Award Abstract # 2229703
POSE: Phase I: Scoping An Open-Source Ecosystem Around Proactive Software Supply Chain Monitoring

NSF Org: TI
Translational Impacts
Recipient: PURDUE UNIVERSITY
Initial Amendment Date: September 8, 2022
Latest Amendment Date: September 8, 2022
Award Number: 2229703
Award Instrument: Standard Grant
Program Manager: Marlon Pierce
mpierce@nsf.gov
 (703)292-7743
TI
 Translational Impacts
TIP
 Directorate for Technology, Innovation, and Partnerships
Start Date: September 15, 2022
End Date: August 31, 2024 (Estimated)
Total Intended Award Amount: $300,000.00
Total Awarded Amount to Date: $300,000.00
Funds Obligated to Date: FY 2022 = $300,000.00
History of Investigator:
  • Santiago Torres-Arias (Principal Investigator)
  • James Davis (Co-Principal Investigator)
Recipient Sponsored Research Office: Purdue University
2550 NORTHWESTERN AVE # 1100
WEST LAFAYETTE
IN  US  47906-1332
(765)494-1055
Sponsor Congressional District: 04
Primary Place of Performance: Purdue University
2550 NORTHWESTERN AVE STE 1900
WEST LAFAYETTE
IN  US  47906-1332
Primary Place of Performance
Congressional District:
04
Unique Entity Identifier (UEI): YRXVL4JYCEF5
Parent UEI: YRXVL4JYCEF5
NSF Program(s): POSE
Primary Program Source: 01002223DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s):
Program Element Code(s): 211Y00
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.084

ABSTRACT

This project is funded by Pathways to Enable Open-Source Ecosystems (POSE) which seeks to harness the power of open-source development for the creation of new technology solutions to problems of national and societal importance. Industry, government, and academia rely on a supply chain of open-source software components. Recently, hackers have identified that, in order to hack their targets, they can "poison the water stream" to effectively affect all consumers of software at once. Problems with these sorts of attacks have caused site- and Internet-wide disruption at an estimated cost of billions of dollars. From major attacks like XCodeGhost to Solarwinds, software supply chain attacks have seen increasing trends in damage, sophistication, and frequency. Existing approaches to open-source development face challenges in achieving widespread adoption, mostly due to the complicated nature of securing the open source supply chain --- a highly interconnected network of actors with different socio-technical motivations. This project tackles the challenge of developing and sustaining a community to provide usable security. The project's novelties are in recognizing and building a broader solution that can secure not only cloud systems, but emerging applications such as as Artificial Intelligence and Internet of Things (IoT) as well as mission critical applications such as the powergrid. If successful, the project's impacts will protect millions of software users.

This project aims to develop an open source ecosystem that sustainably grows to include further users and achieves meaningful protection against software supply chain attacks, protecting against as many vectors as possible. This project is divided in two tasks. First, it engages with stakeholders and end-users of emerging applications. Second, it builds a sustainability plan to attract and maintain new members in the community. This ecosystem has the potential to transform the robustness and security of software built in the United States and worldwide.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Note:  When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

Davis, James C and Jajal, Purvish and Jiang, Wenxin and Schorlemmer, Taylor R and Synovic, Nicholas and Thiruvathukal, George K "Reusing Deep Learning Models: Challenges and Directions in Software Engineering" , 2023 https://doi.org/10.1109/JVA60410.2023.00015 Citation Details
Jiang, Wenxin and Synovic, Nicholas and Hyatt, Matt and Schorlemmer, Taylor R and Sethi, Rohan and Lu, Yung-Hsiang and Thiruvathukal, George K and Davis, James C "An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry" , 2023 https://doi.org/10.1109/ICSE48619.2023.00206 Citation Details
Jiang, Wenxin and Synovic, Nicholas and Jajal, Purvish and Schorlemmer, Taylor R and Tewari, Arav and Pareek, Bhavesh and Thiruvathukal, George K and Davis, James C "PTMTorrent: A Dataset for Mining Open-source Pre-trained Model Packages" , 2023 https://doi.org/10.1109/MSR59073.2023.00021 Citation Details
Jiang, Wenxin and Synovic, Nicholas and Sethi, Rohan and Indarapu, Aryan and Hyatt, Matt and Schorlemmer, Taylor R. and Thiruvathukal, George K. and Davis, James C. "An Empirical Study of Artifacts and Security Risks in the Pre-trained Model Supply Chain" Proceedings of the 1st ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED , 2022 https://doi.org/10.1145/3560835.3564547 Citation Details
Kelsey Merril, Zachary Newman "Speranza: Usable, privacy-friendly software signing" , 2022 Citation Details
Newman, Zachary and Meyers, John Speed and Torres-Arias, Santiago "Sigstore: Software Signing for Everybody" , 2022 https://doi.org/10.1145/3548606.3560596 Citation Details
Okafor, Chinenye and Schorlemmer, Taylor R. and Torres-Arias, Santiago and Davis, James C. "SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties" Proceedings of the 1st ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) , 2022 https://doi.org/10.1145/3560835.3564556 Citation Details
Schorlemmer, Taylor R and Kalu, Kelechi G and Chigges, Luke and Ko, Kyung Myung and Ishgair, Eman Abu and Bagchi, Saurabh and Torres-Arias, Santiago and Davis, James C "Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors" Proceedings of the IEEE Symposium on Security and Privacy , 2024 https://doi.org/10.1109/SP54263.2024.00215 Citation Details

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Software, like physical goods, must travel a complex network of operations to transform and distribute it. This network is called a software supply chain, and it is present in most if not all the software we use today. However, much like physical supply chains, software supply chains can be vulnerable to disruption and subversion by malicious actors. Cases such as the infamous SOLARBURST compromise has showcased how impactful these attacks are. A common way these actors target supply chains is by breaking into software distribution points, and tampers with software before it is passed along.

A crucial line of defense against attacks in the software supply chain is the use of software signing, where an actor in the software supply chain signs a component or the complete final product to ensure there is no tampering. Like a tamper-proof seal on a bottle of medicine, a software signature allows consumers to ensure products are not tampered with in transit. This is particularly important for open source, where various actors can participate in these supply chains with a lower barrier for entry. As such, we must ensure everybody participating in the software supply chain is able to sign software.

The Sigstore project aims to provide this much-needed signing adoption by simplifying the signature generation, discovery and validation process. In a nutshell, Sigstore provides tools and infrastructure to allow engineers to sign software, and submit it to a publicly-accessible ledger so that consumers can verify it. Though the Sigstore project was a promising technology before this NSF award, fundamental research was missing to understand and direct the project towards a sustainable and critical part of the cybersecurity landscape.

As a consequence, this award focused on understanding the factors that will allow Sigstore to fulfill its mission of becoming a widespread software signing technology. To do so, we 1) explored the factors that allow Sigstore adoption to improve, and 2) identified ways in which users of Sigstore can monitor the signatures to identify supply chain attacks. In doing so, we were able to scope an open source ecosystem to include contributors from various application domains, open source communities, and industry. Today, the Sigstore project boasts more than a hundred-fifty million signatures from various types of open and closed source software.

Intellectual Merit: this work shed light on hitherto unknown factors that affect adoption for software signing. For example, though perhaps counter-intuitively, supply chain attacks on a platform do not cause sustainable adoption for signing in that platform. Similarly, requiring signing from actors to participate in the chain causes adoption in signing, but those signatures will contain a variety of errors that will affect their validation. 

From these factors, we identified gaps in the Sigstore design. For example, the ability to privately sign software is a core requirement in certain ecosystems. As such, the development of designs that allowed parties to privately sign software, while still providing adequate security guarantees were developed.

Broader Impacts: this award allowed to establish governance structures to direct Sigstore in becoming an Open Source Ecosystem (OSE). In addition, it allowed for participation in and development of synergistic activities (e.g., conferences, workshops), and engagements (e.g., discussion) to grow the adopter and contributor ecosystem. Lastly, it set the groundwork for standardization efforts, which will ensure the project's neutrality and interoperability.


Last Modified: 12/30/2024
Modified by: Santiago Torres-Arias

Please report errors in award information by writing to: awardsearch@nsf.gov.

Print this page

Back to Top of page