NSF Safe-OSE: Strengthening Critical Privacy Infrastructure

This Safety, Security, and Privacy of Open-Source Ecosystems (Safe-OSE) project focuses on improving a critical piece of open-source software utilized by U.S. government agencies for national security and foreign policy purposes, by U.S.-based companies and organizations to deliver their services, and by individual citizens of the U.S. to bolster their privacy online. The project will focus on transitioning the software to a stronger form of encryption, ensuring that all users of the software are protected against evolving threats posed by quantum computing. The project will also resolve vulnerabilities posed by a variety of other threats that can compromise the safety, security, or privacy of the software’s users, including threats from outside governments, potential malicious developers who might try to inject compromised code into the software’s dependencies, and insiders that have had their accounts compromised through phishing attacks, and more.

This Safe-OSE project addresses the software’s (1) potential weakness to decryption caused by its use of pre-quantum encryption algorithms and (2) potential weaknesses to socio-technical threats like supply-chain attacks, long- and short-term infiltration, foreign government compromise, and compromised infrastructure. The project will (a) convert existing threat model findings into concrete security implementation measures; (b) implement supply chain resilience for automated dependency management; (c) provide a reproducible implementation of the software; and (d) integrate a standardized post-quantum cryptographic key exchange mechanism into the software. In mitigating these vulnerabilities, this project develops and publicly releases analysis, code, and tools that can be reviewed, evaluated, and reused by software developers. The project benefits other open-source software projects facing similar challenges, and will be of particular use to other projects with limited resources. The anticipated outcomes of this project are the use of the software to advance national security and foreign policy goals, to deliver company and industry services, and to bolster individuals' online privacy with increased safety, security, and privacy measures.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Award Number: 2534285
Principal Investigator: Micah Anderson
State: NH