argus.html
<!doctype html>
<html>
<head>
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EER1LDV4TH"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-EER1LDV4TH');
</script>
<title>ARGUS</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="css/frame.css" media="screen" rel="stylesheet" type="text/css" />
<link href="css/controls.css" media="screen" rel="stylesheet" type="text/css" />
<link href="css/custom.css" media="screen" rel="stylesheet" type="text/css" />
<link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Open+Sans+Condensed:300,700' rel='stylesheet' type='text/css'>
<link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,700" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="js/menu.js"></script>
<style>
.menu-index {
color: rgb(255, 255, 255) !important;
opacity: 1 !important;
font-weight: 700 !important;
}
</style>
</head>
<body>
<div class="menu-container"></div>
<div class="content-container">
<div class="content">
<div class="content-table flex-column">
<!-------------------------------------------------------------------------------------------->
<!--Start Intro-->
<div class="flex-row">
<div class="flex-item flex-column">
<h2 class="add-top-margin">ARGUS Overview</h2>
<hr>
<p style="font-size:14pt;">
ARGUS is a groundbreaking static taint analysis system specifically designed to identify code injection vulnerabilities in GitHub Actions. It is the first of its kind, offering a unique approach to securing Continuous Integration/Continuous Deployment (CI/CD) pipelines.
</p>
<p style="font-size:14pt;">
The system operates by tracking the flow of untrusted data across workflows and their associated actions, thereby identifying potential vulnerabilities. ARGUS has been meticulously tested on a large scale, analyzing over 2.7 million workflows and more than 31,000 actions. The results of this evaluation revealed critical code injection vulnerabilities in thousands of workflows and actions, highlighting the pervasive nature of such vulnerabilities in the GitHub Actions ecosystem.
</p>
<p style="font-size:14pt;">
ARGUS not only outperforms existing pattern-based vulnerability scanners but also underscores the necessity of taint analysis for effective vulnerability detection. The development and implementation of ARGUS represent a significant stride towards enhancing the security of GitHub Actions and CI/CD pipelines at large.
</p>
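<p style="font-size:14pt;">
The kind of flow described above, as an added illustration that is not ARGUS's own code: a toy taint tracker for one workflow job. Untrusted expression contexts (issue and pull-request titles, bodies, branch names) are sources; a <code>run:</code> script is a sink because <code>${{ }}</code> expressions are substituted into the script text before the shell parses it. The tracker also follows a value through a step's <code>env:</code>, into <code>$GITHUB_OUTPUT</code>, and back out as <code>steps.&lt;id&gt;.outputs.&lt;name&gt;</code> in a later step, which is the cross-step flow a pattern scanner misses. The workflow is a constructed sample held in a plain dict (the shape <code>yaml.safe_load</code> would produce), so the example has no dependencies.
</p>

```python
"""Toy taint tracker for a GitHub Actions job (added example, not ARGUS code).

Sources : expression contexts an outside contributor controls.
Sinks   : `run:` scripts, since ${{ }} values are pasted into the script text.
Flows   : source -> step env -> $GITHUB_OUTPUT -> steps.<id>.outputs.<name> -> run.
"""
import re
from typing import Dict, List, Set

# Assumed list of attacker-controllable contexts (illustrative, not exhaustive).
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# `echo "name=value" >> $GITHUB_OUTPUT` (quotes optional) sets a step output.
OUTPUT_RE = re.compile(r'echo\s+"?([\w-]+)=(.*?)"?\s*>>\s*"?\$GITHUB_OUTPUT"?')
SHELL_VAR_RE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")


def tainted_expressions(text: str, tainted: Set[str]) -> List[str]:
    """Return the ${{ }} expressions in `text` that carry untrusted data."""
    return [e for e in EXPR_RE.findall(text)
            if e.startswith(UNTRUSTED_PREFIXES) or e in tainted]


def analyze_job(job: dict) -> List[Dict[str, str]]:
    """Walk the steps in order, propagating taint and reporting run-script sinks."""
    tainted: Set[str] = set()            # expressions known to hold untrusted data
    findings: List[Dict[str, str]] = []
    for step in job.get("steps", []):
        run = step.get("run")
        if run is None:
            continue
        label = step.get("name") or step.get("id") or "<unnamed>"
        # Sink: an untrusted expression interpolated into the script text itself.
        for expr in tainted_expressions(run, tainted):
            findings.append({"step": label, "expr": expr})
        # Env vars fed from tainted expressions hold tainted data, but reading
        # them as $VAR in the shell is safe: the value is never parsed as code.
        tainted_env = {var for var, val in step.get("env", {}).items()
                       if tainted_expressions(str(val), tainted)}
        # Propagation: an output built from tainted data taints
        # steps.<id>.outputs.<name> for every later step.
        step_id = step.get("id")
        if step_id:
            for name, value in OUTPUT_RE.findall(run):
                via_expr = bool(tainted_expressions(value, tainted))
                via_env = any(v in tainted_env for v in SHELL_VAR_RE.findall(value))
                if via_expr or via_env:
                    tainted.add(f"steps.{step_id}.outputs.{name}")
    return findings


# Constructed sample job: one direct injection, one cross-step injection,
# and the hardened form of each (value passed through an env var).
SAMPLE_JOB = {
    "runs-on": "ubuntu-latest",
    "steps": [
        {"name": "greet",
         "run": 'echo "New issue: ${{ github.event.issue.title }}"'},
        {"id": "meta", "name": "capture",
         "env": {"TITLE": "${{ github.event.issue.title }}"},
         "run": 'echo "title=$TITLE" >> "$GITHUB_OUTPUT"'},
        {"name": "label",
         "run": 'echo "Labeling: ${{ steps.meta.outputs.title }}"'},
        {"name": "label-safe",
         "env": {"TITLE": "${{ steps.meta.outputs.title }}"},
         "run": 'echo "Labeling: $TITLE"'},
    ],
}


def sample_findings() -> List[Dict[str, str]]:
    return analyze_job(SAMPLE_JOB)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"step {f['step']!r}: untrusted ${{{{ {f['expr']} }}}} in run script")
```

<p style="font-size:14pt;">
Running it reports the <code>greet</code> and <code>label</code> steps and stays silent on <code>capture</code> and <code>label-safe</code>: the same untrusted value is involved in all four, and only the order-aware propagation tells the injectable interpolations apart from the safe env-variable uses.
</p>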
<h2 class="add-top-margin">GitHub's Blog</h2>
<p style="font-size:14pt;">
GitHub published a <a href="https://github.blog/2023-08-09-four-tips-to-keep-your-github-actions-workflows-secure/" target="_blank">blog post</a> about our findings and also mentioned our tool. We are grateful for the support they provided throughout our research.
</p>
<h2 class="add-top-margin">Paper</h2>
<p style="font-size:14pt;">
<a href="https://www.usenix.org/conference/usenixsecurity23/presentation/muralee" target="_blank">Our paper</a> is accepted at USENIX Security '23.
</p>
<h2 class="add-top-margin">Code</h2>
<p style="font-size:14pt;">
Our tool is opensourced on <a href="https://github.com/purs3lab/ARGUS" target="_blank"> GitHub</a>. Please check out the repository for more details.
</p>
<h2 class="add-top-margin">PoCs</h2>
<p style="font-size:14pt;">
We have developed PoCs for some randomly picked vulnerable workflows. The PoCs are currently restricted to individuals whose identities we can verify, to prevent any misuse. If you are interested in obtaining the PoCs, please follow the steps mentioned <a href="dataset.html">here</a>. You can select the PoC option while filling out the form.
</p>
<h2 class="add-top-margin">Bibtex</h2>
<pre>
@inproceedings{muralee2023Argus,
title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions},
author={S. Muralee and I. Koishybayev and A. Nahapetyan and G. Tystahl and B. Reaves and A. Bianchi and W. Enck and
A. Kapravelos and A. Machiry},
booktitle={32nd USENIX Security Symposium (USENIX Security 23)},
year={2023},
}
</pre>
</div>
<!-- <div class="flex-item flex-column">
<p style="font-size:14pt;">Until now the following institutions were given access:</p>
<ol>
</ol>
</div> -->
</div>
<!--End Intro-->
<!-------------------------------------------------------------------------------------------->
<!--Start Team-->
<!-- <div class="flex-row">
<div class="flex-item flex-column">
<h2 class="add-top-margin">Team</h2>
<hr>
<p style="font-size:14pt;">
ARGUS is built by the <a href="https://purs3lab.github.io/" target="_blank">Purdue Systems and Software Security Lab (PurS3)</a> and <a href="https://pursec.cs.purdue.edu/" target="_blank"> PurSec Lab </a> at <a href="https://www2.purdue.edu/" target="_blank">Purdue University</a> <br/> and the <a href="https://wspr.csc.ncsu.edu/" target="_blank">Wolfpack Security and Privacy Research (WSPR)</a> lab at <a href="https://ncsu.edu" target="_blank"> North Carolina State University</a>.
</p>
<div align="center" display="flex">
<img src="./img/purdue.png" height = "120" alt="purdue" align="center" />
     
<img src="./img/ncsu.png" height = "125" alt="ncsu" align="center" />
</div>
</div>
</div> -->
<!--End Team-->
<!-------------------------------------------------------------------------------------------->
<!--Start Credits-->
<div class="flex-row">
<div class="flex-item flex-item-stretch flex-column">
<br /><br />
<p class="text text-small text-italic">
ARGUS | <span class="highlight-text">PurS3 Lab</span> at <span class="highlight-text">Purdue University</span> | <span class="highlight-text">PurSec Lab</span> at <span class="highlight-text">Purdue University</span> | <span class="highlight-text">WSPR Lab</span> at <span class="highlight-text">North Carolina State University</span>
</p>
</div>
</div>
<!--End Credits-->
<!-------------------------------------------------------------------------------------------->
</div>
</div>
</div>
</body>
</html>