Overview
Continuous Integration (CI) has become essential to the modern software development cycle. Developers engineer CI scripts, commonly called workflows or pipelines, to automate most software maintenance tasks, such as testing and deployment.
Developers frequently misconfigure workflows, resulting in severe security issues that can have devastating effects, including supply-chain attacks. The extreme diversity of CI platforms and the features they support further exacerbates the problem and makes it challenging to specify and verify security properties uniformly across different CI platforms. In this area, we aim to address the problem by defining the desired security properties of a workflow and developing platform-independent techniques to verify and enforce those properties.
Projects
ARGUS
ARGUS is a groundbreaking static taint analysis system specifically designed to identify code injection vulnerabilities in GitHub Actions. It is the first of its kind, offering a unique approach to securing Continuous Integration/Continuous Deployment (CI/CD) pipelines.
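To make the class of bug ARGUS targets concrete, here is an added illustration that is not part of the ARGUS project or its code: a deliberately simplified, purely syntactic scanner that flags attacker-controllable GitHub expression contexts (the ones GitHub's own security-hardening guidance lists, such as issue titles, PR bodies and head refs) when they are interpolated directly into a `run:` step, which is the expression-injection pattern a static taint analysis would track as a source flowing to a shell sink. The two embedded workflows are constructed samples: the first interpolates untrusted input into the shell, the second passes the same values through `env:` so the shell receives them as data rather than as script text. The context list and the line-oriented YAML handling (no indentation indicators, no flow-style steps) are assumptions made for this example.

```python
import re

# Expression contexts GitHub documents as attacker-controllable when
# interpolated into a `run:` step. Constructed list for this example;
# a real analysis would model sources and sinks far more completely.
UNTRUSTED_CONTEXTS = (
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.review_comment\.body",
    r"github\.event\.pages\.[^}]*\.page_name",
    r"github\.event\.commits\.[^}]*\.message",
    r"github\.event\.head_commit\.message",
    r"github\.event\.head_commit\.author\.(email|name)",
    r"github\.event\.commits\.[^}]*\.author\.(email|name)",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.pull_request\.head\.label",
    r"github\.event\.pull_request\.head\.repo\.default_branch",
    r"github\.head_ref",
)
UNTRUSTED_RE = re.compile(r"\$\{\{\s*(" + "|".join(UNTRUSTED_CONTEXTS) + r")\s*\}\}")
RUN_KEY_RE = re.compile(r"(-\s+)?run:\s*(.*)$")
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}


def find_injection_sinks(workflow_text):
    """Return [(line_number, expression)] for every untrusted expression that
    appears inside a `run:` step (one-line or block scalar). Expressions in
    `env:` or elsewhere are not reported: there they are data, not script."""
    findings = []
    in_run_block = False
    run_indent = 0
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run_block:
            # A non-blank line indented at or above the `run` key ends the block.
            if stripped and indent <= run_indent:
                in_run_block = False
            else:
                findings.extend((lineno, m.group(0)) for m in UNTRUSTED_RE.finditer(line))
                continue
        m = RUN_KEY_RE.match(stripped)
        if not m:
            continue
        prefix, rest = m.group(1) or "", m.group(2).rstrip()
        if rest in BLOCK_INDICATORS:
            in_run_block = True
            run_indent = indent + len(prefix)   # indent of the `run` key itself
        else:
            findings.extend((lineno, x.group(0)) for x in UNTRUSTED_RE.finditer(rest))
    return findings


# Constructed sample: untrusted issue fields interpolated straight into the shell.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - run: echo "${{ github.event.issue.body }}" > body.txt
"""

# Constructed sample: same values routed through `env:`, so the shell sees
# them only as variable contents, never as part of the script text.
HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          TITLE: ${{ github.event.issue.title }}
          BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $TITLE"
          echo "$BODY" > body.txt
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_injection_sinks(text))
```

Running the block reports the two interpolations in the vulnerable workflow (lines 11 and 12 of that sample) and nothing for the hardened one. The check is intentionally shallow: it does not follow values through `steps.*.outputs`, composite actions or reusable workflows, which is exactly the inter-step data flow that a real taint analysis over GitHub Actions has to model.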
LLM4GW
LLM4GW is the first comprehensive study to assess how effective Large Language Models (LLMs) are for tasks related to GitHub workflows.
Team
Our projects are built by the Purdue Systems and Software Security Lab (PurS3) and PurSec Lab at Purdue University and the Wolfpack Security and Privacy Research (WSPR) lab at North Carolina State University.
Funding
We are grateful to the following sources for funding the projects.