Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain

协作提案：SaTC：前沿：实现安全可信的软件供应链

• 批准号: 2206865
• 负责人: Adam Aviv
• 金额: $ 93.93万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2027-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2206865&HistoricalAwards=false
• 关键词: Collaborative; Proposal; SaTC; Frontiers; Enabling

The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers find and exploit accidentally-injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain -- the open source software and its build and deployment pipelines. This Frontiers project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort designed to aid the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders. The project’s novelties include the contributions to a diverse workforce that is trained in secure software supply chain methods through research and outreach initiatives, including summer research experiences for undergraduates (REU), summer camps, and the development of course modules for undergraduates, graduate students, and practitioners. The project’s broader significance and importance are the ways in which S3C2 will facilitate rapid innovation with increased confidence in software supply chain security. S3C2 focuses on interconnected research thrusts for two supply chain attack vectors: (1) upstream dependencies and (2) the build process in the context of a continuous integration/continuous deployment (CI/CD) pipeline. Thrust One focuses on developing tools and techniques to aid practitioners with the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying exploitability of vulnerabilities and changes to attack surfaces and isolates risky code as a stop-gap before patching is possible. Thrust Two focuses on developing tools and techniques to aid practitioners with the risk of build processes. It enables strong guarantees for build integrity through analysis of CI/CD configuration and techniques that help developers achieve reproducible builds.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代世界几乎依靠每个人类努力中的软件，典型的软件产品包括80％的开源组件。攻击者发现并探索意外注入的安全漏洞，并越来越多地积极地植入漏洞或恶意代码直接进入软件供应链中 - 开源软件及其构建和部署管道。该边界项目建立了安全的软件供应链中心（S3C2），这是一种大规模的多机构努力，旨在通过开发科学原理，协同工具，指标和模型来帮助软件行业对软件供应链进行对软件供应链的信任，而在软件供应链利益相关者之间人类行为行为的背景下。该项目的新颖性包括对潜水员劳动力的贡献，该公司通过研究和外展计划接受了安全软件供应链方法的培训，包括本科生的夏季研究经验（REU），夏令营，以及针对本科生，研究生和实践者的课程模块的发展。该项目的更大意义和重要性是S3C2在对软件供应链安全性的信心中促进快速创新的方式。 S3C2专注于两个供应链攻击向量的互连研究推力：（1）上游依赖性和（2）在连续集成/连续部署（CI/CD）管道的背景下构建过程。推力专注于开发工具和技术，以帮助从业者有上游依赖性的风险。它通过识别漏洞的可利用性和攻击表面的变化并将风险的代码隔离为定格间隙，从而增强了软件材料清单（SBOM）的实用性。推力两个重点是开发工具和技术，以帮助从业人员有建造过程的风险。它通过分析CI/CD配置和技术来帮助开发人员实现可重复性的构建。该奖项反映了NSF的法定任务，并被认为是通过基金会的智力优点和更广泛的影响审查标准，可以根据评估NSF的法定任务来实现强大的保证来建立完整性。

项目成果

"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain

• DOI: 10.1109/sp46215.2023.10179378
• 发表时间: 2023-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP)
• 作者: Dominik Wermke;J. Klemmer;Noah Wöhler;Juliane Schmüser;Harshini Sri Ramulu;Y. Acar;S. Fahl

Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secrets in Source Code Repositories

意外推动：源代码存储库中秘密处理策略的混合方法研究

• 发表时间: 2023
• 期刊: 2023 USENIX Security Symposium
• 作者: Krause, A.;Klemmer, J. H.;Huaman, N;Wermke, D.;Acar, Y.;Fahl, S.
• 通讯作者: Fahl, S.