
NSF Org: TI Translational Impacts
Recipient:
Initial Amendment Date: September 8, 2022
Latest Amendment Date: September 8, 2022
Award Number: 2229703
Award Instrument: Standard Grant
Program Manager: Marlon Pierce, mpierce@nsf.gov, (703)292-7743, TI Translational Impacts, TIP Directorate for Technology, Innovation, and Partnerships
Start Date: September 15, 2022
End Date: August 31, 2024 (Estimated)
Total Intended Award Amount: $300,000.00
Total Awarded Amount to Date: $300,000.00
Funds Obligated to Date:
History of Investigator:
Recipient Sponsored Research Office: 2550 NORTHWESTERN AVE # 1100 WEST LAFAYETTE IN US 47906-1332 (765)494-1055
Sponsor Congressional District:
Primary Place of Performance: 2550 NORTHWESTERN AVE STE 1900 WEST LAFAYETTE IN US 47906-1332
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): POSE
Primary Program Source:
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.084
ABSTRACT
This project is funded by Pathways to Enable Open-Source Ecosystems (POSE), which seeks to harness the power of open-source development for the creation of new technology solutions to problems of national and societal importance. Industry, government, and academia rely on a supply chain of open-source software components. Recently, hackers have identified that, in order to hack their targets, they can "poison the water stream" to effectively affect all consumers of software at once. Problems with these sorts of attacks have caused site- and Internet-wide disruption at an estimated cost of billions of dollars. From major attacks like XcodeGhost to SolarWinds, software supply chain attacks have seen increasing trends in damage, sophistication, and frequency. Existing approaches to open-source development face challenges in achieving widespread adoption, mostly due to the complicated nature of securing the open-source supply chain: a highly interconnected network of actors with different socio-technical motivations. This project tackles the challenge of developing and sustaining a community to provide usable security. The project's novelties are in recognizing and building a broader solution that can secure not only cloud systems, but emerging applications such as Artificial Intelligence and the Internet of Things (IoT), as well as mission-critical applications such as the power grid. If successful, the project's impacts will protect millions of software users.
This project aims to develop an open-source ecosystem that sustainably grows to include further users and achieves meaningful protection against software supply chain attacks, protecting against as many vectors as possible. The project is divided into two tasks. First, it engages with stakeholders and end-users of emerging applications. Second, it builds a sustainability plan to attract and maintain new members in the community. This ecosystem has the potential to transform the robustness and security of software built in the United States and worldwide.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Software, like physical goods, must travel a complex network of operations to transform and distribute it. This network is called a software supply chain, and it is present in most if not all the software we use today. However, much like physical supply chains, software supply chains can be vulnerable to disruption and subversion by malicious actors. Cases such as the infamous SOLARBURST compromise have showcased how impactful these attacks are. A common way these actors target supply chains is by breaking into software distribution points and tampering with software before it is passed along.
A crucial line of defense against attacks in the software supply chain is the use of software signing, where an actor in the software supply chain signs a component or the complete final product to ensure there is no tampering. Like a tamper-proof seal on a bottle of medicine, a software signature allows consumers to ensure products are not tampered with in transit. This is particularly important for open source, where various actors can participate in these supply chains with a lower barrier for entry. As such, we must ensure everybody participating in the software supply chain is able to sign software.
The Sigstore project aims to provide this much-needed signing adoption by simplifying the signature generation, discovery and validation process. In a nutshell, Sigstore provides tools and infrastructure to allow engineers to sign software, and submit it to a publicly-accessible ledger so that consumers can verify it. Though the Sigstore project was a promising technology before this NSF award, fundamental research was missing to understand and direct the project towards a sustainable and critical part of the cybersecurity landscape.
As a consequence, this award focused on understanding the factors that will allow Sigstore to fulfill its mission of becoming a widespread software signing technology. To do so, we 1) explored the factors that allow Sigstore adoption to improve, and 2) identified ways in which users of Sigstore can monitor the signatures to identify supply chain attacks. In doing so, we were able to scope an open source ecosystem to include contributors from various application domains, open source communities, and industry. Today, the Sigstore project boasts more than a hundred-fifty million signatures from various types of open and closed source software.
Intellectual Merit: this work shed light on hitherto unknown factors that affect adoption for software signing. For example, though perhaps counter-intuitively, supply chain attacks on a platform do not cause sustainable adoption for signing in that platform. Similarly, requiring signing from actors to participate in the chain causes adoption in signing, but those signatures will contain a variety of errors that will affect their validation.
From these factors, we identified gaps in the Sigstore design. For example, the ability to privately sign software is a core requirement in certain ecosystems. As such, designs that allowed parties to privately sign software, while still providing adequate security guarantees, were developed.
Broader Impacts: this award allowed us to establish governance structures to direct Sigstore in becoming an Open Source Ecosystem (OSE). In addition, it allowed for participation in and development of synergistic activities (e.g., conferences, workshops) and engagements (e.g., discussion) to grow the adopter and contributor ecosystem. Lastly, it set the groundwork for standardization efforts, which will ensure the project's neutrality and interoperability.
Last Modified: 12/30/2024
Modified by: Santiago Torres-Arias