Collaborative Research: SaTC: TTP: Small: eSLIC: Enhanced Security Static Analysis for Detecting Insecure Configuration Scripts

协作研究：SaTC：TTP：小型：eSLIC：用于检测不安全配置脚本的增强安全静态分析

• 批准号: 2026928
• 负责人: Marcelo d'Amorim
• 金额: $ 20万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2026928&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; TTP; Small

Information technology (IT) organizations manage infrastructure using configuration scripts. Configuration scripts help practitioners to accomplish a wide range of jobs, including cloud computing, scientific research, and large-scale data analytics. Even though configuration scripts enable scalable and rapid delivery of software, security weaknesses in configuration scripts, such as hard-coded passwords, can result in security and privacy problems such as data breaches. Current research of configuration script security is limited in finding types of problems that can be detected, preventing false positives, and enabling actionability—all of which prohibits practitioners to take actions on the identified security weaknesses, potentially leaving computing systems open to security attacks. The project aims to address these limitations. The project’s novelties are development of techniques and tools that will automatically detect security weaknesses in configuration scripts developed using a wide range of languages, heavily used in industry. The project's impacts are related to securing the national cyber infrastructure, educating the next generation IT workforce on cybersecurity, and broadening of participation through recruitment of underrepresented communities. The project will focus on the development of techniques and tools that will automatically detect security weaknesses in configuration scripts developed using a wide range of languages heavily used in industry. Three main tasks will be investigated for this project. First, qualitative analysis is applied in order to determine a comprehensive list of security weaknesses for multiple configuration script languages, and devise static analysis techniques for automatically identifying each category of security weakness. Next, grammar-based parsing and machine learning techniques are applied, evaluated, and integrated into the derived static analysis so that false positives are reduced. Finally, the development context of practitioners from the open source and proprietary domain will be systematically mined to generate actionable alerts and suggestions, which will enable practitioners to fix security weaknesses. Along with the three technical tasks, industry panels will be organized, where practitioners from industry will give feedback on the developed techniques and tools. Findings from the project will be disseminated to government, industry and open source practitioners, as well as to students who are learning about configuration management in graduate and undergraduate level courses related to cybersecurity. The project is expected to generate best practices for security code review, automated tools, and education materials essential to secure configuration script development. As a transition to practice (TTP) project, it will facilitate collaboration with industry practitioners, so that a comprehensive, holistic, practitioner-friendly security static analysis is achieved to secure configuration script development and management.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

信息技术(IT)组织使用配置脚本管理基础设施。配置脚本可帮助从业者完成广泛的工作，包括云计算、科学研究和大规模数据分析。尽管配置脚本能够实现可扩展和快速的软件交付，但配置脚本中的安全漏洞(如硬编码密码)可能会导致安全和隐私问题，如数据泄露。当前对配置脚本安全的研究仅限于发现可以检测到的问题类型、防止误报和实现可操作性-所有这些都禁止实践者对已识别的安全弱点采取行动，从而可能使计算系统面临安全攻击。该项目旨在解决这些限制。该项目的创新之处在于开发了技术和工具，这些技术和工具将自动检测使用广泛的语言开发的配置脚本中的安全漏洞，这些语言在工业中广泛使用。该项目的影响涉及确保国家网络基础设施的安全，教育下一代信息技术工作人员有关网络安全的知识，并通过招募代表性不足的社区扩大参与。该项目将侧重于开发技术和工具，以自动检测使用工业中广泛使用的各种语言开发的配置脚本中的安全漏洞。该项目将调查三项主要任务。首先，应用定性分析来确定多个配置脚本语言的安全弱点的全面列表，并设计静态分析技术来自动识别每一类安全弱点。接下来，应用、评估基于语法的分析和机器学习技术，并将其集成到派生的静态分析中，以减少误报。最后，将系统地挖掘来自开源和专有领域的从业者的开发环境，以生成可操作的警报和建议，从而使从业者能够修复安全弱点。除了三项技术任务外，还将组织行业小组，来自行业的从业者将就开发的技术和工具提供反馈。该项目的发现将传播给政府、行业和开源从业者，以及正在研究生和本科生水平的与网络安全相关的课程中学习配置管理的学生。该项目预计将为安全代码审查、自动化工具和安全配置脚本开发所必需的教育材料生成最佳实践。作为一个过渡到实践(TTP)项目，它将促进与行业从业者的合作，从而实现全面、全面、从业者友好的安全静态分析，以确保配置脚本的开发和管理。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。