Collaborative Research: SaTC: TTP: Small: eSLIC: Enhanced Security Static Analysis for Detecting Insecure Configuration Scripts


Basic Information

  • Award number:
    2247141
  • Amount:
    $244,700
  • Host country:
    United States
  • Project category:
    Standard Grant
  • Fiscal year:
    2022
  • Funding country:
    United States
  • Duration:
    2022-10-01 to 2024-09-30
  • Project status:
    Completed

Project Summary

Information technology (IT) organizations manage infrastructure using configuration scripts. Configuration scripts help practitioners accomplish a wide range of jobs, including cloud computing, scientific research, and large-scale data analytics. Even though configuration scripts enable scalable and rapid delivery of software, security weaknesses in configuration scripts, such as hard-coded passwords, can result in security and privacy problems such as data breaches. Current research on configuration script security is limited in the types of problems that can be detected, in preventing false positives, and in enabling actionability; all of these limitations prevent practitioners from acting on the identified security weaknesses, potentially leaving computing systems open to attack. The project aims to address these limitations. The project's novelty lies in the development of techniques and tools that will automatically detect security weaknesses in configuration scripts written in a wide range of languages heavily used in industry. The project's impacts relate to securing the national cyber infrastructure, educating the next-generation IT workforce on cybersecurity, and broadening participation through recruitment of underrepresented communities. Three main tasks will be investigated. First, qualitative analysis is applied to determine a comprehensive list of security weaknesses for multiple configuration script languages, and static analysis techniques are devised to automatically identify each category of security weakness. Next, grammar-based parsing and machine learning techniques are applied, evaluated, and integrated into the derived static analysis so that false positives are reduced.
Finally, the development context of practitioners from the open source and proprietary domains will be systematically mined to generate actionable alerts and suggestions that enable practitioners to fix security weaknesses. Along with the three technical tasks, industry panels will be organized in which practitioners from industry give feedback on the developed techniques and tools. Findings from the project will be disseminated to government, industry, and open source practitioners, as well as to students learning about configuration management in graduate- and undergraduate-level courses related to cybersecurity. The project is expected to generate best practices for security code review, automated tools, and education materials essential to secure configuration script development. As a transition to practice (TTP) project, it will facilitate collaboration with industry practitioners so that a comprehensive, holistic, practitioner-friendly security static analysis is achieved to secure configuration script development and management. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project Outcomes

Journal articles (10)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Come for syntax, stay for speed, understand defects: an empirical study of defects in Julia programs
  • DOI:
    10.1007/s10664-023-10328-5
  • Publication date:
    2023-06
  • Impact factor:
    4.1
  • Authors:
    A. Rahman;Dibyendu Brinto Bose;Raunak Shakya;Rahul Pandita
  • Corresponding authors:
    A. Rahman;Dibyendu Brinto Bose;Raunak Shakya;Rahul Pandita
Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based infrastructure Management
Survey - Ansible Test Smell
  • DOI:
    10.6084/m9.figshare.21699269.v1
  • Publication date:
    2023
  • Impact factor:
    0
  • Authors:
    Rahman, Akond
  • Corresponding authors:
    Rahman, Akond
Dataset - Defects in Ansible Infrastructure Orchestrator
  • DOI:
    10.6084/m9.figshare.21638090.v1
  • Publication date:
    2023
  • Impact factor:
    0
  • Authors:
    Rahman, Akond
  • Corresponding authors:
    Rahman, Akond
Quality Assurance for Infrastructure Orchestrators: Emerging Results from Ansible



Other grants of Akond Ashfaque Rahman

SHF: Small: Resilient Operations for Deployment Units Used in Container Orchestration
  • Award number:
    2312321
  • Fiscal year:
    2023
  • Funding amount:
    $244,700
  • Project category:
    Standard Grant
Authentic Learning Modules for DevOps Security Education
  • Award number:
    2310179
  • Fiscal year:
    2023
  • Funding amount:
    $244,700
  • Project category:
    Standard Grant
Authentic Learning Modules for DevOps Security Education
  • Award number:
    2209636
  • Fiscal year:
    2022
  • Funding amount:
    $244,700
  • Project category:
    Standard Grant
Collaborative Research: SaTC: TTP: Small: eSLIC: Enhanced Security Static Analysis for Detecting Insecure Configuration Scripts
  • Award number:
    2026869
  • Fiscal year:
    2020
  • Funding amount:
    $244,700
  • Project category:
    Standard Grant

Similar NSFC Grants

Research on highly integrated microwave/millimeter-wave antennas supporting two-dimensional millimeter-wave beam scanning
  • Award number:
    62371263
  • Award year:
    2023
  • Funding amount:
    CNY 520,000
  • Project category:
    General Program
Study of Heck/denitrogenative rearrangement cascade reactions of hydrazones
  • Award number:
    22301211
  • Award year:
    2023
  • Funding amount:
    CNY 300,000
  • Project category:
    Young Scientists Fund
Research on synergistic performance regulation and dendrite suppression mechanisms in aqueous zinc-ion batteries
  • Award number:
    52364038
  • Award year:
    2023
  • Funding amount:
    CNY 330,000
  • Project category:
    Regional Science Fund
Investigating the pathogenic role and mechanism of TSPYL1 mutations in sudden infant death syndrome using a human serotonergic neuron reporter system
  • Award number:
    82371176
  • Award year:
    2023
  • Funding amount:
    CNY 490,000
  • Project category:
    General Program
Mechanistic study of FOXO3 m6A methylation-induced trophoblast senescence in kidney-tonifying treatment of spontaneous abortion
  • Award number:
    82305286
  • Award year:
    2023
  • Funding amount:
    CNY 300,000
  • Project category:
    Young Scientists Fund

Similar Overseas Grants

Collaborative Research: SaTC: CORE: Medium: Using Intelligent Conversational Agents to Empower Adolescents to be Resilient Against Cybergrooming
  • Award number:
    2330940
  • Fiscal year:
    2024
  • Funding amount:
    $244,700
  • Project category:
    Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Differentially Private SQL with flexible privacy modeling, machine-checked system design, and accuracy optimization
  • Award number:
    2317232
  • Fiscal year:
    2024
  • Funding amount:
    $244,700
  • Project category:
    Continuing Grant
Collaborative Research: NSF-BSF: SaTC: CORE: Small: Detecting malware with machine learning models efficiently and reliably
  • Award number:
    2338301
  • Fiscal year:
    2024
  • Funding amount:
    $244,700
  • Project category:
    Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Differentially Private SQL with flexible privacy modeling, machine-checked system design, and accuracy optimization
  • Award number:
    2317233
  • Fiscal year:
    2024
  • Funding amount:
    $244,700
  • Project category:
    Continuing Grant
Collaborative Research: NSF-BSF: SaTC: CORE: Small: Detecting malware with machine learning models efficiently and reliably
  • Award number:
    2338302
  • Fiscal year:
    2024
  • Funding amount:
    $244,700
  • Project category:
    Continuing Grant