
Consistent Hardening and Analysis of Software Supply Chains

Reference number
FUS21-0052
Project leader
Monperrus, Martin
Start and end dates
2022-06-01 to 2027-05-31
Amount granted
31 038 952 SEK
Administrative organization
KTH - Royal Institute of Technology
Research area
Information, Communication and Systems Technology

Summary

Context. Software companies increasingly rely on open source software supply chains to deliver relevant software applications to their customers. This supply chain supports the best software engineering practice of reuse. At the same time, the software supply chain exposes these companies to risks related to reliability, maintenance, and security.

Objective. In this context, the CHAINS project builds advanced software development techniques and methods to harden the supply of software libraries and development tools. The project contributes novel software technology that provides developers with precise knowledge to assess and mitigate the risks of reusing third-party libraries.

Research plan. CHAINS is structured around three research areas and one demonstrator. We develop algorithms and tools for threat modeling at development time, for safe and reliable software build systems, and for runtime monitoring of the software supply chain. The demonstrator assesses the applicability of the project results on the real-world software supply chain of the secure communications solution developed by PrimeKey Solutions AB.

Outcome and relevance. CHAINS will result in both long-term benefits for the research community and direct benefits for Swedish industry. The impact of CHAINS will be assessed with respect to publications in top-tier scientific venues, open source software technology, the training of graduate students, and the dissemination of results at industry events.

Popular science description

The software supply chain is defined as all software on which an organization relies to operate its activities. This spans a wide variety of applications, from payroll, travel, and procurement systems to network administration tools and databases. The software supply chain has become a severe risk for companies in all sectors, as witnessed by several news headlines in recent years. A prominent example is the SolarWinds attack. Malicious actors compromised the build and continuous integration infrastructure of the company SolarWinds and inserted malware into its Orion monitoring and management software. Consequently, customers of SolarWinds who installed the trojanized Orion update received the malware with it. These customers included public administrations and large corporations in the USA, many of which were subsequently targeted for further exploitation.

Hardening the software supply chain has become a problem of utmost importance. In May 2021, for instance, the U.S. White House issued an executive order (Executive Order 14028) that explicitly names the software supply chain as a key risk for society. While the scope, importance, and scale of software supply chain incidents vary greatly, their root causes are similar. The companies that supply a piece of software to customers (such as SolarWinds) use methods, tools and practices that are at the core of the risks highlighted above. They all rely on software reuse at large, because it is a known best practice with respect to reliability and time-to-market. While software reuse is a key enabler for timely and powerful software applications, it can also be considered their Achilles' heel: malicious actors can infect a target application from within a reused component, and entire software systems may crash because of a bug somewhere deep in the reuse chain.

The CHAINS project builds advanced software development techniques and methods to harden the supply chain of software libraries and development tools. The project contributes novel models, algorithms, and analysis tools that provide developers with precise knowledge to assess and mitigate the risks of reusing third-party libraries. The research covers the software engineering process in multiple steps: from design and development, to building and checking, as well as deployment. An open source product from the Swedish company PrimeKey Solutions AB is used as the demonstrator for the project results.