Collaborative Research: SaTC: CORE: Medium: Securing Continuous Integration Workflows

协作研究：SaTC：核心：中：确保持续集成工作流程的安全

• 批准号: 2247688
• 负责人: Alexandros Kapravelos
• 金额: $ 40万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-07-01 至 2027-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2247688&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

Continuous Integration (CI) has become essential to the modern software development cycle. Developers engineer CI scripts, commonly called workflows or pipelines, to automate most software maintenance tasks, such as testing and deployment. Developers frequently misconfigure workflows resulting in severe security issues, which can have devastating effects resulting in supply-chain attacks. The extreme diversity of CI platforms and the supported features further exacerbate the problem and make it challenging to specify and verify security properties across different CI platforms uniformly. This project addresses the problem by defining the desired security properties of a workflow and developing platform-independent techniques to verify and enforce the security properties. Furthermore, this research will support the cross-disciplinary development of a diverse cohort of Ph.D. and undergraduate students, graduate-level courses, and a gamified training environment for workflow security analysis.This project defines the required security properties of CI workflows and develops methods to verify and specify these properties. This requires techniques that can work in a platform-independent manner to handle the diversity of CI platforms. The project handles this through indirection by designing Workflow Intermediate Representation (WIR) and Workflow Specification Language (WSL). WIR and WSL enable platform-agnostic verification and specification of workflow security properties, respectively. The verification of security properties will be performed through Workflow Analysis Framework (WAF) that supports both static and dynamic analysis passes over workflows encoded in a platform-agnostic WIR. WSL, a domain-specific language, allows developers to specify workflows and their security properties in a platform-independent manner. Designing an effective WSL requires understanding developers' perspectives and challenges in engineering workflows and specifying security properties. In this context, this project performs necessary developer studies to gain insights about the above aspects. The project also develops a bidirectional compilation infrastructure for translating workflows from WSL to platform-specific versions, enabling compatibility with existing platforms. Furthermore, the project also aims to create, collect, and catalog a large corpus of representative workflows across different platforms.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

连续集成（CI）已成为现代软件开发周期至关重要的。开发人员工程师CI脚本（通常称为工作流或管道）可以自动化大多数软件维护任务，例如测试和部署。开发人员经常错误地配置工作流导致严重的安全问题，这可能会产生毁灭性的影响，从而导致供应链攻击。 CI平台和受支持的功能的极端多样性进一步加剧了问题，并使在统一的不同CI平台上指定和验证安全性属性具有挑战性。该项目通过定义工作流程的所需安全属性和开发与平台无关的技术来验证和执行安全属性，从而解决了问题。此外，这项研究将支持各种博士学位的跨学科发展。以及本科生，研究生级课程以及用于工作流安全性分析的游戏培训环境。本项目定义了CI工作流的必要安全性，并开发了验证和指定这些属性的方法。这需要以独立于平台的方式来处理CI平台多样性的技术。该项目通过设计工作流中间表示（WIR）和工作流规范语言（WSL）来处理此问题。 WIR和WSL分别启用了平台 - 不可能的验证和工作流安全性属性的规范。安全性属性的验证将通过工作流分析框架（WAF）进行，该框架支持静态和动态分析的验证，传递在平台 - 不平衡的WIR中编码的工作流程。 WSL是一种特定领域的语言，允许开发人员以独立于平台的方式指定工作流及其安全性属性。设计有效的WSL需要了解开发人员在工程工作流程和指定安全属性方面的观点和挑战。在这种情况下，该项目执行了必要的开发人员研究，以获取有关上述方面的见解。该项目还开发了双向汇编基础架构，用于将工作流程从WSL转换为特定于平台的版本，从而与现有平台兼容。此外，该项目还旨在创建，收集和对不同平台上的代表性工作流进行大量代表性工作。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的知识分子和更广泛影响的评估评估标准来通过评估来支持的。