
NSF Org: CNS Division Of Computer and Network Systems
Recipient:
Initial Amendment Date: March 17, 2021
Latest Amendment Date: May 21, 2021
Award Number: 2054692
Award Instrument: Standard Grant
Program Manager: Daniel F. Massey, dmassey@nsf.gov, (703)292-5147, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: July 1, 2021
End Date: June 30, 2024 (Estimated)
Total Intended Award Amount: $800,000.00
Total Awarded Amount to Date: $800,000.00
Funds Obligated to Date:
History of Investigator:
Recipient Sponsored Research Office: 70 WASHINGTON SQ S NEW YORK NY US 10012-1019 (212)998-2121
Sponsor Congressional District:
Primary Place of Performance: 70 Washington Square S New York NY US 10012-1019
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source:
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Creating and distributing software written in Python in a secure manner is surprisingly difficult, and as many recent incidents demonstrate, this software supply chain is dramatically vulnerable. Right now, nearly all Python packaging and distribution tools offer no mechanism for someone who downloads software to determine whether a malicious party has inserted or removed code, or whether the code was even written by the right developers. This work will, for the first time, systematically capture metadata about the steps of the Python software supply chain. The project will carry information between the steps of the chain in a way that lets an external party verify both author signing and repository signing of packages. It will also break ground for researchers and developers who want to improve how other interpreted languages manage dependencies. The project's impacts are particularly strong in academia, science, and industry, where Python is the most widely used programming language; millions of users will be better protected against a variety of attacks.
This project transitions two security mechanisms -- backtracking dependency resolution and The Update Framework (TUF) -- into practical use in the core Python infrastructure. Backtracking dependency resolution ensures that users get understandable package dependency installation, even in the face of attacks or missing metadata. TUF ensures that even a compromise of the major package infrastructure will have severely limited impact on clients. Together, the resolver and TUF work will ensure that important research transitions into substantial security improvements for all Python software, and will positively impact millions of developers and many more users.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
This project improved the state of security for Python, one of the most widely used programming languages. Our efforts make certain types of attack on the Python community much harder to launch. We helped to reduce the likelihood of certain attacks related to dependency confusion. As a result, this addresses many attacks which involve causing users to install an incorrect or incompatible piece of software. As a result, developers are more likely to create correct, stable software.
Furthermore, we also helped not only the Python community, but several other large communities (such as Ruby and GitHub) add support for a system called TUF (The Update Framework) which makes a hack of them less harmful to users. TUF is already used on millions of devices to protect them from software repository hacks. The deployment in these ecosystems can potentially reduce the harm to millions of devices in the case of an incident.
All of the work here has been done in an open manner, with participants from other companies and organizations freely contributing. This means that many efforts had impacts and effects well beyond our core team. Our work is hosted under open source organizations and has a majority of leadership from outside our core team. We are confident these communities will continue to thrive and improve software security after the end of this award period.
Last Modified: 07/25/2024
Modified by: Justin Cappos