Enhancing configuration security with heterogeneous read points


Research field: Verification



Venue: Journal of Cloud Computing


Abstract

Configuration files are widely used for customizing the status and behavior of cloud systems without modifying source code. The configurable system performs flexibly to meet different requirements. Several security risks come with the flexibility, since the configuration files are directly accessible to users. In this work, we propose config-flow analysis to locate suspicious usage and design three types of code-level heterogeneous operations to build security protection for related read points. The config-flow analysis can address the propagation of configuration options and further help to boost configuration security from read points to the end of usage sequence. For the three types of commonly used configuration files, i.e., key-value pairs, serialization data, and scripts, we evaluated the effectiveness of read point identification and heterogeneous operations on 14 open-source projects. The experimental results show that the overall precision of file and option read point identification is 97% and 96%, and our approach can ensure projects keep security against configuration-related vulnerabilities with acceptable performance loss.


Author Profile
Xianglong Kong

Purple Mountain Laboratories Nanjing 211111 China

China
Author Profile
Qiyu Liu

Purple Mountain Laboratories Nanjing 211111 China

China
Author Profile
Wei Huang

School of Cyber Science and Engineering Southeast University Nanjing 211189 China

Andorra

Paper information

Publication year: 2025
Citations: 0
Publication country: Andorra, China
Site: Springer