SaTC: TTP: Medium: Securing Python's Software Supply Chain

SaTC：TTP：中：保护 Python 的软件供应链

• 批准号: 2054692
• 负责人: Justin Cappos
• 金额: $ 80万
• 依托单位: New York University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-01 至 2024-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2054692&HistoricalAwards=false
• 关键词: SaTC; TTP; Medium; Securing; Python

Creating and distributing software written in Python, in a secure manner, is surprisingly difficult. And as many recent incidents demonstrate, the security of this software chain is dramatically vulnerable. Right now, in nearly all Python packaging and distribution tools, there are no mechanisms in place for someone who downloads software to understand whether a malicious party has not inserted or removed code, or if the code was even written by the right developers! This work will for the first time capture metadata about the steps of the Python software supply chain systematically. This project will carry information between the steps of the chain in a way that an external party can verify author signing and repository signing of packages. This project will also be breaking ground for researchers and developers who want to improve how other interpreted languages handle managing dependencies. The project's impacts are particularly strong in academia, science, and industry, where Python is the most widely used programming language; millions of users will be more protected against a variety of attacks.This project transitions two security mechanisms -- backtracking dependency resolution and The Update Framework (TUF) -- into practical use in the core Python infrastructure. Backtracking dependency resolution ensures that users get understandable package dependency installation, even in the face of attacks or missing metadata. TUF ensures that even a compromise of the major package infrastructure will have severely limited impact on clients. Together, the resolver and TUF work will ensure that important research transitions into substantial security improvements for all Python software, and will positively impact millions of developers and many more users.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

以安全的方式创建和分发用Python编写的软件是非常困难的。正如最近的许多事件所表明的那样，这个软件链的安全性非常脆弱。现在，几乎所有的Python打包和分发工具都没有机制让下载软件的人了解恶意方是否插入或删除了代码，或者代码是否由正确的开发人员编写！这项工作将首次系统地捕获有关Python软件供应链步骤的元数据。该项目将在链的步骤之间传递信息，外部方可以验证软件包的作者签名和存储库签名。 这个项目也将为那些希望改进其他解释语言处理管理依赖关系的研究人员和开发人员开辟道路。该项目的影响在学术界、科学界和工业界尤其强烈，Python是最广泛使用的编程语言;数百万用户将得到更好的保护，免受各种攻击。该项目将两种安全机制--回溯依赖解析和更新框架（TUF）--在核心Python基础设施中投入实际使用。回溯依赖项解析确保用户获得可理解的包依赖项安装，即使面对攻击或缺少元数据。TUF确保即使主要包基础设施的妥协也会对客户产生非常有限的影响。解析器和TUF的工作将共同确保重要的研究转化为所有Python软件的实质性安全改进，并将对数百万开发人员和更多用户产生积极影响。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响评审标准进行评估，被认为值得支持。