Focused workshops are important in evolving software development technologies to better meet the needs of the Ada community, particularly regarding Reliable and Secure Systems. Workshops are free for those registered for the conference. The following workshops are currently planned for SIGAda 2007.
- GNAT BoF: Where Would You Like To See GNAT Go?, Robert Dewar
Wednesday, November 7, 7:00-8:30 PM
This BoF will discuss future directions for the GNAT technology, including both the GAP and Pro versions. We at AdaCore will give some of our thoughts on interesting future possibilities, but mostly we would like to hear from the user community, so we see this session as an open discussion of interesting ideas for the future. This is a chance for you to say what you want, and have your ideas discussed!
- Hibachi - the Eclipse Ada Development Toolset, Tom Grosman
Wednesday, November 7, 8:30-10:00pm
Hibachi is an open source (EPL), standard, extensible, vendor-neutral Eclipse Ada development environment. Hibachi has recently been voted upon and approved by the Eclipse Management Organization and is now an official Eclipse Project. Earlier, it had been in the project proposal phase (see http://www.eclipse.org/projects/dev_process/development_process.php), which involves gathering a viable developer/tester/user community around the project and IP rights to any code contributions. Now that these pieces are in place, the project, now approved by the Eclipse Management Organization (EMO), can begin producing high quality releases available to end users, as well as third party integrators.
As Hibachi project lead, Mr. Grosman has been in touch with the major active Ada development environment vendors (ACT, Aonix, DDC-I, GHS) and they have all expressed interest and a desire to commit resources to making Hibachi a success. In addition, gnuada development team members have also expressed support for Hibachi and a willingness to participate. Mr. Grosman is also in contact with several universities who will be contributing engineering effort as part of their curricula (master's theses), as well as some major industrial partners who are large scale users of Ada and who have expressed interest in contributing development and/or financial resources. Aonix has offered to contribute the source for its Eclipse plugin, AonixADT, as a code base for Hibachi. AonixADT currently supports ObjectAda as well as GNAT/gnuada development. Contributions of existing code from other sources are also a possibility depending on the willingness of other potential contributors. Because of these factors, and the encouragement of the Hibachi project mentor Doug Schaefer, CDT project lead, Mr. Grosman has every expectation that the Hibachi proposal will be accepted and that we will be able to produce a plugin with features as outlined in the Hibachi Proposal (http://www.eclipse.org/proposals/adt/). The development plan outlined in the Hibachi proposal indicates that a first useable release of Hibachi will be available in time for SIGAda in November.
Given this context, Mr. Grosman proposes that the Hibachi workshop be divided into 3 parts:
- History (Of interest especially to those just becoming acquainted with Hibachi or Eclipse)
  - A brief overview of the Eclipse framework
  - Hibachi project goals
  - The Eclipse development process
  - The scope and area of application of Hibachi
- Current Status
  - Overview of the current release
  - Features
  - Functionalities
  - Architectural overview
  - Overview of the development resources in place
  - Committers
  - Contributors
  - Testing/QA procedures
  - Bug reporting and resolution
- Future Direction
  - The latest development plan
  - Features for future releases
  - Improvements to the current development process/development environment
  - Increasing the adoption of Hibachi within the Ada community
  - Relationships between Hibachi and other relevant Eclipse projects (for example modeling plugins, the DSDP debugger project, etc.).
The result of the discussions that take place during Part 3 (Future Direction) will serve as input to the ongoing Hibachi project development and release plan.
Mr. Grosman will be the workshop coordinator. Since many of the potential Hibachi contributors will be attending SIGAda, he should be able to arrange a co-coordinator should it become necessary. The workshop will be of interest to:
- Current and potential future contributors to the Hibachi project (developers and testers)
- Third party integrators (people/companies who produce Ada static analysis tools, testing tools, in-house Coding Standard tools, etc.)
- Industrial users of Ada who want to use Eclipse as a portable, extensible, multi-language development platform, or who use Ada products from more than one vendor on various projects and are interested in having a single best-of-breed interface regardless of the underlying Ada tool set chosen.
Eclipse (see http://www.eclipse.org/proposals/adt/) Hibachi Project Lead
- NIST Static Analysis Workshop, Paul Black
Thursday, November 8, 12:30-5:30pm; Friday, November 9, 8:30am-12:30pm
Funded by the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) started a long-term, ambitious project to identify, enhance and develop software assurance tools. The Software Assurance Metrics And Tool Evaluation (SAMATE) project is leading in (A) developing tests for software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods. See our web site at http://samate.nist.gov/index.php/SASII
Issue To Be Addressed
Source code security analyzers to find weaknesses and potential problems are quite capable and developing quickly. Yet developers, auditors, and examiners could use far more. The problem is to clearly define the biggest obstacles to these urgently needed capabilities and try to identify feasible approaches to overcoming them, either engineering ("solved" problems) or research.
To that end, we pose a number of questions:
- How can embedded or non-standard systems be analyzed? For instance, SCADA systems, which run our power, water, communication, and other critical national infrastructure.
- Binaries are not handled, yet are important for 3rd party validation, COTS, legacy systems, contract work, and getting by without a trusted compiler.
- Obfuscation - who will win? Malware writers use obfuscation to disguise their programs and hide their exploits and behavior. Good guys need powerful analysis to crack the malware quickly. Good guys also use obfuscation to protect intellectual property and, in military applications, to hinder enemies from figuring out weapon systems (remember the Death Star?). They *don't* want the bad guys to be able to crack their techniques. So will the obfuscators or the analysts win? Why?
- What formal pattern language could we use to describe vulnerabilities? Most static analyzers have some means for the user to specify what code to search for. Unfortunately every analyzer has different means. Significant resources are going into writing a public library of security weaknesses (see cwe.mitre.org). Formally describing a pattern is very tedious. It would be nice if different tools and processes could share patterns. The community should discuss what form of language or specification makes the most sense.
- Higher level function extraction: Static analyzers are OK at looking for specific patterns, but in some cases we want an analyzer to summarize the behavior in higher level abstractions, like sorting or encoding a message. What can be done? Where is it most beneficial? What are the approaches?
- "You'll Never Walk Alone" (strains of Rodgers and Hammerstein): Static analyzers do a LOT of work to produce their result, for instance, data and control flow graphs. Yet the work is generally not available to other tools or even to the same tool on subsequent runs. Can we define useful information (and representations) to share with other tools to build assurance cases? Could we speed up or improve analysis with certificates or hints from early stages? Could we hook the output to the input and get useful incremental analysis? Are concepts like proof-carrying code helpful?
This workshop follows an August 2005 workshop to define the state of the art in software security tools (http://samate.nist.gov/softSecToolsSOA) and a November 2005 workshop on software security assurance tools, techniques, and metrics (http://samate.nist.gov/index.php/SSATTM).
Format
The two-day workshop will have a combination format. The first day is paper presentations and a panel session followed by guided discussion. The second day has some additional paper presentations, another panel, and two sessions of guided discussion.
Audience
The target is a mix of academics, developers, and government and industrial users of SA tools with an expected attendance of 50 to 75.
Criteria for Participant Selection
All papers submitted by the deadline will be made anonymous (identifying cover sheets detached) and read and scored by at least two reviewers. The program committee will use the reviewers' recommendations to select papers. Authors of selected papers are one pool of participants.
Another pool of participants is selected by submitting a position statement. Organizers are looking for experienced developers and researchers, and users of static analysis.
Extended Workshop Publicity Strategy
Email announcement and call for papers to
- Usenet news groups
- SAMATE email group (about 200 in industry, academia, and government)
- NIST Technicalendar (readership about 3,000)
Announce at HCSS Coordinating Group
http://www.nitrd.gov/subcommittee/hcss.html
Additional workshops or Birds-of-a-Feather (BoF) sessions are welcome. Workshops have a focused objective and result in a report to be published in Ada Letters. BoFs are informal discussion groups. If you would like to propose a Workshop or BoF, please contact the Workshops Chair, Bill Thomas, BThomas at MITRE.Org