I-Corps: OSSPolice

I军团：OSS警察

• 批准号: 1851927
• 负责人: Umakishore Ramachandran
• 金额: $ 5万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-11-01 至 2020-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1851927&HistoricalAwards=false
• 关键词: Corps; OSSPolice

This technology will help mobile app developers do their due diligence and easily scan their apps for any legal and security issues, thereby not only protecting their brand, but also ensuring the security and privacy of end users. The technology also preserves the open-source software ecosystem, by enabling mobile app developers to proactively scan their app and identifying any inadvertent open-source license violations. Based on the reported results, app developers can either comply with the licensing terms of the software being used or switch over to a more permissive Open-Source Software (OSS).App stores are quickly getting crowded, with currently over 6 million apps. Therefore, app developers often rely on Open-Source Software (OSS) to reduce the development cost and quickly bring their apps to market. Unfortunately, careless use of OSS can introduce severe legal and security risks. If ignored, such risks can not only jeopardize the security and privacy of end users, but also cause high financial losses to businesses owning such apps and damage their brand. However, tracking all OSS components, their versions, and inter-dependencies can be tedious and error-prone, particularly if the OSS is imported with little to no knowledge of its provenance. This problem is exacerbated by the esoteric licensing terms of these OSS, as developers may lack awareness about the legal ramifications of their use. The PI's research team has built a fully-automated software system that analyzes mobile app binaries to detect usage of all Open-Source Software (OSS) components being used, and report associated security and legal risks.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

这项技术将帮助移动的应用程序开发人员进行尽职调查，轻松扫描其应用程序中的任何法律的和安全问题，从而不仅保护其品牌，还确保最终用户的安全和隐私。该技术还保护了开源软件生态系统，使移动的应用程序开发人员能够主动扫描他们的应用程序，并识别任何无意中违反开源许可证的行为。根据报告的结果，应用程序开发人员可以遵守正在使用的软件的许可条款，或者切换到更宽松的开源软件（OSS）。应用程序商店正在迅速变得拥挤，目前有超过600万个应用程序。因此，应用程序开发人员通常依赖开源软件（OSS）来降低开发成本并快速将其应用程序推向市场。不幸的是，不小心使用OSS会带来严重的法律的和安全风险。如果被忽视，这些风险不仅会危及最终用户的安全和隐私，还会给拥有这些应用程序的企业造成巨大的经济损失，并损害他们的品牌。然而，跟踪所有OSS组件、它们的版本和相互依赖性可能是繁琐且容易出错的，特别是如果OSS是在几乎不知道其出处的情况下导入的。由于这些开放源码软件的许可证条款晦涩难懂，开发人员可能缺乏对其使用的法律的后果的认识，这一问题更加严重。PI的研究团队建立了一个全自动的软件系统，分析移动的应用程序二进制文件，以检测正在使用的所有开源软件（OSS）组件的使用情况，并报告相关的安全和法律的风险。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。