Collaborative Research: SaTC: CORE: Medium: Securing Continuous Integration Workflows
North Carolina State University, Raleigh NC
Investigators
Abstract
Continuous Integration (CI) has become essential to the modern software development cycle. Developers engineer CI scripts, commonly called workflows or pipelines, to automate most software maintenance tasks, such as testing and deployment. Developers frequently misconfigure workflows, introducing severe security issues that can have devastating effects and result in supply-chain attacks. The extreme diversity of CI platforms and their supported features further exacerbates the problem and makes it challenging to specify and verify security properties uniformly across different CI platforms. This project addresses the problem by defining the desired security properties of a workflow and developing platform-independent techniques to verify and enforce those properties. Furthermore, this research will support the cross-disciplinary development of a diverse cohort of Ph.D. and undergraduate students, graduate-level courses, and a gamified training environment for workflow security analysis.
This project defines the required security properties of CI workflows and develops methods to verify and specify these properties. This requires techniques that work in a platform-independent manner to handle the diversity of CI platforms. The project handles this through indirection by designing a Workflow Intermediate Representation (WIR) and a Workflow Specification Language (WSL). WIR and WSL enable platform-agnostic verification and specification of workflow security properties, respectively. Verification of security properties will be performed through a Workflow Analysis Framework (WAF) that supports both static and dynamic analysis passes over workflows encoded in the platform-agnostic WIR. WSL, a domain-specific language, allows developers to specify workflows and their security properties in a platform-independent manner.
Designing an effective WSL requires understanding developers' perspectives and challenges in engineering workflows and specifying security properties. To that end, the project performs the necessary developer studies to gain insight into these aspects. The project also develops a bidirectional compilation infrastructure for translating workflows from WSL to platform-specific versions, enabling compatibility with existing platforms. The project also aims to create, collect, and catalog a large corpus of representative workflows across different platforms.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.