Security Experts:

NIST Tool Finds Errors in Complex Safety-Critical Software

The U.S. National Institute of Standards and Technology (NIST) this week announced that updates to its Automated Combinatorial Testing for Software (ACTS) research toolkit should help developers of complex safety-critical applications find potentially dangerous errors and make their software safer.

ACTS is designed to help developers ensure that their products are safe from simultaneous input combinations that could trigger a dangerous error. A software error can have serious consequences in the case of safety-critical applications, such as the ones present in cars, aircraft and nuclear power plants.

The problem is that it’s difficult to conduct thorough testing in the case of very large systems. However, researchers from NIST -- in collaboration with the University of Texas at Arlington, Adobe, and SBA Research, the research center for information security in Austria -- have found a way to properly test even software that has thousands of input variables.

Their findings have been implemented in the ACTS toolset through an updated version of the Combinatorial Coverage Measurement (CCM) tool. The improvements should help developers not only improve safety, but also reduce development costs. Ensuring that safety-critical software is reliable can cost 7-20 times more than in the case of conventional software, NIST said.

“Before we revised CCM, it was difficult to test software that handled thousands of variables thoroughly,” explained NIST mathematician Raghu Kacker. “That limitation is a problem for complex modern software of the sort that is used in passenger airliners and nuclear power plants, because it’s not just highly configurable, it’s also life critical. People’s lives and health are depending on it.”

The agency’s tools could until now handle a few hundred input variables, but a tool developed by SBA Research enables organizations to test software with up to 2,000 inputs. NIST said these two systems complement each other.

While the SBA algorithm has yet to be officially added to the ACTS toolset, developers can request it from NIST.

Related: NIST Working on Global IoT Cybersecurity Standards

Related: NIST Small Business Cybersecurity Act Becomes Law

Related: NIST to Withdraw 11 Outdated Cybersecurity Publications

Related: NIST's New Advice on Medical IoT Devices

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.