Completed STANDARD GRANT National Science Foundation (US)

SBIR Phase I: Securing open source software supply chain

$2.56M USD

Funder: National Science Foundation (US)
Recipient Organization: Ossillate Inc.
Country: United States
Start Date: Aug 01, 2021
End Date: Feb 28, 2023
Duration: 576 days
Number of Grantees: 1
Roles: Principal Investigator
Data Source: National Science Foundation (US)
Grant ID: 2112368
Grant Description

The broader impact of this Small Business Innovation Research (SBIR) Phase I project will be to improve cybersecurity. Thousands of open-source software (OSS) packages containing purposefully harmful software (malware) have been reported across popular language ecosystems (e.g., Python), which have been downloaded millions of times. Such attacks are highly damaging as the malware may find its way into apps, potentially compromising the privacy of millions of users; moreover, OSS is the de facto standard way to build modern applications and services. This project will develop a novel large-scale automated vetting infrastructure to analyze millions of OSS packages and mitigate OSS supply chain attacks.

This will enhance productivity for the OSS developer community across the cybersecurity spectrum, including malware analysis, exposing undesired behavior in untrusted third-party OSS code, maintaining developer trust and reputation, detecting hidden software vulnerabilities, and enforcing security of OSS ecosystems.

This Small Business Innovation Research (SBIR) Phase I project will advance state-of-the-art research techniques as well as explore novel practical approaches for detection and mitigation of Open-Source Software (OSS) supply chain attacks — a direct cybersecurity threat posed to developers and organizations when adopting untrusted third-party OSS code. This project will: 1) create novel automated techniques for exhaustive code as well as metadata analysis of OSS projects, and 2) develop an extensive set of robust characteristic profiles for effective detection of malicious code.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

Ossillate Inc.
