Posse: Securing Open-Source Software Ecosystem
Advisor:
Description:
The high-level goal of the team is to secure an open-source software ecosystem using state-of-the-art tools and techniques. There are three main thrusts (i.e., groups) in this project:
Static Vulnerability Analysis:
Here, we focus on finding vulnerabilities using existing static analysis tools (i.e., scanners). Use existing scanners (CodeQL, alpha-omega analyzer) to find vulnerabilities in open-source projects. We may need to modify or customize existing tools to customize for each project.
Recommended Skills: Solid understanding of Security vulnerabilities and ability to work with open-source tools.
CI Best practices and hardening:
We focus on adding security hardening features into CI workflows in this thrust. Specifically, we will focus on adding vulnerability scanners, fuzzers, compiler hardening (stack overflow protection, RELRO, and other checksec type protections) to CI workflows.
We will also look into CI workflows and make sure that they follow best practices, i.e., minimal permissions for github tokens, using github actions by their commit tag, etc.
Recommended Skills:
Experience with GitHub Workflows, scripting, background in source control (pull requests, commits, issues, etc).
Relevant Technologies:
- Computer Security
- Vulnerability Detection
- Program Analysis.
Prerequisite Knowledge/Skills:
- Programming Experitise in C/C++, Scripting, Python, Automation, GitHub
Meeting time:
Mondays, 5:00 - 6:00 PM