Alexandros Kapravelos

Associate Professor

2240K Engineering Building II (EB2)

Bio

Alexandros Kapravelos is an Associate Professor in the Department of Computer Science at NC State University. His research focuses on systems, software and AI security, with an emphasis on understanding the evolution of the web and browsers, and improving browser security.

Kapravelos earned his Ph.D. in computer science from the University of California, Santa Barbara in 2015. His current work explores how large language models (LLMs) impact security and privacy, contributing to the emerging field of AI security. He is particularly interested in how modern computing platforms can be protected as they become increasingly complex and AI-integrated.

He is a recipient of the NSF CAREER Award and has received two Best Paper Awards from the IEEE Symposium on Security and Privacy, as well as a Best Paper Award from the Network and Distributed System Security Symposium (NDSS). From 2018 to 2021, he was part of the Order of the Overflow team that organized DEF CON CTF, one of the world’s most prestigious Capture The Flag cybersecurity competitions.

Posts

  • HackNC_State: Hack with the Pack

Education

    Ph.D. UC Santa Barbara 2015

    M.S. University of Crete 2010

    B.S. University of Crete 2007

    Area(s) of Expertise

    Cyber Security

    Grants

    Date: 10/01/22 - 9/30/27
    Amount: $5,726,934.00
    Funding Agencies: National Science Foundation (NSF)

    Digital innovation is the source of competitiveness and value creation for many types of businesses. The universal desire for rapid digital innovation demands efficient reuse of software code building blocks, which has increased the dependence upon open source and third-party libraries and tools that comprise the software supply chain. Adversaries have moved from finding and exploiting vulnerabilities in end products to a new generation of supply chain attacks where attackers aggressively implant malicious code directly into artifacts in the supply chain and find their way into build and deployment pipelines. Digital innovation depends upon confidence in the software supply chain. As such, our research will enable the following vision: The software industry can rapidly innovate with confidence in the security of their software supply chain. The challenge of software supply chain security has recently received significant interest from industry and government. However, discussions with key stakeholders indicate that the state-of-the-art is preliminary, motivating scientific research to address the underlying fundamental challenges that will limit the practical success of existing approaches. We tackle the challenges of secure software supply chain through three thrusts: prevention, detection, and response, with an explicit objective of moving toward preventing security failures. For each thrust, we consider five hard security problems: (1) Scalability and Composability, such as detecting malicious commits and hardening containers; (2) Policy-governed Secure Collaboration, such as effective use of Software Bill of Materials; (3) Predictive Security Metrics, such as measuring the exploitability of vulnerabilities; (4) Resilient Architectures, such as isolation and sandboxing of components; and (5) Human Behavior, such as studying how to make software developers make more secure decisions. 
    The project will impact the software industry by engaging with current industry players/community, enabling their participation in our research thrusts. Additionally, the project will involve educating the next generation of engineers to eradicate software supply chain security issues and training current employees to make them aware of these issues to help reduce them. To solve these challenging issues, we have created a multidisciplinary proposing team committed to diversity.

    Date: 07/01/23 - 6/30/27
    Amount: $400,000.00
    Funding Agencies: National Science Foundation (NSF)

    Continuous Integration (CI) has become an essential component of the modern software development cycle. Developers engineer CI scripts, commonly called workflows or pipelines, to automate most software maintenance tasks, such as testing and deployment. Security issues in workflows can have devastating effects resulting in supply-chain attacks. We propose to handle these research challenges by (1) defining a threat model and deriving security properties from first principles; (2) developing a framework based on our Workflow Intermediate Representation (WIR) that enables us to verify and define security properties in a platform-agnostic way.

    Date: 07/01/21 - 6/30/27
    Amount: $561,188.00
    Funding Agencies: National Science Foundation (NSF)

    We study the web differently from how users explore it, as browsers are not meant to be monitoring tools. Researchers build either ad-hoc solutions or use high-level information from the browser that is inadequate to identify some of the most advanced web attacks. This research aims at building the fundamental blocks for studying an increasingly complex web by developing a monitoring platform that sheds light into the inner workings of modern browsers and websites. Our research outcomes will allow any researcher, web developer or web user to understand better how the web works.

    Date: 06/15/22 - 5/31/27
    Amount: $799,030.00
    Funding Agencies: National Science Foundation (NSF)

    Fingerprinting has been a known threat to web privacy for over a decade. Yet, automated detection of fingerprinting methods and scripts has been lacking the properties for protecting web users from such an evolving web threat. Our proposed work aims to provide novel detection methods for browser fingerprinting both at its core, the browser and the evolution of its APIs, and at the page level, via dynamic analysis of JavaScript. We also propose developing countermeasures that are capable of performing more fine-grained blocking not only at the script level, but also at the API level where an instance of a script/API will be blocked depending on inferring the underlying intent behind executing the script or accessing the API.

    Date: 02/11/21 - 8/15/24
    Amount: $310,083.00
    Funding Agencies: US Navy - Office Of Naval Research

    Modern web applications are the cornerstone of much of our online life. Unfortunately, web applications are a complex mix of different technology stacks (e.g., HTML, JavaScript, and PHP), and this complexity breeds security vulnerabilities that allow an adversary to launch successful attacks. Thus, we require new approaches and techniques to tame the complexity that seems inherent to web applications. Building on the success and impact of our existing XS-SHREDDER efforts, the project proposed herein will research and develop novel, complementary, and synergistic capabilities that will improve the result and applicability of debloating to all layers of the web-application stack. These results will be demonstrated with proof-of-concept prototypes that we will quantitatively evaluate based on the reduction of code and known vulnerabilities. At the same time these prototypes should facilitate easy transition to customers within the Navy and beyond.

    Date: 11/29/18 - 12/31/22
    Amount: $884,817.00
    Funding Agencies: Defense Advanced Research Projects Agency (DARPA)

    The recent Cyber Grand Challenge (CGC) showed progress in the ability of computers to discover and patch vulnerabilities, but these programs are still far from being able to compete against human players. In order to cope with the state-explosion problem that is now limiting our ability to automatically analyze binary programs, we need to design a new class of solutions inspired by expert human behavior. In this project, instead of blindly analyzing as many nodes as possible trying to explore the search space exhaustively, we are going to develop new techniques to explore it more intelligently.

    Date: 01/01/21 - 12/31/21
    Amount: $60,000.00
    Funding Agencies: Center for Accelerated Real Time Analytics (CARTA) - NCSU Research Site

    The web evolves continuously and we currently lack the tools to monitor how it is changing and how this affects the security of internet users. Characterizing website behavior will help both users and organizations to understand the websites they visit/operate. Our goal in this project is to identify in real time websites whose behavior diverges from their expected behavior, indicating that they have been compromised. We are going to develop a publicly available system that performs continuous website behavior analysis and reports changes in behavior that occur over time.

    Date: 09/01/17 - 8/31/21
    Amount: $406,609.00
    Funding Agencies: National Science Foundation (NSF)

    The browser is constantly evolving to meet the demands of Web applications. Although this evolution supports the innovation that we see on the internet, there are security implications that we need to consider, such as attacks against the browser that leverage bugs that occur from the rapid development. In this project, we plan to examine how certain web applications work and associate their behavior directly with the corresponding browser functionality. Our goal is to be able to characterize what functionality is needed from the browser when rendering a page and certain components. By building a system like this we will be able to identify, for example, what is needed from the browser to render a web advertisement. To better protect internet users, we are going to leverage that information so that we can identify when web applications diverge from their expected behavior and attack the users' browser. We will use this information to limit the functionality exposed to web applications and in this way eliminate multiple classes of attacks, such as browser fingerprinting and drive-by downloads.

    Date: 07/01/18 - 6/30/20
    Amount: $60,000.00
    Funding Agencies: Center for Accelerated Real Time Analytics (CARTA) - NCSU Research Site

    The goal of this project is to turn the tables against the attackers and use threat-intelligence information, from a diverse set of sources and formats, to predict in real time the next generation of attacks against the web.

    Date: 07/01/17 - 6/28/20
    Amount: $286,375.00
    Funding Agencies: US Navy - Office Of Naval Research

    Modern web applications are incredibly complex pieces of software, with frameworks and libraries that assist web developers to write their applications quickly. However, these frameworks and libraries increase the attack surface of the web application. In this proposal, we present the design of a framework, called XS-Shredder, which is able to debloat all layers of the web application software stack: client-side code, server-side code, database, and operating system. This framework will perform analysis inter- and intra-layer, ultimately resulting in a web application that is semantically identical, yet with a significantly reduced attack surface.