ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions
Authors: Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos and Aravind Machiry.
Venue: Proceedings of the USENIX Security Symposium
Abstract
Millions of software projects leverage automated workflows, like GitHub Actions, for performing common build and deploy tasks. While GitHub Actions have greatly improved the software build process for developers, they pose significant risks to the software supply chain by adding more dependencies and code complexity that may introduce security bugs. This paper presents ARGUS, the first static taint analysis system for identifying code injection vulnerabilities in GitHub Actions. We used ARGUS to perform a large-scale evaluation on 2,778,483 Workflows referencing 31,725 Actions and discovered critical code injection vulnerabilities in 4,307 Workflows and 80 Actions. We also directly compared ARGUS to two existing pattern-based GitHub Actions vulnerability scanners, demonstrating that our system exhibits a marked improvement in terms of vulnerability detection, with a discovery rate more than seven times (7x) higher than the state-of-the-art approaches. These results demonstrate that command injection vulnerabilities in the GitHub Actions ecosystem are not only pervasive but also require taint analysis to be detected.
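The kind of flow the abstract refers to, as an added illustration that is not ARGUS code or the paper's own: a small staged taint check over a job's parsed steps, showing why an untrusted context value that passes through an env var and a step output into a later `run:` script needs taint tracking rather than a pattern match on `github.event` in scripts. The untrusted-context list, the dict-shaped input and the `echo ... >> $GITHUB_OUTPUT` pattern are simplifying assumptions.

```python
import re

# Context expressions an external contributor can control (drawn from GitHub's own
# script-injection guidance); illustrative, not the source list ARGUS uses.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.comment.body",
    "github.event.head_commit.message", "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")            # ${{ expr }} in workflow text
SHELL_VAR = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")         # $NAME or ${NAME} in a script
OUTPUT_WRITE = re.compile(r'echo\s+"?([\w-]+)=([^\n]*?)"?\s*>>\s*"?\$GITHUB_OUTPUT')

def is_tainted(expr, tainted_outputs):
    return expr.startswith(UNTRUSTED_PREFIXES) or expr in tainted_outputs

def analyze_job(steps):
    """Return [(step label, expression)] for each tainted value expanded into a run: script."""
    tainted_outputs = set()   # "steps.<id>.outputs.<name>" values derived from untrusted input
    findings = []
    for step in steps:
        label = step.get("id") or step.get("name") or "<unnamed>"
        # An env var bound to untrusted data carries taint, but using it as "$VAR" is safe:
        # the shell sees a variable name, not attacker-supplied script text.
        tainted_env = {name for name, val in step.get("env", {}).items()
                       if any(is_tainted(e, tainted_outputs) for e in EXPR.findall(str(val)))}
        run = step.get("run", "")
        # Sink: ${{ }} is expanded into the script text before the shell parses it.
        for expr in EXPR.findall(run):
            if is_tainted(expr, tainted_outputs):
                findings.append((label, expr))
        # Propagation: an output written from tainted data taints steps.<id>.outputs.<name>,
        # so a later step expanding it is flagged even with no github.event.* in its run:.
        if "id" in step:
            for name, value in OUTPUT_WRITE.findall(run):
                if (any(is_tainted(e, tainted_outputs) for e in EXPR.findall(value))
                        or any(v in tainted_env for v in SHELL_VAR.findall(value))):
                    tainted_outputs.add(f"steps.{step['id']}.outputs.{name}")
    return findings

# Constructed sample job (already parsed from YAML into dicts): step "meta" handles the
# issue title safely via env, but "greet" then expands the tainted output into its script.
VULNERABLE_JOB = [
    {"id": "meta", "env": {"TITLE": "${{ github.event.issue.title }}"},
     "run": 'echo "title=$TITLE" >> "$GITHUB_OUTPUT"'},
    {"name": "greet", "run": 'echo "Processing ${{ steps.meta.outputs.title }}"'},
]
# Hardened form: untrusted values reach the shell only through env vars, never via ${{ }} in run:.
HARDENED_JOB = [
    VULNERABLE_JOB[0],
    {"name": "greet", "env": {"T": "${{ steps.meta.outputs.title }}"},
     "run": 'echo "Processing $T"'},
]
```

`analyze_job(VULNERABLE_JOB)` reports the `greet` step; the same check on `HARDENED_JOB` reports nothing.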
Bibtex
@inproceedings{mkn+23,
  author    = {Muralee, Siddharth and Koishybayev, Igibek and Nahapetyan, Aleksandr and Tystahl, Greg and Reaves, Brad and Bianchi, Antonio and Enck, William and Kapravelos, Alexandros and Machiry, Aravind},
  booktitle = {Proceedings of the {USENIX} Security Symposium},
  date      = {2023-08},
  title     = {{ARGUS}: A Framework for Staged Static Taint Analysis of {GitHub} Workflows and Actions},
}