CICI:TCR:Software Supply Chain Security in High-Performance Computing: Understanding, Evaluation and Transition

About This Grant

Computational infrastructures have become a foundational enabler of scientific discovery across a range of critical domains, including seismic imaging, air quality monitoring, epidemiology, drug discovery, and nuclear engineering. As a result, ensuring the security of these infrastructures is paramount. Scientific computing ecosystems rely heavily on open-source software to develop, port, deploy, schedule, and manage computational codes. However, the open-source model inherently exposes projects to software supply chain threats. Real-world incidents have shown that adversaries can exploit this model by injecting malicious code into compromised repositories, thereby affecting downstream users. Even in the absence of malicious actors, open-source components may contain latent vulnerabilities that introduce significant security risks. Although extensive research has been conducted on understanding and mitigating software supply chain risks, their implications in the high-performance computing (HPC) context remain largely understudied. HPC environments—including their infrastructures, applications, and operational models—present distinct characteristics and challenges that may render conventional security approaches ineffective. This award, HPCSafeChain, addresses a pressing question: How can current security techniques be applied or adapted to confront software supply chain threats in the HPC domain? To this end, this project undertakes the following three key tasks. (1) Risk Characterization and Taxonomy Development: the HPCSafeChain project systematically identifies security risks specific to HPC software supply chains, analyzes the underlying challenges in mitigating them, and constructs a comprehensive taxonomy tailored to HPC. (2) Testbeds and Benchmarks: leveraging the constructed taxonomy, HPCSafeChain develops realistic testbeds and an attack benchmark to rigorously assess the effectiveness and limitations of existing security tools within HPC settings. (3) Technique Adaptation and Enhancement: HPCSafeChain investigates how existing software supply chain security techniques can be refined or extended to address the unique requirements and operational constraints of HPC environments. This project offers valuable insights into the security challenges faced by real-world HPC systems and creates distinctive research and educational opportunities for both undergraduate and graduate students. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.