Full Workshop Details The Election Assistance Commission (EAC), Federal Voting Assistance Program (FVAP) of the Department of Defense, and NIST sponsored a workshop to explore the technical issues associated with remote electronic absentee voting systems for military and overseas voters. UOCAVA is the Uniformed and Overseas Citizens Absentee Voting Act. The sponsoring organizations seek to understand: Desired/required functional properties of UOCAVA remote voting systems Advantages and disadvantages of different UOCAVA remote voting system architectures Ways to express and compare...
Full Workshop Details The Election Assistance Commission (EAC) and NIST sponsored a two-and-a-half day symposium to explore emerging trends in voting system technology with the diverse election community at large. The sponsoring organizations seek lively discussion on the following topics: Why some jurisdictions are exploring building their own voting systems Trends in voting system technology acquisition and deployment plans How election officials, manufacturers and academics view the future of voting system technologies Alternative standard development processes for voting...
On October 13-14, NIST sponsored an End-to-End Voting System Workshop designed to bring together researchers in cryptography, security, and usability and election practitioners, including election officials and voting system manufacturers, to explore the security and usability properties of this type of innovative voting system. Keynote talks described the fundamental notion of end-to-end voting systems and a State and election official’s perspective on innovative voting systems. A tutorial on how end-to-end voting systems work provided a common background for the workshop participants. A...
32nd Annual Conference: Innovations in Cybersecurity Awareness and Training: A 360 Degree Perspective. FISSEA is a forum for Federal Information Security Educators to share information, effective practices, and solutions regarding cybersecurity awareness, training, and industry-recognized certifications for the federal cybersecurity workforce. The 32nd Annual Conference was held on June 27th and 28th, 2019 at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. The conference theme was Innovations in Cybersecurity Awareness and Training: A 360 Degree...
Access control systems are among the most critical security components. Faulty policies, misconfigurations, or flaws in the software implementation can result in serious vulnerabilities. Specifying access control policies correctly is often a challenging problem: a system’s privacy and security are frequently compromised by a misconfigured access control policy rather than by a failure of cryptographic primitives or protocols. This problem becomes increasingly severe as software systems become more complex and are deployed to manage a large amount of sensitive information and...
Combinatorial testing is being applied successfully in nearly every industry, and is especially valuable for assurance of high-risk software with safety or security concerns. Combinatorial testing is referred to as effectively exhaustive, or pseudo-exhaustive, because it can be as effective as fully exhaustive testing, while reducing test set size by 20X to more than 100X. Case studies below are from many types of applications, including aerospace, automotive, autonomous systems, cybersecurity, financial systems, video games, industrial controls, telecommunications, web applications, and...
Self-driving cars and autonomous systems of all types are notoriously difficult challenges for software assurance. Both traditional testing and formal methods are even harder to apply for autonomous systems than in ordinary cases. The key problem is that these systems must be able to function correctly in a vast space of possible input conditions. For example, autonomous vehicles must deal with lighting, rain, fog, pedestrians, animals, other vehicles, road markings, signs, etc. Combinatorial methods are uniquely well suited to analysis and testing for this enormous input space, because by...
This research grew out of our 2001 paper on failures in medical device software, which found that the failures were triggered by only 1 to 4 variables interacting. Surprisingly, although "pairwise" testing had been popular for many years, no one had looked at the actual distribution of failures by number of interacting factors. We continued this work and published other papers finding that all, or nearly all, software failures involve interactions among a small number of variables, no more than 6, in thousands of failure reports. Below are some of our research areas. If you'd like to find out...
Papers | Covering Array Library | Seminars & Talks & Tutorial | Combinatorial Methods For Modeling & Simulation | Workshop Papers | DOs and DON'Ts of testing
POSTED November 30, 2007: NIST Interagency Report 7452: Secure Biometric Match-on-Card Feasibility Report (NIST IR 7452) NIST is pleased to announce the release of NIST Interagency Report 7452, Secure Biometric Match-on-Card Feasibility Report. NIST conducted the feasibility study to understand the effects of combining asymmetric cryptography with Biometric Match-on-Card. The report describes the tests that were conducted to obtain timing metrics for the SBMOC transaction and provides a summary of the test results. POSTED October 4, 2007: Draft Special Publication 800-73-2, Interfaces...
Fundamental background papers: Empirical justification for combinatorial testing: D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., "Software Fault Interactions and Implications for Software Testing," IEEE Transactions on Software Engineering, vol. 30, no. 6, June 2004, pp. 418-421. DOI: 10.1109/TSE.2004.24 (abstract and preprint available). Comment: Investigates the interaction level required to trigger faults in a large distributed database system. IPOG algorithm used in construction of covering arrays: Y. Lei, R. Kacker, D.R. Kuhn, V. Okun and J. Lawrence, "IPOG: a General Strategy for T-way Software Testing," 14th...
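The t-way covering arrays that the combinatorial-testing entries above describe (the "pseudo-exhaustive" test sets, the 1-to-6-factor interaction finding, and the in-parameter-order IPOG strategy cited here), as an added example that is not code from NIST, from the ACTS tool or from the cited papers: a simplified IPOG-style construction that starts exhaustive on the first t parameters and then adds one parameter at a time by horizontal growth (extend each row with the value that covers the most new t-tuples) and vertical growth (add rows for tuples still uncovered), together with an independent coverage check and the size of the exhaustive set for comparison. The parameter domains are constructed for the example and do not come from any real system.

```python
import itertools
import math
from typing import List, Optional, Sequence, Tuple

Row = List[Optional[object]]            # None marks a "don't care" cell


def _covers(row: Row, cols: Tuple[int, ...], vals: Tuple[object, ...]) -> bool:
    return all(row[c] == v for c, v in zip(cols, vals))


def ipog(domains: Sequence[Sequence[object]], t: int) -> List[Row]:
    """Strength-t covering array by a simplified in-parameter-order (IPOG-style) greedy build."""
    k = len(domains)
    if not 1 <= t <= k:
        raise ValueError("strength t must satisfy 1 <= t <= number of parameters")
    # exhaustive on the first t parameters
    rows: List[Row] = [list(r) for r in itertools.product(*domains[:t])]
    for i in range(t, k):
        # every t-tuple that involves the new parameter i and t-1 earlier parameters
        uncovered = [
            (prev + (i,), vals)
            for prev in itertools.combinations(range(i), t - 1)
            for vals in itertools.product(*(domains[c] for c in prev + (i,)))
        ]
        # horizontal growth: give each existing row the value covering the most new tuples
        for row in rows:
            row.append(None)
            best_v, best_hits = domains[i][0], set()
            for v in domains[i]:
                row[i] = v
                hits = {tp for tp in uncovered if _covers(row, *tp)}
                if len(hits) > len(best_hits):
                    best_v, best_hits = v, hits
            row[i] = best_v
            if best_hits:
                uncovered = [tp for tp in uncovered if tp not in best_hits]
        # vertical growth: fit leftover tuples into don't-care cells, else add a new row
        for cols, vals in uncovered:
            for row in rows:
                if all(row[c] is None or row[c] == v for c, v in zip(cols, vals)):
                    for c, v in zip(cols, vals):
                        row[c] = v
                    break
            else:
                new: Row = [None] * (i + 1)
                for c, v in zip(cols, vals):
                    new[c] = v
                rows.append(new)
    for row in rows:                    # resolve remaining don't-cares to a concrete value
        for c, v in enumerate(row):
            if v is None:
                row[c] = domains[c][0]
    return rows


def missing_tuples(rows: Sequence[Row], domains: Sequence[Sequence[object]], t: int):
    """Independent check: every value combination of every t parameters must appear in some row."""
    missing = []
    for cols in itertools.combinations(range(len(domains)), t):
        seen = {tuple(row[c] for c in cols) for row in rows}
        missing += [(cols, vals) for vals in itertools.product(*(domains[c] for c in cols))
                    if vals not in seen]
    return missing


def exhaustive_size(domains: Sequence[Sequence[object]]) -> int:
    return math.prod(len(d) for d in domains)


# Constructed example input: request-handling parameters of a hypothetical web service.
DOMAINS = [
    ("http", "https"),                      # transport
    ("none", "basic", "token", "mtls"),     # authentication method
    ("anonymous", "user", "admin"),         # caller role
    ("GET", "POST", "PUT", "DELETE"),       # HTTP method
    ("json", "form", "xml"),                # request body encoding
    ("on", "off"),                          # response caching
]

if __name__ == "__main__":
    for t in (2, 3):
        rows = ipog(DOMAINS, t)
        print(f"t={t}: {len(rows)} tests vs {exhaustive_size(DOMAINS)} exhaustive; "
              f"{len(missing_tuples(rows, DOMAINS, t))} {t}-way tuples left uncovered")
```

The pairwise array must have at least 16 rows (one per authentication/method pair) and the 3-way array at least 48, so the reduction against the 576 exhaustive tests is visible directly; `missing_tuples` is the check a practitioner should run before trusting any generated array, whatever tool produced it.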
Quick introductions to Combinatorial Testing: Practical Applications of Combinatorial Testing, East Carolina University, March 22, 2012. Combinatorial Testing and Design of Experiments, TU Berlin, June 28, 2011. Combinatorial Testing, Institute for Defense Analyses, April 6, 2011. (approx. 2 hours) Combinatorial Testing Seminar, US Army Test & Evaluation Command, Aberdeen Proving Ground, May 17, 2010. (approx. 3 hours). Combinatorial Testing, Carnegie-Mellon University Jan 26, 2010. (approx. 60 min.) Combinatorial Testing Tutorial, National Defense Industrial Association, Reston, VA,...
AES Overview | NIST Reports | Federal Register Notices | Rijndael Info | Related Publications AES Overview Beginning in 1997, NIST worked with industry and the cryptographic community to develop an Advanced Encryption Standard (AES). The overall goal was to develop a Federal Information Processing Standard (FIPS) specifying an encryption algorithm capable of protecting sensitive government information well into the 21st century. The algorithm was expected to be used by the U.S. Government and, on a voluntary basis, by the private sector. On January 2, 1997, NIST announced the initiation of...
Authentication mechanisms such as passwords and multi-factor authentication methods (e.g., smart cards and tokens) provide examples of the challenges involved in creating usable cybersecurity solutions. Our research explores the usage and usability of authentication mechanisms. We focus on how these mechanisms can be improved to aid in their correct, secure employment by different user populations while avoiding user frustration and circumvention. Also see our Youth Security & Privacy research area for publications related to youth passwords. Publications Digital Identity Guidelines...
In this new research area, we will be investigating election officials' needs, current challenges, and constraints related to election technology with the potential of increasing voter trust and confidence in election outcomes. Our exploration will be at the intersection of cybersecurity, usability, and accessibility. Stay tuned for more information as we progress in this effort.
Journal: Software Engineering Journal Abstract: The paper describes a method for providing improved prototyping capabilities in a process control system emulation tool. The tool, the NIST Hierarchical Control System Emulator, allows concurrent execution of modules emulating both physical processes and decision processes. The concurrent modules ar...
Abstract: High-performance computing (HPC) is a vital computational infrastructure for processing large data volumes, performing complex simulations, and conducting advanced machine learning model training. As such, HPC is a critical component of scientific discovery, innovation, and economic competitiveness....
Abstract: Access control policy verification ensures that there are no faults within the policy that leak or block access privileges. As a software test, access control policy verification relies on methods such as model proof, data structure, system simulation, and test oracle to verify that the policy logic...
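The policy verification this abstract describes, and the misconfiguration problem raised in the access control entry earlier on this page, as an added example that is not NIST's code or code from the cited work: a first-applicable rule evaluator, a test oracle stating the intended access model, and a verifier that simulates every (subject, resource, action) request and reports leaks (permitted but should be denied), blocks (denied but should be permitted) and rules that never fire. A misconfigured policy is shown beside its corrected ordering. The subjects, resources, rule names and the `intended` oracle are constructed for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple

Attrs = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                  # "permit" or "deny"
    roles: FrozenSet[str]        # empty set = matches any value
    sensitivities: FrozenSet[str]
    actions: FrozenSet[str]

    def matches(self, subj: Attrs, res: Attrs, action: str) -> bool:
        return ((not self.roles or subj["role"] in self.roles)
                and (not self.sensitivities or res["sensitivity"] in self.sensitivities)
                and (not self.actions or action in self.actions))


def rule(name, effect, roles=(), sensitivities=(), actions=()) -> Rule:
    return Rule(name, effect, frozenset(roles), frozenset(sensitivities), frozenset(actions))


def evaluate(policy: Sequence[Rule], subj: Attrs, res: Attrs, action: str, default="deny"):
    """First-applicable combining: the first matching rule decides; otherwise the default."""
    for r in policy:
        if r.matches(subj, res, action):
            return r.effect, r.name
    return default, None


def verify(policy, subjects, resources, actions, oracle: Callable[[Attrs, Attrs, str], str]):
    """Simulate every request and compare the policy's decision with the oracle's intent."""
    leaks, blocks, fired = [], [], set()
    for (sname, subj), (rname, res), action in itertools.product(
            subjects.items(), resources.items(), actions):
        decision, by = evaluate(policy, subj, res, action)
        if by is not None:
            fired.add(by)
        expected = oracle(subj, res, action)
        if decision == "permit" and expected == "deny":
            leaks.append((sname, rname, action, by))
        elif decision == "deny" and expected == "permit":
            blocks.append((sname, rname, action, by))
    unreachable = [r.name for r in policy if r.name not in fired]   # shadowed rules
    return {"leaks": leaks, "blocks": blocks, "unreachable": unreachable}


# --- constructed sample data, not from any real deployment ---
SUBJECTS = {"alice": {"role": "admin"}, "bob": {"role": "analyst"}, "guest": {"role": "anonymous"}}
RESOURCES = {"/audit-log": {"sensitivity": "restricted"},
             "/dashboard": {"sensitivity": "internal"},
             "/status": {"sensitivity": "public"}}
ACTIONS = ("read", "write")


def intended(subj: Attrs, res: Attrs, action: str) -> str:
    """Test oracle: admins do anything; analysts read internal/public; anonymous reads public."""
    role, sens = subj["role"], res["sensitivity"]
    if role == "admin":
        return "permit"
    if role == "analyst":
        return "permit" if action == "read" and sens in ("internal", "public") else "deny"
    return "permit" if action == "read" and sens == "public" else "deny"


# Misconfigured: a blanket deny ordered before the admin rule blocks admins, an over-broad
# permit leaks internal data to anonymous callers and shadows the narrower anonymous rule.
MISCONFIGURED = [
    rule("deny-restricted", "deny", sensitivities={"restricted"}),
    rule("admin-all", "permit", roles={"admin"}),
    rule("read-nonrestricted", "permit", sensitivities={"internal", "public"}, actions={"read"}),
    rule("anon-public-read", "permit", roles={"anonymous"}, sensitivities={"public"}, actions={"read"}),
]

# Corrected: specific permits first, an explicit deny for anonymous, default deny for the rest.
CORRECTED = [
    rule("admin-all", "permit", roles={"admin"}),
    rule("anon-public-read", "permit", roles={"anonymous"}, sensitivities={"public"}, actions={"read"}),
    rule("deny-anon", "deny", roles={"anonymous"}),
    rule("analyst-read", "permit", roles={"analyst"}, sensitivities={"internal", "public"}, actions={"read"}),
]

if __name__ == "__main__":
    for label, policy in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, verify(policy, SUBJECTS, RESOURCES, ACTIONS, intended))
```

Exhaustive simulation is practical here because the attribute space is tiny; for real policies the same loop is run over a covering array of attribute combinations rather than the full product, and an unreachable rule is treated as a finding in its own right, since it usually means an earlier rule is broader than intended.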
Abstract: Structural coverage criteria are widely used tools in software engineering, useful for measuring aspects of test execution thoroughness. However in many cases structural coverage may not be applicable, either because source code is not available, or because processing is based on neural networks or...
Abstract: The selfish mining attack allows cryptocurrency miners to mine more than their "fair share" of blocks, stealing revenue from other miners while reducing the overall security of payments. This malicious strategy has been extensively studied in Bitcoin, but far less attention has been paid to how the...
Conference: Fourteenth International Conference on Software Engineering Advances (ICSEA 2019) Abstract: In this work, we investigate how the governance features of a managed currency (e.g., a fiat currency) can be built into a cryptocurrency in order to leverage potential benefits found in the use of blockchain technology and smart contracts. The resulting managed cryptocurrency can increase transpare...
Journal: Computer Communications Abstract: Diversity as a security mechanism is receiving renewed interest due to its potential for improving the resilience of software and networks against previously unknown attacks. Recent works show diversity can be modeled and quantified as a security metric at the network level. However, such efforts do...
Conference: IEEE VLSI Test Symposium 2019 Abstract: Power side-channel attacks (SCAs) have become a major concern to the security community due to their noninvasive feature, low-cost, and effectiveness in extracting secret information from hardware implementation of crypto algorithms. Therefore, it is imperative to evaluate if the hardware is vulnera...
Conference: IFIP Annual Conference on Data and Applications Security and Privacy Abstract: As today’s cloud providers strive to attract customers with better services and less downtime in a highly competitive market, they increasingly rely on remote administrators including those from third party providers for fulfilling regular maintenance tasks. In such a scenario, the privileges grante...
Journal: Journal of Computer Security Abstract: The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities, and how to improve the network’s resilience against potentially unknown vulnerabilities. To this end, network hardening is a well-known...