Enabling a Secure and Trustworthy Software Supply Chain

The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers find and exploit accidentally-injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain -- the open source software and its build and deployment pipelines. This Frontiers project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort designed to aid the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders. The project's novelties include the contributions to a diverse workforce that is trained in secure software supply chain methods through research and outreach initiatives, including summer research experiences for undergraduates (REU), summer camps, and the development of course modules for undergraduates, graduate students, and practitioners. The project's broader significance and importance are the ways in which S3C2 will facilitate rapid innovation with increased confidence in software supply chain security.

S3C2 focuses on interconnected research thrusts for two supply chain attack vectors: (1) upstream dependencies and (2) the build process in the context of a continuous integration/continuous deployment (CI/CD) pipeline. Thrust One focuses on developing tools and techniques to aid practitioners with the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying exploitability of vulnerabilities and changes to attack surfaces and isolates risky code as a stop-gap before patching is possible. Thrust Two focuses on developing tools and techniques to aid practitioners with the risk of build processes. It enables strong guarantees for build integrity through analysis of CI/CD configuration and techniques that help developers achieve reproducible builds.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

The lead institution is North Carolina State University with PIs Prof. Laurie Williams, PhD, Prof. William Enck, PhD, and Prof. Dr. Dominik Wermke,

PIs are at Carniege Mellon University, Prof. Dr. Christian Kästner, at University of Maryland, Prof. Dr. Michel Cukier, and at Paderborn University, Prof. Dr. Yasemin Acar.