Collaborative Research: SaTC: TTP: Small: eSLIC: Enhanced Security Static Analysis for Detecting Insecure Configuration Scripts
Basic information
- Award number: 2247141
- Principal investigator:
- Amount: $244,700
- Host institution:
- Host institution country: United States
- Program type: Standard Grant
- Fiscal year: 2022
- Funding country: United States
- Period: 2022-10-01 to 2024-09-30
- Status: Completed
- Source:
- Keywords:
Project summary
Information technology (IT) organizations manage infrastructure using configuration scripts. Configuration scripts help practitioners accomplish a wide range of jobs, including cloud computing, scientific research, and large-scale data analytics. Even though configuration scripts enable scalable and rapid delivery of software, security weaknesses in configuration scripts, such as hard-coded passwords, can result in security and privacy problems such as data breaches. Current research on configuration script security is limited in the types of problems it can detect, in preventing false positives, and in producing actionable results, all of which keep practitioners from acting on the identified security weaknesses and potentially leave computing systems open to attack. The project aims to address these limitations. Its novelty lies in techniques and tools that automatically detect security weaknesses in configuration scripts written in a wide range of languages heavily used in industry. The project's impacts relate to securing the national cyber infrastructure, educating the next-generation IT workforce on cybersecurity, and broadening participation through recruitment from underrepresented communities.
The project focuses on developing techniques and tools that automatically detect security weaknesses in configuration scripts written in a wide range of languages heavily used in industry. Three main tasks will be investigated. First, qualitative analysis is applied to derive a comprehensive list of security weaknesses for multiple configuration script languages, and static analysis techniques are devised to automatically identify each category of weakness. Next, grammar-based parsing and machine learning techniques are applied, evaluated, and integrated into the derived static analysis to reduce false positives. Finally, the development context of practitioners from the open source and proprietary domains will be systematically mined to generate actionable alerts and fix suggestions that enable practitioners to remediate security weaknesses. Alongside the three technical tasks, industry panels will be organized in which practitioners give feedback on the developed techniques and tools. Findings will be disseminated to government, industry and open source practitioners, and to students learning about configuration management in graduate and undergraduate cybersecurity courses. The project is expected to produce best practices for security code review, automated tools, and educational materials essential to secure configuration script development. As a transition-to-practice (TTP) project, it will facilitate collaboration with industry practitioners so that a comprehensive, holistic, practitioner-friendly security static analysis is achieved for secure configuration script development and management. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
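The first two tasks in the summary (a static check per weakness category, and parsing rules that cut false positives) as an added example that is not the eSLIC tool or any code from the project: a small Python scanner that flags hard-coded passwords and tokens in Ansible playbook and Puppet manifest attributes, while suppressing values that are only references (Jinja2 `{{ }}` expressions, `!vault` blobs, Puppet `$variables`, `lookup`/`hiera` calls, empty placeholders) and keys that merely name a file path. It uses simplified line-based pattern matching rather than the grammar-based parsing the project proposes, the key and reference patterns are the author's assumptions, and both sample scripts are constructed for illustration.

```python
"""Hard-coded secret detector for Ansible playbooks and Puppet manifests.

Added example for this page, not the eSLIC tool: a per-category static
check (hard-coded passwords/tokens) plus value-shape rules that suppress the
false positives a naive grep for "password" produces.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keys whose literal value would be a hard-coded secret (case-insensitive).
SECRET_KEY_RE = re.compile(
    r"(?i)(^|[_-])(password|passwd|pass|secret|token|api_?key|private_?key)($|[_-])")
# Keys that only point at secret material (paths, lengths, policies), not secrets.
NON_SECRET_SUFFIX_RE = re.compile(r"(?i)(_file|_path|_dir|_length|_policy)$")

# Attribute syntaxes handled: Ansible/YAML "key: value" and Puppet "key => value".
# Deliberately line-based; the project proposes grammar-based parsing instead.
ANSIBLE_ATTR_RE = re.compile(r"^\s*-?\s*([A-Za-z0-9_.-]+)\s*:\s*(.+?)\s*$")
PUPPET_ATTR_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=>\s*(.+?)\s*,?\s*$")

# Value shapes that are references or encrypted blobs rather than literals.
REFERENCE_RES = [
    re.compile(r"\{\{.*\}\}"),                 # Jinja2: "{{ vault_db_password }}"
    re.compile(r"^!vault\b"),                  # ansible-vault encrypted scalar
    re.compile(r"\$[A-Za-z_][A-Za-z0-9_:]*"),  # Puppet variable: $db_password
    re.compile(r"\b(lookup|hiera)\("),         # Puppet hiera/lookup calls
]


@dataclass(frozen=True)
class Finding:
    line: int
    key: str
    value: str


def _strip_quotes(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def is_secret_key(key: str) -> bool:
    return bool(SECRET_KEY_RE.search(key)) and not NON_SECRET_SUFFIX_RE.search(key)


def is_hardcoded_literal(value: str) -> bool:
    """True when the value is a concrete literal, not a reference or empty placeholder."""
    literal = _strip_quotes(value)
    if literal == "":
        return False
    return not any(r.search(literal) for r in REFERENCE_RES)


def _parse_attribute(line: str) -> Optional[Tuple[str, str]]:
    m = PUPPET_ATTR_RE.match(line) or ANSIBLE_ATTR_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def scan_script(text: str) -> List[Finding]:
    """One Finding per attribute with a secret-looking key and a literal value."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):      # full-line comment in YAML and Puppet
            continue
        parsed = _parse_attribute(raw)
        if parsed and is_secret_key(parsed[0]) and is_hardcoded_literal(parsed[1]):
            findings.append(Finding(lineno, parsed[0], _strip_quotes(parsed[1])))
    return findings


# Constructed sample inputs (not taken from any real repository).
SAMPLE_PLAYBOOK = """\
- name: Configure database host
  hosts: db
  vars:
    db_password: "{{ vault_db_password }}"
    admin_password: "Sup3rS3cret!"
    api_token: ""
    db_password_file: /run/secrets/db_password
    ansible_ssh_pass: "{{ lookup('env', 'SSH_PASS') }}"
  tasks:
    - name: Create app user
      mysql_user:
        name: app
        password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3836383663326539
"""

SAMPLE_MANIFEST = """\
class profile::db {
  $db_password = lookup('profile::db::password')
  mysql_user { 'app@localhost':
    ensure        => present,
    password_hash => mysql::password($db_password),
  }
  mysql_user { 'reporting@localhost':
    ensure        => present,
    password_hash => mysql::password('hunter2'),
  }
}
"""

if __name__ == "__main__":
    for label, script in (("playbook.yml", SAMPLE_PLAYBOOK), ("db.pp", SAMPLE_MANIFEST)):
        for f in scan_script(script):
            print(f"{label}:{f.line}: hard-coded secret in '{f.key}': {f.value}")
```

Run as a script it reports exactly one finding per sample (the literal `admin_password` in the playbook and the literal in `mysql::password('hunter2')` in the manifest); the vault-encrypted value, the Jinja2 and `$variable` references, the empty placeholder and the `_file` path are all suppressed. The reference rules are the precision lever the summary talks about: they trade some recall (a secret assembled by string concatenation or spread over a YAML block scalar is missed) for alerts a practitioner will actually act on.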
Project outputs
Journal articles (10)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Come for syntax, stay for speed, understand defects: an empirical study of defects in Julia programs
- DOI: 10.1007/s10664-023-10328-5
- Published: 2023-06
- Journal:
- Impact factor: 4.1
- Authors: A. Rahman; Dibyendu Brinto Bose; Raunak Shakya; Rahul Pandita
- Corresponding authors: A. Rahman; Dibyendu Brinto Bose; Raunak Shakya; Rahul Pandita
Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based Infrastructure Management
- DOI: 10.1109/tse.2023.3265962
- Published: 2023
- Journal:
- Impact factor: 7.4
- Authors: Rahman, Akond; Parnin, Chris
- Corresponding author: Parnin, Chris
Survey - Ansible Test Smell
- DOI: 10.6084/m9.figshare.21699269.v1
- Published: 2023
- Journal:
- Impact factor: 0
- Authors: Rahman, Akond
- Corresponding author: Rahman, Akond
Dataset - Defects in Ansible Infrastructure Orchestrator
- DOI: 10.6084/m9.figshare.21638090.v1
- Published: 2023
- Journal:
- Impact factor: 0
- Authors: Rahman, Akond
- Corresponding author: Rahman, Akond
Quality Assurance for Infrastructure Orchestrators: Emerging Results from Ansible
- DOI: 10.1109/icsa-c57050.2023.00073
- Published: 2023
- Journal:
- Impact factor: 0
- Authors: Zhang, Yue; Rahman, Muktadir; Wu, Fan; Rahman, Akond
- Corresponding author: Rahman, Akond
Other publications by Akond Ashfaque Rahman
Other grants of Akond Ashfaque Rahman
SHF: Small: Resilient Operations for Deployment Units Used in Container Orchestration
- Award number: 2312321
- Fiscal year: 2023
- Amount: $244,700
- Program type: Standard Grant
Authentic Learning Modules for DevOps Security Education
- Award number: 2310179
- Fiscal year: 2023
- Amount: $244,700
- Program type: Standard Grant
Authentic Learning Modules for DevOps Security Education
- Award number: 2209636
- Fiscal year: 2022
- Amount: $244,700
- Program type: Standard Grant
Collaborative Research: SaTC: TTP: Small: eSLIC: Enhanced Security Static Analysis for Detecting Insecure Configuration Scripts
- Award number: 2026869
- Fiscal year: 2020
- Amount: $244,700
- Program type: Standard Grant
Similar NSFC grants
Research on Quantum Field Theory without a Lagrangian Description
- Award number: 24ZR1403900
- Award year: 2024
- Amount: CNY 0
- Category: Provincial/municipal project
Cell Research
- Award number: 31224802
- Award year: 2012
- Amount: CNY 240,000
- Category: Special fund project
Cell Research
- Award number: 31024804
- Award year: 2010
- Amount: CNY 240,000
- Category: Special fund project
Cell Research
- Award number: 30824808
- Award year: 2008
- Amount: CNY 240,000
- Category: Special fund project
Research on the Rapid Growth Mechanism of KDP Crystal
- Award number: 10774081
- Award year: 2007
- Amount: CNY 450,000
- Category: General program
Similar overseas grants
Collaborative Research: SaTC: CORE: Medium: Using Intelligent Conversational Agents to Empower Adolescents to be Resilient Against Cybergrooming
- Award number: 2330940
- Fiscal year: 2024
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Differentially Private SQL with flexible privacy modeling, machine-checked system design, and accuracy optimization
- Award number: 2317232
- Fiscal year: 2024
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: NSF-BSF: SaTC: CORE: Small: Detecting malware with machine learning models efficiently and reliably
- Award number: 2338301
- Fiscal year: 2024
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Differentially Private SQL with flexible privacy modeling, machine-checked system design, and accuracy optimization
- Award number: 2317233
- Fiscal year: 2024
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: NSF-BSF: SaTC: CORE: Small: Detecting malware with machine learning models efficiently and reliably
- Award number: 2338302
- Fiscal year: 2024
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Using Intelligent Conversational Agents to Empower Adolescents to be Resilient Against Cybergrooming
- Award number: 2330941
- Fiscal year: 2024
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: SaTC: CORE: Small: Towards Secure and Trustworthy Tree Models
- Award number: 2413046
- Fiscal year: 2024
- Amount: $244,700
- Program type: Standard Grant
Collaborative Research: SaTC: EDU: RoCCeM: Bringing Robotics, Cybersecurity and Computer Science to the Middle School Classroom
- Award number: 2312057
- Fiscal year: 2023
- Amount: $244,700
- Program type: Standard Grant
Collaborative Research: SaTC: CORE: Small: Investigation of Naming Space Hijacking Threat and Its Defense
- Award number: 2317830
- Fiscal year: 2023
- Amount: $244,700
- Program type: Continuing Grant
Collaborative Research: SaTC: CORE: Small: Towards a Privacy-Preserving Framework for Research on Private, Encrypted Social Networks
- Award number: 2318843
- Fiscal year: 2023
- Amount: $244,700
- Program type: Continuing Grant