A-CERT (Advancing Certification Evidence, Rigor, and Traceability)
A-CERT is a toolchain for automatic collection of evidence to support automated construction of assurance arguments for high-confidence software. A-CERT enables assurance of legacy systems as well as systems that make use of legacy and COTS components.

A-CERT analyzes system implementation and documentation to infer the actual system architecture and maps it against the intended system design, available as, e.g., a SysML model. This mapping exposes potential discrepancies between the implementation and the design, e.g., missing functionality (such as unmet requirements and missing security controls) or extra functionality (such as backdoors intentionally introduced by attackers, or benign but unneeded features that extend the attack surface). It also enables a better assessment of implementation quality: low-level implementation weaknesses and structural code coverage are traced to the high-level system modules they affect, allowing analysts to better assess their safety and security implications.

The A-CERT toolchain comprises several tools to analyze, process, and collect different types of certification evidence. Collectively, these tools aim to generate high-quality assurance evidence for legacy and COTS systems (we assume the absence of source code or, at least, of buildable source code). The tools can also be used individually to automate traditionally labor-intensive tasks in preparing the various artifacts needed for reasoning about and understanding the target software.
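As an added illustration (not A-CERT's own code and not part of the original page), the following Python sketch shows the design-versus-implementation mapping described above on constructed data: an intended design of the kind a SysML model would supply, a recovered implementation architecture, and a reconciliation that reports missing, extra and misplaced functionality and rolls low-level weaknesses and coverage up to the design components they affect. All component names, function names, coverage figures and CWE tags in the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed intended design (what a SysML model would supply): component -> required functions.
INTENDED_DESIGN = {
    "SensorInput": {"read_sensor", "validate_range"},
    "Controller": {"compute_setpoint"},
    "Actuator": {"drive_motor"},
    "Logging": {"write_audit_log"},
}

@dataclass
class RecoveredFunction:
    name: str
    module: str                 # implementation module the analysis grouped it into
    coverage: float             # structural coverage observed under test, 0..1
    weaknesses: list = field(default_factory=list)  # CWE ids reported by a scan

# Constructed inferred architecture (what analysis of the binary and its docs recovered):
# validate_range is absent, debug_shell is not in the design, write_audit_log sits in Controller.
INFERRED = [
    RecoveredFunction("read_sensor", "SensorInput", 0.9),
    RecoveredFunction("compute_setpoint", "Controller", 0.7, ["CWE-190"]),
    RecoveredFunction("drive_motor", "Actuator", 0.4, ["CWE-121"]),
    RecoveredFunction("write_audit_log", "Controller", 1.0),
    RecoveredFunction("debug_shell", "Controller", 0.0),
]

def reconcile(design, inferred):
    """Map the recovered implementation onto the intended design and report discrepancies."""
    owner = {fn: comp for comp, fns in design.items() for fn in fns}
    implemented = {f.name for f in inferred}
    # Missing functionality: required functions with no implementation found.
    missing = {c: sorted(fns - implemented) for c, fns in design.items() if fns - implemented}
    # Extra functionality: implemented functions the design never asked for.
    extra = sorted((f.name, f.module) for f in inferred if f.name not in owner)
    # Misplaced: implemented, but grouped under a different module than the design assigns.
    misplaced = sorted((f.name, f.module, owner[f.name]) for f in inferred
                       if f.name in owner and f.module != owner[f.name])
    # Roll low-level findings up to the design component they affect;
    # a missing function contributes zero coverage to its component.
    components = {}
    for comp, fns in design.items():
        funcs = [f for f in inferred if f.name in fns]
        components[comp] = {
            "coverage": round(sum(f.coverage for f in funcs) / len(fns), 2),
            "weaknesses": sorted(w for f in funcs for w in f.weaknesses),
        }
    return {"missing": missing, "extra": extra, "misplaced": misplaced, "components": components}
```

Each entry in `extra` is a candidate for the "unneeded feature or backdoor" review the text mentions, while the per-component weakness lists give the analyst the module-level view of low-level findings.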
Denis Gopan