Software Quality from Directed Tests (PS / PDF)
C. Michael, J. Voas
International Conference on Testing Computer Software, June 1997.

Testing for Security During Development: Why We Should Scrap Penetrate-and-Patch (PS)
G. McGraw
In Proceedings of 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD.

A Few Assertions about Information Hiding (PS / PDF)
J. Voas
IEEE Software (Quality Time Column), March 1997.

Using Evolution Constraints to Assess the Failure-proneness of Evolving Software (PS)
C. Michael
Proceedings of the First Euromicro Working Conference on Software Maintenance and Reengineering (CSMR97), March 17-19, 1997, Berlin, Germany.

Reducing Uncertainty About Survivability (PS / PDF)
J. Voas, G. McGraw, A. Ghosh
Proc. of the 1997 Information Survivability Workshop, February 12-13, 1997, San Diego, CA

Software Fault-injection: Growing 'Safer' Systems (PS / PDF)
J. Voas
In Proc. of IEEE Aerospace Conference, February, 1997, Snowmass, CO.

Encryption Tools for Mobile Agents: Sliding Encryption
A. Young, M. Yung
Fast Software Encryption Workshop.

Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage
A. Young, M. Yung
IEEE Symposium on Security and Privacy, pages 224-235, 1997.

The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems
A. Young, M. Yung
Advances in Cryptology, CRYPTO '97, pages 264-276, Springer, 1997.

On the Use of Process Information in Directed Testing (PS)
C. Michael
Software Quality Engineering '97.

Kleptography: Using Cryptography against Cryptography
A. Young, M. Yung
Advances in Cryptology, Eurocrypt '97, pages 62-74, Springer, 1997.

Software Testability: Investing in Testing (PS / PDF)
J. Voas, K. Miller
Proceedings of EuroStar'96, Amsterdam, December, 1996.

Tolerant Software Interfaces: Can COTS-based Systems be Trusted Without Them? (PS / PDF)
J. Voas, F. Charron, K. Miller
Proceedings of the 15th Int'l. Conference on Computer Safety, Reliability, and Security (SAFECOMP'96), Vienna, October, 1996.

Investigating Rare-Event Failure Tolerance: Reductions in Uncertainty (PS / PDF)
J. Voas, F. Charron, K. Miller
Proceedings of IEEE High-Assurance Systems Engineering Workshop (HASE'96), in conjunction with the 15th Symposium on Reliable Distributed Systems, Niagara-on-the-Lake, Canada, October, 1996.

Glueing Together Software Components: How Good is Your Glue? (PS / PDF)
J. Voas, A. Ghosh, G. McGraw, K. Miller
Proceedings of Pacific Northwest Software Quality Conference, October, 1996.

Automatic Generation of Test-Cases for Software Testing (PS / PDF)
G. McGraw, C. Michael
Proceedings of the 18th Annual Conference of the Cognitive Science Society, July 1996.

Emergent Letter Perception: Implementing the Role Hypothesis (PS / PDF)
G. McGraw, D. Hofstadter
Proceedings of the 18th Annual Conference of the Cognitive Science Society, July 1996.

Substituting Voas's Testability Measure for Musa's Fault Exposure Ratio (PS / PDF)
J. Voas, K. Miller
Proceedings of the Int'l. Communications Conference, June, 1996, Dallas, TX.

Untangling the Woven Web: Testing Web-based Software (PS / PDF)
G. McGraw, D. Hovemeyer
Proceedings of the 13th International Conference on Testing Computer Software (ICTCS), June 1996.

Developing Expertise in Software Security: An Outsider's Perspective (PS / PDF)
G. McGraw, A.K. Ghosh
In working notes of the Invitational Workshop on Computer Vulnerability Data Sharing, NIST, June 1996.

Building a Java Software Engineering Tool for Testing Applets (PS / PDF)
A.S. Binns, G. McGraw
Proceedings of the IntraNet 96 NY Conference, April 8-10, 1996, New York City.

The Dark Side of 'Black-Box' Cryptography or: Should We Trust Capstone?
A. Young, M. Yung
Advances in Cryptology, CRYPTO '96, pages 89-103, Springer, 1996.

Testing Software for Characteristics Other than Correctness: Safety, Failure-tolerance, and Security (PS / PDF)
J. Voas
Proceedings of the Int'l. Conf. on Testing Computer Software.

Defining an Adaptive Software Security Metric from a Dynamic Software Failure-tolerance Measure (PS / PDF)
J. Voas, G. McGraw, A.K. Ghosh, F. Charron, K. Miller
Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS'96)

Cryptovirology: Extortion-Based Security Threats and Countermeasures
A. Young, M. Yung
IEEE Symposium on Security and Privacy, pages 129-140, 1996.

Detecting Program Modules with Low Testability (PS)
T.M. Khoshgoftaar, R.M. Szabo, J.M. Voas
Proceedings of ICSM'95, Nice, France, October, 1995.

Fault Injection for Logic Synthesis Design using VHDL (PS / PDF)
T.A. DeLong, A.K. Ghosh, B.W. Johnson, J.A. Profeta, III
Mentor Users' Group Symposium 12th Annual International Conference, October 23-27, 1995, Portland, OR.

An Automated Code-based Fault-tree Mitigation Technique (PS / PDF)
J. Voas, K. Miller
Proceedings of 14th Int'l. Conf. on Computer Safety, Security, and Reliability. Italy, October, 1995.

Using Fault Injection to Assess Software Engineering Standards (PS / PDF)
J. Voas, K. Miller
Proceedings of Int'l. Symp. on Software Engineering Standards, August, 1995.

Procedures for Reducing the Size of Coverage-based Test Sets (PS / PDF)
J. Offutt, J. Pan, J. Voas
Proceedings of 12th Int'l. Conf. on Testing Computer Software. Washington, DC. June, 1995.

Examining Fault-tolerance Using Unlikely Inputs: Turning the Test Distribution Up-side Down (PS / PDF)
J. Voas, K. Miller
Proceedings of COMPASS'95, Gaithersburg, MD June, 1995.

Software Testability Measurement for Assertion Injection and Fault Localization (PS / PDF)
J. Voas
Proceedings of 2nd Int'l. Workshop on Automated and Algorithmic Debugging (AADEBUG'95), St. Malo, France, May, 1995.

Software Testability: The New Verification (PS / PDF)
J. Voas, K. Miller
IEEE Software. May, 1995.

Software Testability: An Experiment in Measuring Simulation Reusability (PS)
J. Voas, J. Payne, R. Mills, J. McManus
Proceedings of ACM Sigsoft (SSR'95), Seattle, April 29-30.

Predicting Software's Minimum-time-to-hazard and Mean-time-to-hazard for Rare Input Events (PS / PDF)
J. Voas, K. Miller
Proceedings of the 6th Int'l. Symp. on Softw. Reliability Engineering, 1995, Publisher: IEEE Computer Society.

Confidently Assessing a Zero Probability of Software Failure (PS)
J. Voas, C. Michael, K. Miller
High Integrity Systems Journal. Oxford University Press. 1(3):269-275, 1995.

Putting Assertions in Their Place (PS)
J. Voas, K. Miller
Proceedings of the Int'l. Symposium on Software Reliability Engineering, November 6-9, 1994, Monterey, CA.

A Comparison of a Dynamic Software Testability Metric to Static Cyclomatic Complexity (PS)
J. Voas, K. Miller, J. Payne
Proceedings of 2nd Int'l. Conf. on Software Quality Management, July, 1994, Edinburgh, Scotland, Publisher: Computational Mechanics Publications.

Formal Testability Analysis (PS)
J. Voas
In the Encyclopedia of Software Engineering, John Wiley & Sons, pp.517--518, 1994.

Dynamic Testability Analysis for Assessing Fault Tolerance (PS)
J. Voas, K. Miller
High Integrity Systems Journal. 1(2):171-178, 1994, Oxford University Press.

An Empirical Comparison of a Dynamic Software Testability Metric to Static Cyclomatic Complexity (PS / PDF)
J. Voas, K. Miller, J. Payne
Proceedings of the 18th Annual Software Engineering Workshop, December, 1993, NASA-Goddard Software Engineering Laboratory Series Report 93-003.

Confidently Assessing a Zero Probability of Software Failure (PS)
J. Voas, C. Michael, K. Miller
Proceedings of the 12th Int'l. Conf. on Computer Safety, Reliability, and Security, October, 1993, pp. 197-206, Poznan, Poland. Publisher: Springer-Verlag, ISBN 3-540-19838-5.

Software Testability and Its Application to Avionic Software (PS)
J. Voas, K. Miller, J. Payne
Proceedings of Computers in Aerospace 9, October, 1993, San Diego, CA. Publisher: AIAA.

Dynamic Testability Analysis for Software Safety (PS)
J. Voas, K. Miller, J. Payne
Proceedings of the 2nd IASTED Int'l. Conf. on Reliability, Quality Control and Risk Assessment, October, 1993, Cambridge, MA, Publisher: IASTED-ACTA Press, ISBN: 0-88986-181-1.

Automating Test Case Generation for Coverages Required by FAA Standard DO-178B (PS)
J. Voas, K. Miller, J. Payne
Proceedings of Computers in Aerospace 9, October, 1993, San Diego, CA. Publisher: AIAA.

A Software Analysis Technique for Quantifying Reliability in High-Risk Medical Devices (PS / PDF)
J. Voas, K. Miller, J. Payne
Proceedings of the 6th IEEE Symposium on Computer-Based Medical Systems, June, 1993, Ann Arbor, MI.

Faults on Its Sleeve: Amplifying Software Reliability Testing (PS / PDF)
R. Hamlet, J. Voas
Proceedings of the ACM SIGSOFT Int'l. Symposium on Software Testing and Analysis, June, 1993, Cambridge, MA, Publisher: ACM.

Semantic Metrics for Software Testability (PS)
J. Voas, K. Miller
The Journal of Systems and Software, Elsevier Science Publishers Ltd. 20:207-216, March, 1993.

A Framework for Defining Semantic Metrics (PS)
L. Morell, J. Voas
The Journal of Systems and Software, Elsevier Science Publishers Ltd. 20:245-251, March, 1993.

Applying a Dynamic Testability Technique to Debugging Certain Classes of Software Faults (PS / PDF)
J. Voas, K. Miller
Software Quality Journal, Chapman & Hall, March, 1993, p. 61-75.

Designing Programs That are Less Likely to Hide Faults (PS / PDF)
J. Voas, K. Miller, J. Payne
The Journal of Systems and Software, Elsevier Science Publishers Ltd. 20:93-100, January, 1993.

A Model for Detecting the Existence of Software Corruption in Real Time (PS / PDF)
J. Voas, J. Payne, F. Cohen
Computers and Security J., 11(8), Elsevier Science Publishers Ltd. 1993.

A Model for Assessing the Liability of Seemingly Correct Software (PS / PDF)
J. Voas, L. Voas, K. Miller
Proceedings of the IASTED Int'l. Conf. on Reliability, Quality Control and Risk Assessment, p. 32--35, November, 1992, Washington, D.C, Publisher: IASTED-ACTA Press, ISBN: 0-88986-171-4.

Improving the Software Development Process Using Testability Research (PS / PDF)
J. Voas, K. Miller
Proceedings of the 3rd Int'l. Symp. on Softw. Reliability Engineering, p. 114--121, October, 1992, RTP, NC, Publisher: IEEE Computer Society.

Designing Programs that do not Hide Data State Errors During Random Black-Box Testing (PS)
J. Voas, K. Miller, R. Noonan
Proceedings of the 5th Int'l. Conf. on Putting Into Practice Methods and Tools for Information System Design, September, 1992, Nantes, France.

PIE: A Dynamic Failure-Based Technique (PS / PDF)
J. Voas
IEEE Trans. on Softw. Eng., 18(8):717--727, August, 1992.

Dynamic Testing Complexity Metric (PS / PDF)
J. Voas
Software Quality Journal, 1(2):101--114, Chapman & Hall, June, 1992.

PISCES: A Tool for Predicting Software Testability (PS / PDF)
J. Voas, K. Miller, J. Payne
Proceedings of the Symp. on Assessment of Quality Software Development Tools, May, 1992, p. 297-309, New Orleans, LA, IEEE Computer Society, ISBN: 0-8186-2620-8.

The Revealing Power of a Test Case (PS / PDF)
J. Voas, K. Miller
Journal of Software Testing, Verification, and Reliability, John Wiley and Sons, 2(1):25-42, May, 1992.

Estimating the Probability of Failure when Testing Reveals No Failures (PS)
K. Miller, L. Morell, R. Noonan, S. Park, D. Nicol, B. Murrill, J. Voas
IEEE Trans. on Software Engineering, 18(1):33-44, Jan. 1992.

Factors that Affect Software Testability (PS / PDF)
J. Voas
Proceedings of the 9th Pacific Northwest Softw. Quality Conf., p. 235--247, October, 1991, Portland, OR. Publisher: Pacific Northwest Software Quality Conference, Inc.

A Dynamic Failure Model for Predicting the Impact that a Program Location has on the Program (PS / PDF)
J. Voas
Lecture Notes in Computer Science Series, Vol. 550: Proc. of the 3rd European Softw. Eng. Conf., p. 308--331, October, 1991, Italy, Publisher: Springer-Verlag, A. Van Lamsweerde and A. Fugetta (Eds.).

Predicting Where Faults Can Hide From Testing (PS / PDF)
J. Voas, L. Morell, K. Miller
IEEE Software, 8(2):41--47, March 1991.