Laurie Williams

Goodnight Distinguished University Professor in Security Sciences

2240D Engineering Building II (EB2)

919-513-4151

Bio

Laurie Williams is a Goodnight Distinguished University Professor in the Computer Science Department of the College of Engineering at North Carolina State University. Laurie is a co-director of the NC State Secure Computing Institute and the NC State Science of Security Lablet. Laurie’s research focuses on software security; agile software development practices and processes, particularly continuous deployment; and software reliability, software testing and analysis. Laurie has more than 260 refereed publications.

Williams has authored more than 260 refereed publications. She holds office hours on Mondays from 4:00 to 4:30 p.m. in EB2 Room 2240 and from 5:00 to 5:30 p.m. virtually.

Area(s) of Expertise

Cyber Security
Information and Knowledge Management
Software Engineering and Programming Languages


Grants

Date: 10/01/22 - 9/30/27
Amount: $5,726,934.00
Funding Agencies: National Science Foundation (NSF)

Digital innovation is the source of competitiveness and value creation for many types of businesses. The universal desire for rapid digital innovation demands efficient reuse of software code building blocks, which has increased the dependence upon open source and third-party libraries and tools that comprise the software supply chain. Adversaries have moved from finding and exploiting vulnerabilities in end products to a new generation of supply chain attacks where attackers aggressively implant malicious code directly into artifacts in the supply chain and find their way into build and deployment pipelines. Digital innovation depends upon confidence in the software supply chain. As such, our research will enable the following vision: The software industry can rapidly innovate with confidence in the security of their software supply chain. The challenge of software supply chain security has recently received significant interest from industry and government. However, discussions with key stakeholders indicate that the state-of-the-art is preliminary, motivating scientific research to address the underlying fundamental challenges that will limit the practical success of existing approaches. We tackle the challenges of secure software supply chain through three thrusts: prevention, detection, and response, with an explicit objective of moving toward preventing security failures. For each thrust, we consider five hard security problems: (1) Scalability and Composability, such as detecting malicious commits and hardening containers; (2) Policy-governed Secure Collaboration, such as effective use of Software Bill of Materials; (3) Predictive Security Metrics, such as measuring the exploitability of vulnerabilities; (4) Resilient Architectures, such as isolation and sandboxing of components; and (5) Human Behavior, such as studying how to make software developers make more secure decisions. 
The project will impact the software industry by engaging with current industry players/community, enabling their participation in our research thrusts. Additionally, the project will involve educating the next generation of engineers to eradicate software supply chain security issues and training current employees to make them aware of these issues to help reduce them. To solve these challenging issues, we have created a multidisciplinary proposing team committed to diversity.

Date: 07/01/21 - 6/30/25
Amount: $399,708.00
Funding Agencies: National Science Foundation (NSF)

Modern distributed systems and Internet services require authentication between their components to protect their services from unauthorized access and ensure appropriate billing. In practice, this authentication is performed by presenting a static secret, such as an "API key" or password. These are difficult for developers to manage and deploy securely, and credentials are accidentally or intentionally stored in widely readable software repositories. This threatens not just the security of the leaker, but also the authenticating service. The ultimate root cause of this issue is the adaptation of user authentication methods (e.g., passwords) to software in ways that are inappropriate and ultimately unsafe. This proposal will fund research to more reliably and consistently identify these leaked software credentials, triage them according to the risk they present, conduct developer interventions to train them to properly manage this risk, and finally develop more secure yet manageable alternative solutions to software authentication.

Date: 10/01/19 - 9/30/23
Amount: $499,998.00
Funding Agencies: National Science Foundation (NSF)

Software practitioners need methods to prioritize security verification efforts through the development of practical vulnerability prediction models. The PIs of this project have conducted extensive research of software analytics and vulnerability prediction algorithms. Based on that work, we can assert that vulnerability predictors usually use old data mining technology, some of which dates back several decades. This proposal will explore numerous better ways to build vulnerability predictors.

Date: 08/16/21 - 8/15/23
Amount: $125,113.00
Funding Agencies: Cisco Systems, Inc.

A May 2021 White House Executive Order on Cybersecurity contains a specific focus on the role the private sector plays in fostering a more secure cyberspace and an entire section on enhancing the security and integrity of the software supply chain. Organizations, such as Cisco, that supply "critical software" to the US government must comply with secure software supply chain practices. We propose research projects to aid Cisco in supply chain security. The primary goal of this project is to assist security analysts in identifying suspicious behavior during the build and deployment processes through an empirical analysis of build and deployment logs. We also will work with Cisco to develop machine learning models to automatically identify malicious commits to repositories through the development and validation of a commit-anomaly detector. We will also partner to leverage the information contained in a Software Bill of Materials (SBoM) to reduce supply chain security risk.

Date: 04/04/18 - 8/15/23
Amount: $3,655,309.00
Funding Agencies: US Dept. of Defense (DOD)

This project proposes the continuation of the Science of Security Lablet at NC State University. Science of Security refers to the study of cybersecurity from an explicitly scientific perspective. Cybersecurity encompasses elements of technology, human behavior, and policy. Science of Security seeks to identify and apply the appropriate scientific principles on cybersecurity problems, enhancing rigor and reproducibility, thereby improving the transfer of research to practice. This Lablet provides a home for investigations into diverse topics pertaining to a Science of Security. The Lablet will support the three major elements of a Science of Security: research, scientific methods, and community engagement.

Date: 01/17/19 - 12/31/20
Amount: $116,075.00
Funding Agencies: Laboratory for Analytic Sciences

LAS DO1 Option Year Williams - 3.0 Machine Learning Integrity

The goal of the projects examining Machine Learning Integrity is to identify and address issues that impact the timeliness, objectivity, reliability, explainability, and quality of machine learning approaches. These issues may arise from the specifics of an application, from a lack of data, from computational or policy constraints, or from adversarial actions.

Date: 09/01/14 - 8/31/19
Amount: $281,076.00
Funding Agencies: National Science Foundation (NSF)

Touch interfaces on mobile phones and tablets are notoriously error prone in use. One plausible reason for slow progress in improving usability is that research and design efforts in HCI take a relatively narrow focus on isolating and eliminating human error. We take a different perspective: failure represents breakdowns in adaptations directed at coping with complexity. The key to improved usability is understanding the factors that contribute to both expertise and its breakdown. We propose to develop cognitive models of strategies for touch interaction. Our research will examine the detailed interactions between users' perceptual, cognitive, and motor processes in recognizing, recovering from, and avoiding errors in touch interfaces. Our proposal is for three stages of research: exploratory experiments, analysis and modeling, and finally validation experiments.

Date: 02/06/14 - 9/30/18
Amount: $6,677,661.00
Funding Agencies: US Dept. of Defense (DOD)

Since August 2011, North Carolina State University's (NCSU) analytics-focused Science of Security Lablet (SOSL) has embraced and helped build a foundation for the NSA's vision of the Science of Security (SoS) and a SoS community. Jointly with other SOSLs, we formulated five SoS hard problems, which lie at the core of the BAA. At NCSU, data-driven discovery and analytics have been used to formulate, validate, evolve, and solidify security models and theories as well as the practice of cyber-security. We propose to (1) investigate solutions to five cross-dependent hard problems, building on our extensive experience and research, including in the current SOSL; (2) advance our SoS community development activities; and (3) enhance our evaluation efforts regarding progress on the hard problems by bringing in experts on science evaluation.

Date: 06/25/13 - 6/24/18
Amount: $2,246,330.00
Funding Agencies: National Security Agency (NSA)

Critical cyber systems must inspire trust and confidence, protect the privacy and integrity of data resources, and perform reliably. Therefore, a more scientific basis for the design and analysis of trusted systems is needed. In this proposal, we aim to progress the Science of Security. The Science of Security entails the development of a body of knowledge containing laws, axioms and provable theories relating to some aspect of system security. Security science should give us an understanding of the limits of what is possible in some security domain, by providing objective and quantifiable descriptions of security properties and behaviors. The notions embodied in security science should have broad applicability - transcending specific systems, attacks, and defensive mechanisms. A major goal is the creation of a unified body of knowledge that can serve as the basis of a trust engineering discipline, curriculum, and rigorous design methodologies. As such, we provide eight hard problems in the science of security. We also present representative projects which we feel will make progress in the discipline of the science of security.

Date: 09/01/13 - 8/31/17
Amount: $300,000.00
Funding Agencies: National Science Foundation (NSF)

According to a 2010 report based on interviews with 2,800 Information Technology professionals worldwide, the gap between hacker threats and suitable security defenses is widening, and the types and numbers of threats are changing faster than ever before. In 2010, Jim Gosler, a fellow at the Sandia National Laboratory who works on countering attacks on U.S. networks, claimed that there are approximately 1,000 people in the country with the skills needed for cyber defense. Gosler went on to say that 20 to 30 times that many are needed. Additionally, the Chief Executive Officer (CEO) of the Mykonos Software security firm indicated that today's graduates in software engineering are unprepared to enter the workforce because they lack a solid understanding of how to make their applications secure. Particularly due to this shortage of security expertise, education of students and professionals already in the workforce is paramount. In this grant we provide a plan for motivating and providing software security education to students and professionals.


  • IEEE Fellow - 2018
  • Carol Miller Graduate Lecturer Award - 2017
  • NCSU Research Leadership Academy, 2016
  • 2015-2016 NCSU Alumni Association Outstanding Research Award
  • IEEE Senior Member - 2015
  • NC State Faculty Scholar - 2013
  • IBM Faculty Award - 2012
  • ACM Distinguished Scientist - 2011
  • IBM Smarter Planet Innovation Faculty Award - 2011
  • IBM Faculty Award - 2010
  • ACM SIGSOFT Influential Educator Award - 2009
  • IEEE Software 25th Anniversary "Top Picks" for full-length, peer-reviewed articles - 2009
  • IEEE Software 25th Anniversary "Most Cited Articles" - 2009
  • IBM Faculty Award - 2008
  • IBM Jazz Innovation Award - 2007
  • Best Paper Award, International Symposium on Empirical Software Engineering and Measurement (ESEM) - 2007
  • NC State Academy of Outstanding Teaching inductee - 2006
  • National Science Foundation Faculty Early CAREER Award - 2004
  • IBM University Partnership Award - 2003
  • IBM Eclipse Innovation Award - 2002