NSF SAFE-OSE: TianoShield - Improving the Security Posture of the TianoCore Ecosystem

About This Grant

A firmware program is embedded in storage on a computer's motherboard to controls how computing devices start up their boot processes and interact with their operating systems after they are powered on. The program controls devices ranging from cloud servers to Internet of Things (IoT) platforms. The Unified Extensible Firmware Interface (UEFI) is an open standard for computing system firmware architecture. The TianoCore community implements various components of the UEFI. This implementation has resulted in a vibrant and mature open-source ecosystem with a significant impact on U.S. national security, safety, and privacy. Given the widespread use of the TianoCore repositories, security vulnerabilities could be leveraged by U.S. adversaries and other malicious actors to cause potentially massive-scale harm to U.S. citizens, businesses, and industries. This project focuses on enhancing the security of the TianoShield ecosystem and improving its overall open-source development process and practices. The enhancements and the tools developed as part of the TianoShield project can be extended to other ecosystems and repositories. Outcomes will include publication of experience reports, which can serve as references for future security enhancements. The TianoShield will advance knowledge in the fields of software security and software and systems engineering by mitigating the identified vulnerabilities in the source code of the TianoCore repositories and the UEFI supply chain risks. This security improvement will occur through three thrusts: 1) rapid triaging of existing bug reports, which comprises enhancing existing bug reports using Large Language Models (LLMs), and proactive patching of known bugs and vulnerabilities; 2) enabling and extending the deployment of state-of-the-art static and dynamic security analysis tools; and 3) enabling streamlined bug handling, which includes enhancing structured bug reporting practices leveraging LLMs, and improving the CI/CD (Continuous Integration and Continuous Delivery/Deployment) pipelines to foster security and automation. In collaboration with industry partners, the project team will work with the TianoCore community to ensure that activities are integrated in an automated manner into the software development and maintenance workflows of the TianoCore projects. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.