Securely Taking On New Executable Software of Uncertain Provenance


STONESOUP develops and demonstrates comprehensive, automated techniques that allow end users to securely execute software without basing risk mitigations on characteristics of provenance that have a dubious relationship to security. Existing techniques to find and remove software vulnerabilities are costly, labor-intensive, and time-consuming. Many risk management decisions are therefore based on qualitative and subjective assessments of the software suppliers' trustworthiness. STONESOUP develops software analysis, confinement, and diversification techniques so that non-experts can transform questionable software into more secure versions without changing the behavior of the programs.

Related Publications

Columbia University MINESTRONE

Kestrel Institute VIBRANCE

Test and evaluation data and reports are available at the NIST SAMATE website.

To access additional STONESOUP program-related publications, please visit Google Scholar.



Broad Agency Announcement (BAA)



BAA Release Date

September 16, 2009

BAA Question Period

September 16, 2009 — October 19, 2009

Proposal Due Date

November 2, 2009

Prime Performers

  • Columbia University
  • GrammaTech, Inc.
  • Kestrel Institute
  • Leidos, Inc.
  • University of Illinois, Urbana-Champaign
