Navy looks to partner with private industry on blockchain tech that detects cyberattacks during software development


SOURCE: TECHLINKCENTER.ORG
MAY 30, 2024

The Navy invention enables traceability and provability in software development

A typical software development process involves several key steps, from editing and compiling the raw source code to creating a final application and sending it to an end user. Every point of this lifecycle contains countless windows of opportunity for cyberattack. For example, an attacker may attempt to inject malicious code or swap one file with another to disrupt and sabotage software users.

Given that software has become an integral part of military aircraft, vehicles, and weapons systems, the need for solutions that ensure a secure software supply chain is more critical than ever. To this end, the Naval Air Warfare Center’s Aircraft Division (NAWCAD) at Lakehurst, New Jersey, has invented a new technology that leverages blockchain to both secure software development environments and verify finished software.

The method, known as “PARANOID” (Powerful Authentication Regime Applicable to Naval Operational Flight Program Integrated Development), guarantees the integrity of software throughout its lifecycle. The working prototype, currently at Technology Readiness Level (TRL) 5 (on a scale of 1 to 9), integrates with existing open-source development environments, such as Visual Studio and Visual Studio Code, to tie developer actions to blockchain transactions.

“Blockchain methods are shown to be a viable approach for supporting exhaustive traceability and strong provability of development system integrity for mission-critical software,” wrote the inventors in a study on PARANOID published by the Journal of Defense Analytics and Logistics.

In essence, blockchain is an unalterable shared ledger that records groups of transactions called blocks. Blocks are cryptographically “chained” together, meaning that no one can change any transaction data without being immediately detected. All participating computers have a copy of the ledger, and all transactions are verified and updated in consensus. Blockchain is best known as the heart of cryptocurrency, but it is also used for real estate transactions and inventory tracking.

With PARANOID, every critical software development action is a transaction on a blockchain. Any malicious modifications or other cyberattacks will be spotted instantly. The invention effectively prevents unauthorized source code changes, as well as unauthorized swapping or injection of object files, executables, and proof packages.
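
The two ideas above (hash-chained blocks, and development actions recorded as transactions) can be illustrated with a short sketch. This is an added example, not PARANOID's code, which the article does not describe; the record fields, function names, and sample artifacts are assumptions, and it models a single ledger copy without signatures or consensus.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first block

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(body: dict) -> str:
    # Canonical JSON so the same body always hashes to the same value.
    return digest(json.dumps(body, sort_keys=True).encode())

def append(ledger, actor, action, name, content):
    """Record one development action and the digest of the artifact it produced."""
    body = {"index": len(ledger),
            "prev": ledger[-1]["hash"] if ledger else GENESIS,
            "actor": actor, "action": action,
            "artifact": name, "sha256": digest(content)}
    ledger.append({**body, "hash": block_hash(body)})

def verify_chain(ledger):
    """Return the index of the first inconsistent block, or None if intact."""
    prev = GENESIS
    for i, block in enumerate(ledger):
        body = {k: v for k, v in block.items() if k != "hash"}
        if (block["index"] != i or block["prev"] != prev
                or block_hash(body) != block["hash"]):
            return i
        prev = block["hash"]
    return None

def verify_artifact(ledger, name, content):
    """Compare a file on disk with the latest digest recorded for it."""
    for block in reversed(ledger):
        if block["artifact"] == name:
            return block["sha256"] == digest(content)
    return False  # never recorded: treat as untrusted

def build_demo_ledger():
    # Constructed sample artifacts; the contents are placeholders.
    ledger = []
    append(ledger, "dev1", "edit", "nav.c", b"int heading(void){return 90;}")
    append(ledger, "build", "compile", "nav.o", b"constructed-object-file")
    append(ledger, "build", "link", "ofp.bin", b"constructed-executable")
    return ledger
```

A single copy like this only detects edits that leave later blocks untouched; someone able to rewrite the whole file could recompute every hash, which is the gap the replicated, consensus-verified ledger described above is meant to close.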

Commercialization of Navy Innovation

PARANOID was originally developed to support the secure software development of avionics software for the Naval Aviation Enterprise (NAE) aircraft programs. However, the approach is applicable to any organization or company that requires traceability and provability in software development to prevent attacks on their software development.

This novel technology is now available to private businesses for commercialization via TechLink, the national technology transfer partner for the Department of Defense. In particular, the inventors are interested in exploring a CRADA, or cooperative research and development agreement, that allows a government agency and a private company to work together on R&D. To facilitate the timely transfer of Navy inventions, TechLink’s staff of certified licensing professionals provide no-cost consultation and facilitation services to support a company’s application for a license agreement or a CRADA. TechLink can also help companies establish a mutually beneficial relationship with the Navy.

In collaboration with the Navy’s Technology Transfer Program, Nida Shaikh, senior technology manager at TechLink, is assisting qualified companies with evaluating the research and the patent licensing process.

"An ideal CRADA partner would be a company interested in developing a solution for securing software supply chains," Shaikh said. "This would include companies in the realm of software development who would be willing to install and test PARANOID for feedback and scalability."

More information about this available technology, including the patent, can be found here or by contacting TechLink.