Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain

协作提案：SaTC：前沿：实现安全可信的软件供应链

• 批准号: 2206859
• 负责人: Christian Kastner
• 金额: $ 86.48万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2027-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2206859&HistoricalAwards=false
• 关键词: Collaborative; Proposal; SaTC; Frontiers; Enabling

The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers find and exploit accidentally-injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain -- the open source software and its build and deployment pipelines. This Frontiers project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort designed to aid the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders. The project’s novelties include the contributions to a diverse workforce that is trained in secure software supply chain methods through research and outreach initiatives, including summer research experiences for undergraduates (REU), summer camps, and the development of course modules for undergraduates, graduate students, and practitioners. The project’s broader significance and importance are the ways in which S3C2 will facilitate rapid innovation with increased confidence in software supply chain security. S3C2 focuses on interconnected research thrusts for two supply chain attack vectors: (1) upstream dependencies and (2) the build process in the context of a continuous integration/continuous deployment (CI/CD) pipeline. Thrust One focuses on developing tools and techniques to aid practitioners with the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying exploitability of vulnerabilities and changes to attack surfaces and isolates risky code as a stop-gap before patching is possible. Thrust Two focuses on developing tools and techniques to aid practitioners with the risk of build processes. It enables strong guarantees for build integrity through analysis of CI/CD configuration and techniques that help developers achieve reproducible builds.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代世界几乎每一项人类工作都依赖于软件，一个典型的软件产品包括80%的开源组件。攻击者发现并利用意外注入的安全漏洞，并日益咄咄逼人地将漏洞或恶意代码直接植入软件供应链--开源软件及其构建和部署管道。这个Frontiers项目建立了安全软件供应链中心(S3C2)，这是一个大规模的、多机构的努力，旨在通过在软件供应链利益相关者之间的人类行为背景下开发科学原则、协同工具、指标和模型来帮助软件行业重新建立对软件供应链的信任。该项目的新颖性包括通过研究和推广计划，包括本科生暑期研究体验(REU)、夏令营和为本科生、研究生和实践者开发课程模块，为接受安全软件供应链方法培训的多样化劳动力做出贡献。该项目更广泛的意义和重要性在于，S3C2将促进快速创新，增强对软件供应链安全的信心。S3C2专注于两个供应链攻击矢量的相互关联的研究推力：(1)上游依赖关系和(2)持续集成/持续部署(CI/CD)管道中的构建过程。第一推力专注于开发工具和技术，以帮助实践者应对上游依赖的风险。它通过识别漏洞的可利用性和对攻击面的更改来增强软件材料清单(SBoM)的效用，并在可能打补丁之前隔离风险代码作为权宜之计。第二个重点是开发工具和技术来帮助实践者应对构建过程的风险。它通过分析CI/CD配置和帮助开发商实现可复制建筑的技术，为建筑完整性提供强有力的保证。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。