Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain

协作提案：SaTC：前沿：实现安全可信的软件供应链

• 批准号: 2206859
• 负责人: Christian Kastner
• 金额: $ 86.48万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2027-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2206859&HistoricalAwards=false
• 关键词: Collaborative; Proposal; SaTC; Frontiers; Enabling

The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers find and exploit accidentally-injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain -- the open source software and its build and deployment pipelines. This Frontiers project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort designed to aid the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders. The project’s novelties include the contributions to a diverse workforce that is trained in secure software supply chain methods through research and outreach initiatives, including summer research experiences for undergraduates (REU), summer camps, and the development of course modules for undergraduates, graduate students, and practitioners. The project’s broader significance and importance are the ways in which S3C2 will facilitate rapid innovation with increased confidence in software supply chain security. S3C2 focuses on interconnected research thrusts for two supply chain attack vectors: (1) upstream dependencies and (2) the build process in the context of a continuous integration/continuous deployment (CI/CD) pipeline. Thrust One focuses on developing tools and techniques to aid practitioners with the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying exploitability of vulnerabilities and changes to attack surfaces and isolates risky code as a stop-gap before patching is possible. Thrust Two focuses on developing tools and techniques to aid practitioners with the risk of build processes. It enables strong guarantees for build integrity through analysis of CI/CD configuration and techniques that help developers achieve reproducible builds.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代世界几乎每项人类活动都依赖于软件，典型的软件产品包含 80% 的开源组件，攻击者会发现并利用意外注入的安全漏洞，并越来越多地直接将漏洞或恶意代码直接植入软件供应链中。 - 开源软件及其构建和部署管道，该 Frontiers 项目建立了安全软件供应链中心 (S3C2)，这是一项大规模、多机构的工作，旨在帮助软件行业重新建立对软件的信任。该项目的新颖之处在于，通过在软件供应链利益相关者之间的人类行为背景下开发科学原理、协同工具、指标和模型，为供应链提供支持，并通过研究和培训，为多元化的劳动力提供安全软件供应链方法的培训。外展活动，包括本科生暑期研究体验 (REU)、夏令营以及为本科生、研究生和从业人员开发课程模块。该项目具有更广泛的意义和重要性，是 S3C2 增强信心地促进快速创新的方式。在软件供应链中S3C2 专注于两个供应链攻击向量的相互关联的研究重点：(1) 上游依赖关系和 (2) 持续集成/持续部署 (CI/CD) 管道背景下的构建过程。它通过识别漏洞的可利用性和攻击面的变化来帮助从业者应对上游依赖项的风险，并隔离有风险的代码，从而增强了软件物料清单 (SBoM) 的实用性。 Thrust Two 专注于开发工具和技术来帮助从业者应对构建过程的风险，它通过分析 CI/CD 配置和技术来帮助开发人员实现可重复的构建，从而为构建完整性提供强有力的保证。授予 NSF 的法定使命，并通过评估反映使用基金会的智力优点和更广泛的影响审查标准，被认为值得支持。