Collaborative Research: SaTC: CORE: Medium: Securing Continuous Integration Workflows

协作研究：SaTC：核心：中：确保持续集成工作流程的安全

• 批准号: 2247687
• 负责人: Nikos Vasilakis
• 金额: $ 40万
• 依托单位: Brown University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-07-01 至 2027-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2247687&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

Continuous Integration (CI) has become essential to the modern software development cycle. Developers engineer CI scripts, commonly called workflows or pipelines, to automate most software maintenance tasks, such as testing and deployment. Developers frequently misconfigure workflows resulting in severe security issues, which can have devastating effects resulting in supply-chain attacks. The extreme diversity of CI platforms and the supported features further exacerbate the problem and make it challenging to specify and verify security properties across different CI platforms uniformly. This project addresses the problem by defining the desired security properties of a workflow and developing platform-independent techniques to verify and enforce the security properties. Furthermore, this research will support the cross-disciplinary development of a diverse cohort of Ph.D. and undergraduate students, graduate-level courses, and a gamified training environment for workflow security analysis.This project defines the required security properties of CI workflows and develops methods to verify and specify these properties. This requires techniques that can work in a platform-independent manner to handle the diversity of CI platforms. The project handles this through indirection by designing Workflow Intermediate Representation (WIR) and Workflow Specification Language (WSL). WIR and WSL enable platform-agnostic verification and specification of workflow security properties, respectively. The verification of security properties will be performed through Workflow Analysis Framework (WAF) that supports both static and dynamic analysis passes over workflows encoded in a platform-agnostic WIR. WSL, a domain-specific language, allows developers to specify workflows and their security properties in a platform-independent manner. Designing an effective WSL requires understanding developers' perspectives and challenges in engineering workflows and specifying security properties. In this context, this project performs necessary developer studies to gain insights about the above aspects. The project also develops a bidirectional compilation infrastructure for translating workflows from WSL to platform-specific versions, enabling compatibility with existing platforms. Furthermore, the project also aims to create, collect, and catalog a large corpus of representative workflows across different platforms.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

持续集成 (CI) 已成为现代软件开发周期的关键。开发人员设计 CI 脚本（通常称为工作流或管道）来自动执行大多数软件维护任务，例如测试和部署。开发人员经常错误配置工作流程，从而导致严重的安全问题，这可能会产生破坏性影响，导致供应链攻击。 CI 平台的极端多样性和支持的功能进一步加剧了这个问题，并使跨不同 CI 平台统一指定和验证安全属性变得具有挑战性。该项目通过定义工作流所需的安全属性并开发独立于平台的技术来验证和强制执行安全属性来解决该问题。此外，这项研究将支持多元化博士群体的跨学科发展。本科生、研究生课程以及用于工作流安全分析的游戏化培训环境。该项目定义了 CI 工作流所需的安全属性，并开发了验证和指定这些属性的方法。这需要能够以独立于平台的方式工作的技术来处理 CI 平台的多样性。该项目通过设计工作流中间表示（WIR）和工作流规范语言（WSL）来间接处理这个问题。 WIR 和 WSL 分别支持与平台无关的验证和工作流安全属性规范。安全属性的验证将通过工作流分析框架 (WAF) 执行，该框架支持对平台无关的 WIR 中编码的工作流进行静态和动态分析。 WSL 是一种特定于域的语言，允许开发人员以独立于平台的方式指定工作流及其安全属性。设计有效的 WSL 需要了解开发人员在工程工作流程和指定安全属性方面的观点和挑战。在此背景下，该项目进行了必要的开发人员研究，以获得有关上述方面的见解。该项目还开发了一个双向编译基础设施，用于将工作流程从 WSL 转换为特定于平台的版本，从而实现与现有平台的兼容性。此外，该项目还旨在创建、收集和编目跨不同平台的代表性工作流程的大型语料库。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。