The Marina USA is looking for private partners for the research and development of its proprietary security technology based on blockchain called PARANOID.
This is a solution to protect the software that manages the supply chain, and that leverages the blockchain to ensure the security of software development environments and to verify the finished software.
For now it is still just a prototype (TRL5), and it consists of a blockchain infrastructure based on Hyperledger, a server application, a plug-in for Visual Studio and Visual Studio Code, and an offline software verification application.
Summary
Marina USA: The opening to private individuals of the blockchain project Paranoid
According to the press release issued a few days ago, the Navy is looking to partner with private industry for the development of this software that allows traceability and demonstrability in software development.
The software has now become an integral part of both military aircraft and vehicles and weapon systems, so a solution is needed to ensure a secure software supply chain. For this reason, Paranoid has been developed.
Now the objective of the Marina would even be to commercialize this innovation, although originally Paranoid was developed solely to support the secure development, particularly of avionics software for the aeronautical programs of the Naval Aviation Enterprise (NAE).
However, this solution is theoretically applicable to any organization or company that needs full traceability with certain demonstrability for software development, in order to prevent attacks that could occur during the development itself.
Paranoid is available for private enterprises through TechLink, the national partner for technology transfer of the Department of Defense, but the Navy also offers private developers a cooperative research and development agreement (CRADA) that allows collaboration between government entities and private companies.
The senior technology manager of TechLink, Nida Shaikh, stated:
“An ideal CRADA partner would be a company interested in developing a solution to protect the software supply chain. This would include companies in the field of software development that would be willing to install and test PARANOID for feedback and scalability.”Â
What is Paranoid
This new technology was invented by NAWCAD, that is, the Aircraft Division of the Naval Air Warfare Center in Lakehurst, New Jersey.
The problem to solve was the verification of security in all stages of the software development process, from the creation and modification of the raw source code to its compilation, up to the creation of a final application and its delivery to the end user.
The fact is that each of these steps theoretically contains countless opportunities to launch cyber attacks, both from inside and outside, such as secretly inserting malicious code or swapping one file with another.
The PARANOID method solves the problem by ensuring the integrity of the software throughout its entire lifecycle thanks to the blockchain.
The already existing prototype, operating at the so-called Technology Readiness Level 5 (TRL5), integrates with already existing open source development environments, such as Visual Studio and Visual Studio Code, and links developers’ actions to blockchain transactions.
According to the inventors of PARANOID, this methodology on blockchain has proven to be a viable approach to support comprehensive traceability and strong demonstrability of the integrity of the development system for mission-critical software.
The advantage is that the blockchain is an unalterable ledger that can be consulted by everyone, directly and without intermediaries. Any alteration of the blocks would be immediately detected.
All participating computers hold a copy of this ledger, so they can verify it without having to resort to intermediaries, and all transactions are verified and updated according to the public protocol.
With PARANOID, every development of a critical software is a transaction on the blockchain, therefore any unforeseen changes or other cyber attacks are detected immediately.
The objective is to effectively prevent unauthorized modifications of the source code, but also the unauthorized replacement or insertion of files, objects, executables, and test packages. Â
The blockchain beyond cryptocurrencies
The first example of a public and decentralized blockchain appeared in January 2009 with the mining of the first block of Bitcoin, by Satoshi Nakamoto.
Initially, this technology was used only in the field of criptovalute, but later it was realized that its characteristics made it excellent for other types of use as well, including, for example, NFT.
Specifically, a public and decentralized blockchain proves to be unassailable and unmodifiable, because anyone can verify firsthand that all transactions are correct.
In the case of Paranoid, however, a public blockchain is not used, for obvious reasons, but a permissioned DLT (Hyperledger) which nevertheless plays a very similar role.
In fact, anyone working on software managed with Paranoid will have direct access to the chain of software transactions, so they can verify firsthand and without intermediaries that all transactions are correct.
It is imaginable that there are different levels of access, and that the data from different software will not be shared even among the different development teams, and given that Paranoid is already in use in TRL5, it is imaginable that this technology actually works well.
It should be remembered that it is not necessary to register the code itself on the blockchain, but it is sufficient to register a validation hash of the code so that from the hash it is not possible in any way to trace back to the code, but it can be used with absolute certainty to validate it, thus allowing one to verify firsthand and without intermediaries that the software being used corresponds exactly to what is certified on the blockchain.
