Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain


Basic information

  • Award number:
    2207008
  • Principal investigator:
    Laurie Williams
  • Amount:
    $6,344,500
  • Institution country:
    United States
  • Award type:
    Continuing Grant
  • Fiscal year:
    2022
  • Funding country:
    United States
  • Period:
    2022-10-01 to 2027-09-30
  • Status:
    Active (not yet closed)

Project summary

The modern world relies on software in almost every human endeavor, and a typical software product is made up of roughly 80% open source components. Attackers find and exploit accidentally introduced security vulnerabilities and, increasingly, implant vulnerabilities or malicious code directly into the software supply chain: the open source software and its build and deployment pipelines. This Frontiers project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort designed to help the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models, studied in the context of how software supply chain stakeholders actually behave. The project also trains a diverse workforce in secure software supply chain methods through research and outreach, including summer research experiences for undergraduates (REU), summer camps, and course modules for undergraduates, graduate students, and practitioners. Its broader significance lies in how S3C2 will facilitate rapid innovation with increased confidence in software supply chain security.

S3C2 focuses on interconnected research thrusts for two supply chain attack vectors: (1) upstream dependencies and (2) the build process in the context of a continuous integration/continuous deployment (CI/CD) pipeline. Thrust One develops tools and techniques that help practitioners manage the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying whether known vulnerabilities in listed components are actually exploitable and how dependency changes alter the attack surface, and it isolates risky code as a stop-gap until a patch is available. Thrust Two develops tools and techniques that help practitioners manage the risk of the build process. It enables strong guarantees of build integrity through analysis of CI/CD configuration and through techniques that help developers achieve reproducible builds.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
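Thrust One's idea of making an SBoM more useful by asking whether a listed vulnerability is actually exploitable can be illustrated with a small reachability analysis. The following Python script is an added example, not S3C2 code: it joins a constructed CycloneDX-style SBOM to a constructed advisory feed, walks a constructed static call graph from the application's entry point, and labels each finding VEX-style as `affected` or `not_affected` (with the OpenVEX justification `vulnerable_code_not_in_execute_path`). The package names, purls, advisory IDs (`ADV-000x`) and function names are all made up for the demo and are not real components or CVEs.

```python
"""SBOM vulnerability triage by call-graph reachability.

Added example, not S3C2 code. The SBOM, advisories and call graph below are
constructed for the demo; the advisory IDs are hypothetical, not real CVEs.
"""
import json
from collections import deque

# Constructed CycloneDX-style SBOM fragment for a hypothetical service.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "imgproc", "version": "4.0.1",
     "purl": "pkg:pypi/imgproc@4.0.1"},
    {"type": "library", "name": "logfmt", "version": "0.9.0",
     "purl": "pkg:pypi/logfmt@0.9.0"},
    {"type": "library", "name": "fastjson-ish", "version": "1.2.3",
     "purl": "pkg:maven/example/fastjson-ish@1.2.3"}
  ]
}"""

# Constructed advisory feed: purl -> advisories naming the vulnerable symbol.
ADVISORIES = {
    "pkg:pypi/imgproc@4.0.1": [{"id": "ADV-0001", "symbol": "imgproc.decode_tiff"}],
    "pkg:pypi/logfmt@0.9.0": [{"id": "ADV-0002", "symbol": "logfmt.parse_legacy"}],
    "pkg:maven/example/fastjson-ish@1.2.3": [{"id": "ADV-0003", "symbol": "fastjson.parseObject"}],
}

# Constructed static call graph of the application: caller -> callees.
# A dependency appears in the SBOM whether or not the app ever calls into it.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.log_request"],
    "app.handle_upload": ["imgproc.decode_png", "imgproc.decode_tiff"],
    "app.log_request": ["logfmt.format"],
    "imgproc.decode_tiff": ["imgproc.read_ifd"],
    "logfmt.parse_legacy": ["logfmt.format"],   # shipped in the package, never reached
}


def reachable(graph, entry):
    """Symbols transitively reachable from `entry` (BFS over the call graph)."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(sbom_json, advisories, graph, entry="app.main"):
    """Join the SBOM to advisories, then label each finding VEX-style:
    'affected' if the vulnerable symbol is reachable from the entry point,
    otherwise 'not_affected' with the OpenVEX justification
    'vulnerable_code_not_in_execute_path'. Purls with no advisory yield nothing."""
    sbom = json.loads(sbom_json)
    reach = reachable(graph, entry)
    findings = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        for adv in advisories.get(purl, []):
            hit = adv["symbol"] in reach
            findings.append({
                "purl": purl,
                "id": adv["id"],
                "status": "affected" if hit else "not_affected",
                "justification": None if hit else "vulnerable_code_not_in_execute_path",
            })
    # Reachable findings first, so the patch queue is ordered by exploitability.
    findings.sort(key=lambda f: f["status"] != "affected")
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, CALL_GRAPH):
        print(f"{f['id']:9} {f['status']:13} {f['purl']}  {f['justification'] or ''}")
```

Run it and the one finding whose vulnerable function is reached from `app.main` sorts to the top of the patch queue. Treat the `not_affected` label as a deprioritization, not a dismissal: static call graphs miss reflection, dynamic dispatch and framework-driven entry points (a deserialization gadget that is never called directly can still be triggered through a framework), which is why the summary pairs this analysis with isolating risky code as a stop-gap until the patch lands.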
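Thrust Two's reproducible-builds goal is easiest to see by building the same tree twice. The following Python script is an added example, not S3C2 code: `build_naive` packages a constructed source tree the way an ad hoc release script would, and `build_reproducible` pins every field the naive build leaves to chance (entry order, mtimes via the SOURCE_DATE_EPOCH convention, ownership, mode, and the gzip header timestamp). `explain_difference` then reports which tar header fields differ between two archives, the kind of diagnosis that diffoscope automates for real builds. The file tree, contents and timestamps are constructed for the demo.

```python
"""Reproducible packaging: naive vs. normalized build of the same tree.

Added example, not S3C2 code. The tree, file contents and timestamps are
constructed for the demo.
"""
import gzip
import hashlib
import io
import tarfile
import time

# Constructed source tree: archive path -> file contents.
SAMPLE_TREE = {
    "pkg/main.py": b"from pkg.util import f\nprint(f())\n",
    "pkg/util.py": b"def f():\n    return 1\n",
    "README": b"demo package\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_naive(tree: dict, now=None) -> bytes:
    """Typical 'just tar it up' build. Leaks three sources of nondeterminism:
    the entry mtime and the gzip header mtime (both wall clock), and the order
    in which the caller happened to list the files."""
    now = time.time() if now is None else now
    buf = io.BytesIO()
    # mode="w:gz" lets tarfile create the GzipFile, whose header mtime is
    # time.time() at write time.
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in tree.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = int(now)
            info.uid, info.gid = 1000, 1000            # stand-in for os.getuid()/getgid()
            info.uname, info.gname = "builder", "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_reproducible(tree: dict, source_date_epoch: int = 0) -> bytes:
    """Same payload, every nondeterministic field pinned: sorted entry order,
    mtime taken from SOURCE_DATE_EPOCH (the reproducible-builds.org convention),
    fixed uid/gid/uname/gname/mode, and a gzip header with a fixed mtime."""
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch)
    with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):
            data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    gz.close()  # flushes the gzip trailer into buf; buf stays open
    return buf.getvalue()


def explain_difference(a: bytes, b: bytes) -> list:
    """List (member, field, value_a, value_b) for tar header fields that differ
    between two archives. An empty list with a remaining byte difference points
    at the compression layer (e.g. the gzip header mtime) rather than the tar."""
    fields = ("name", "size", "mtime", "mode", "uid", "gid", "uname", "gname")

    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return [tuple(getattr(m, f) for f in fields) for m in tar.getmembers()]

    diffs = []
    for ma, mb in zip(members(a), members(b)):
        for f, va, vb in zip(fields, ma, mb):
            if va != vb:
                diffs.append((ma[0], f, va, vb))
    return diffs


if __name__ == "__main__":
    reordered = dict(reversed(list(SAMPLE_TREE.items())))
    n1, n2 = build_naive(SAMPLE_TREE, 1_700_000_000), build_naive(reordered, 1_700_000_060)
    r1, r2 = build_reproducible(SAMPLE_TREE), build_reproducible(reordered)
    print("naive        :", sha256_hex(n1), sha256_hex(n2))
    print("naive diffs  :", explain_difference(n1, n2))
    print("reproducible :", sha256_hex(r1), sha256_hex(r2), "identical" if r1 == r2 else "DIFFER")
```

Two independent rebuilds of the normalized archive yield byte-identical output, so a second party can verify a published digest by rebuilding rather than by trusting the publisher's CI. The same principle applies beyond tarballs: compilers, linkers and packagers each have their own timestamp, path and ordering leaks, and a build must pin all of them before a hash comparison means anything.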

Project outcomes

Journal articles (2)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis
It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security
  • DOI:
    10.1109/sp46215.2023.10179320
  • Published:
    2023-05
  • Venue:
    IEEE Symposium on Security and Privacy (S&P) 2023
  • Authors:
    Marcel Fourné; Dominik Wermke; W. Enck; S. Fahl; Y. Acar
  • Corresponding authors:
    Marcel Fourné; Dominik Wermke; W. Enck; S. Fahl; Y. Acar

Other publications listed under Laurie Williams

Allergen Removal and Transfer with Wiping and Cleaning Methods Used in Retail and Food Service Establishments
  • DOI:
    10.4315/jfp-20-025
  • Published:
    2020-07-01
  • Authors:
    Binaifer Bedford; Girvin Liggans; Laurie Williams; Lauren Jackson
  • Corresponding author:
    Lauren Jackson
Regression Test Selection for Black-box Dynamic Link Library Components
Attackers reveal their arsenal: An investigation of adversarial techniques in CTI reports
  • DOI:
    10.48550/arxiv.2401.01865
  • Published:
    2024
  • Venue:
    arXiv preprint (arXiv:2401.01865)
  • Authors:
    Md. Rayhanur Rahman; S. Basak; Rezvan Mahdavi; Laurie Williams
  • Corresponding author:
    Laurie Williams
“I Am a Nice Person When I Do Yoga!!!”
  • Published:
    2014
  • Impact factor:
    2
  • Authors:
    A. Ross; M. Bevans; E. Friedmann; Laurie Williams; Sue A. Thomas
  • Corresponding author:
    Sue A. Thomas
Paving a Path for a Combined Family of Feature Toggle and Configuration Option Research


Other grants of Laurie Williams

SaTC: CORE: Small: Risk-based Secure Checked-in Credential Reduction for Software Development
  • Award number:
    2055554
  • Fiscal year:
    2021
  • Award type:
    Standard Grant
SHF: Small: Detecting the 1%: Growing the Science of Vulnerability Detection
  • Award number:
    1909516
  • Fiscal year:
    2019
  • Award type:
    Standard Grant
Collaborative Research: DarkSide-20k: A Global Program for the Direct Detection of Dark Matter Using Low-Radioactivity Argon
  • Award number:
    1812480
  • Fiscal year:
    2018
  • Award type:
    Continuing Grant
EAGER: Cognitive modeling of strategies for dealing with errors in mobile touch interfaces
  • Award number:
    1451172
  • Fiscal year:
    2014
  • Award type:
    Standard Grant
EDU: Motivating and Reaching University Students and Professionals with Software Security Education
  • Award number:
    1318428
  • Fiscal year:
    2013
  • Award type:
    Standard Grant
Differential Analysis on Changes in Medical Device Software
  • Award number:
    1160603
  • Fiscal year:
    2012
  • Award type:
    Standard Grant
CT-ER: On the Use of Security Metrics to Identify and Rank the Risk of Vulnerability- and Exploit-Prone Components
  • Award number:
    0716176
  • Fiscal year:
    2007
  • Award type:
    Standard Grant
Academy for Software Engineering Educators and Trainers
  • Award number:
    0542681
  • Fiscal year:
    2005
  • Award type:
    Standard Grant
CAREER: Test-Driven Development of Secure and Reliable Software Applications
  • Award number:
    0346903
  • Fiscal year:
    2004
  • Award type:
    Continuing Grant
ITWF: Collaboration through Agile Software Development Practices: A Means for Improvement in Quality and Retention of IT Workers
  • Award number:
    0305917
  • Fiscal year:
    2003
  • Award type:
    Continuing Grant

Similar grants

Collaborative Proposal: SaTC: Frontiers: Center for Distributed Confidential Computing (CDCC)
  • Award number:
    2401496
  • Fiscal year:
    2023
  • Award type:
    Continuing Grant
Collaborative Research: Conference: SaTC: CORE: 2.0 Vision Proposal
  • Award number:
    2316833
  • Fiscal year:
    2023
  • Award type:
    Standard Grant
Collaborative Research: Conference: SaTC: CORE: 2.0 Vision Proposal
  • Award number:
    2316832
  • Fiscal year:
    2023
  • Award type:
    Standard Grant
Collaborative Proposal: SaTC: Frontiers: Securing the Future of Computing for Marginalized and Vulnerable Populations
  • Award number:
    2207019
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant
Collaborative Proposal: SaTC: Frontiers: Center for Distributed Confidential Computing (CDCC)
  • Award number:
    2207216
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant
Collaborative Proposal: SaTC: Frontiers: Securing the Future of Computing for Marginalized and Vulnerable Populations
  • Award number:
    2205171
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant
Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain
  • Award number:
    2206921
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant
Collaborative Proposal: SaTC: Frontiers: Center for Distributed Confidential Computing (CDCC)
  • Award number:
    2207218
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant
Collaborative Proposal: SaTC: Frontiers: Center for Distributed Confidential Computing (CDCC)
  • Award number:
    2207214
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant
Collaborative Proposal: SaTC: Frontiers: Securing the Future of Computing for Marginalized and Vulnerable Populations
  • Award number:
    2206950
  • Fiscal year:
    2022
  • Award type:
    Continuing Grant