NSF-Safe-OSE: Strengthening HDF5 for Science, Industry, and National Security Applications

This project enhances the safety, security, and privacy of the Hierarchical Data Format version 5 (HDF5), a widely used data management system critical in scientific research, industry, healthcare, finance, and national security. Given HDF5’s role in handling large, complex datasets across various applications, vulnerabilities within its infrastructure pose significant risks. This project systematically identifies and addresses these vulnerabilities, creating safer data management solutions to advance scientific discovery, protect national security interests, and support economic growth. By enhancing HDF5’s robustness, the initiative seeks to strengthen U.S. leadership in scientific and technological innovation, thereby providing lasting competitive advantages in data management. The enhanced HDF5 infrastructure will particularly benefit national laboratories, healthcare providers, educational institutions, and industries that rely on secure and reliable data systems. Through community engagement and rigorous safety practices, the project directly contributes to national health, prosperity, and security by strengthening the foundational data technologies that underpin modern scientific, industrial, and societal infrastructures.

This project addresses critical safety, security, and privacy (SSP) vulnerabilities within HDF5 through comprehensive audit and mitigation phases. The audit systematically investigates seven vulnerability categories, including file format, library-level issues, extensions, toolchain dependencies, operational usage, privacy leaks, and supply chain risks. It utilizes static and dynamic analysis tools, threat modeling, and community-driven bug discovery initiatives to identify vulnerabilities. Mitigation activities follow two parallel tracks: Track A enhances the core HDF5 library and file format through code refactoring, input validation, buffer overflow resolutions, and the introduction of secure-by-default behaviors. Track B secures the broader ecosystem by standardizing safer development templates, hardening extensions, and interfaces, and ensuring robust distribution practices through signed packages and reproducible builds. Key deliverables include updated, hardened software releases, comprehensive security playbooks, enhanced plugin management frameworks, and strategies for migrating critical modules to memory-safe languages. The project’s structured community engagement ensures continuous input and adoption of best practices, significantly strengthening the security posture of HDF5 and its extensive user base across many sectors.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Award Number: 2534078
Principal Investigator: Gerd Heber
Funds Obligated: $1,500,000
State: IL