GGrantIndex
← Search

NSF POSE: Phase II: Building an Open-Source Ecosystem to Secure Software Bills of Materials

$1,500,000FY2024TIPNSF

New York University, New York NY

Investigators

Abstract

This project seeks to harness the power of open-source development for the creation of new technology solutions to problems of national and societal importance. Across the globe, software is integral to many aspects of contemporary life, making it crucial to be able to accurately identify and verify the components from which software is created. A well-known method for creating an inventory of software components, known as a Software Bill of Materials (SBOM), is prone to inaccuracies and is vulnerable to unauthorized tampering. This project, called “SBOMit,” aims to transform SBOMs by creating an open-source ecosystem that redefines how SBOMs are produced and checked. The SBOMit open-source ecosystem aligns with both the NSF's mission to enhance national welfare and security as well as the objectives of the National Cybersecurity Strategy. SBOMit minimizes the risks of tampering with SBOMs and improves transparency, establishing a new benchmark for trust in software supply chains. As an open-source product, SBOMit is available to industry, government, and other sectors at no cost, providing a free and open solution to one of the most important cybersecurity problems. SBOMit's innovation builds upon the capabilities of another open-source product, known as “in-toto,” to bolster SBOM reliability against malicious threats, leveraging the in-toto framework’s attestations to enhance SBOM trustworthiness. The in-toto framework ensures cryptographic verification at every stage of the supply chain, providing assurance of software integrity for version control systems, the continuous integration/continuous deployment process, testing, and all other stages of the software supply chain. Cryptographic verification serves dual purposes: diminishing SBOM tampering risks and setting a new transparency and trust standard in software supply chains. Additionally, the capability to leverage in-toto's attestations helps to fortify software against a variety of existing and anticipated software supply chain attacks. Industry participants within the growing SBOMit ecosystem are developing tools that will help to integrate the product across a diverse range of applications, fostering a community-driven approach that will protect software used in industry, government, academia, and elsewhere. The detailed metadata embedded within SBOMs by in-toto attestations facilitates a greater level of visibility and control of the provenance of components, empowering automated verification processes that can detect and defend against unauthorized modifications. As the SBOMit open-source ecosystem expands by integrating the product across various software domains, this standardizes a means to generate SBOMs and empower stakeholders across sectors with transparent, secure, and easy-to-use tools. The SBOMit open-source ecosystem can pave the way for the trustworthy software supply chain of the future. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →