ARGUS Overview
ARGUS is a groundbreaking static taint analysis system specifically designed to identify code injection vulnerabilities in GitHub Actions. It is the first of its kind, offering a unique approach to securing Continuous Integration/Continuous Deployment (CI/CD) pipelines.
The system operates by tracking the flow of untrusted data across workflows and their associated actions, thereby identifying potential vulnerabilities. ARGUS has been meticulously tested on a large scale, analyzing over 2.7 million workflows and more than 31,000 actions. The results of this evaluation revealed critical code injection vulnerabilities in thousands of workflows and actions, highlighting the pervasive nature of such vulnerabilities in the GitHub Actions ecosystem.
ARGUS not only outperforms existing pattern-based vulnerability scanners but also underscores the necessity of taint analysis for effective vulnerability detection. The development and implementation of ARGUS represent a significant stride towards enhancing the security of GitHub Actions and CI/CD pipelines at large.
Github's Blog
GitHub published a blog post about our findings and also mentioned our tool. We are grateful for the support provided by them throughout our research.
Paper
Our paper is accepted at USENIX Security '23.
Code
Our tool is opensourced on GitHub. Please check out the repository for more details.
PoCs
We have developed PoCs for some randomly picked vulnerable workflows. The PoCs are currently restricted to induviduals who's identities we can verfiy, to prevent any misuse. If you are interested in obtaining the PoCs, please follow the steps mentioned here. You can select the PoC option while filling the form.
Bibtex
@inproceedings{muralee2023Argus, title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions}, author={S. Muralee, I. Koishybayev, A. Nahapetyan, G. Tystahl, B. Reaves, A. Bianchi, W. Enck, A. Kapravelos, A. Machiry}, booktitle={32st USENIX Security Symposium (USENIX Security 23)}, year={2023}, }
ARGUS | PurS3 Lab at Purdue University | PurSec Lab at Purdue University | WSPR Lab at North Carolina State University