GGrantIndex
← Search

NSF Safe-OSE: Enhancing Safety, Security, and Privacy in the Community Earth System Model (CESM) Ecosystem

$1,500,000FY2025TIPNSF

University Of Colorado At Boulder, Boulder CO

Investigators

Abstract

This Safety, Security, and Privacy of Open-Source Ecosystems (Safe-OSE) project aims to improve the safety, security, and privacy of the Community Earth System Model (CESM), an important open-source tool used to simulate Earth systems and predict events like hurricanes, floods, droughts, and wildfires. CESM helps guide critical decisions in areas such as disaster response, agriculture, energy planning, public health, and national defense. The project develops a security framework to identify and fix weaknesses in the CESM code and its software supply chain, preventing potential backdoors and cyber threats. The project will also improve automated testing, streamline software updates, and raise awareness among developers about secure coding practices. By making CESM more secure and reliable, this effort will serve as a model for upgrading the security of other scientific software used across sectors. This Safe-OSE project begins by refactoring the CESM codebase to address foundational barriers to integrating modern security practices. This includes decoupling computational and control logic to support modularization and rewriting the control layer in Python to enable modernization. Building on this foundation, this project develops three clusters of automated security techniques: (1) static analysis using a query engine, compiler-time testing, and large language models tailored to CESM structure; (2) dynamic testing via targeted unit and regression tests for scientific workflows; and (3) supply chain security techniques to detect and mitigate risks from vulnerable dependencies. These techniques are integrated into an upgraded continuous integration (CI) and continuous delivery (CD) pipeline. To address socio-technical risks and ensure long-term sustainability, this project implements a maintainer vetting process and provides community-focused security training through hands-on tutorials and live demonstrations. The anticipated outcome is a comprehensive security framework for CESM that can be generalized to other legacy scientific software ecosystems. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →