Projects per year
Abstract
Infrastructure as Code is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work has therefore proposed static analyses that detect security smells in Infrastructure as Code files. However, they have so far remained at a shallow level, disregarding the control and data flow of the scripts under analysis, and may lack awareness of specific syntactic constructs. These limitations inhibit the quality of their results. To address these limitations, in this paper, we present GASEL, a novel security smell detector for the Ansible IaC language. It uses graph queries on program dependence graphs to detect 7 security smells. Our evaluation on an oracle of 243 real-world security smells and comparison against two state-of-the-art security smell detectors shows that awareness of syntax, control flow, and data flow enables our approach to substantially improve both precision and recall. We further question whether the additional effort required to develop and run such an approach is justified in practice. To this end, we investigate the prevalence of indirection through control and data flow in security smells across more than 15 000 Ansible scripts. We find that over 55% of security smells contain data-flow indirection, and over 32% require a whole-project analysis to detect. These findings motivate the need for deeper static analysis tools to detect security vulnerabilities in IaC.
Original language | English |
---|---|
Title of host publication | Proceedings of the 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR 2023) |
Publisher | IEEE |
Number of pages | 11 |
ISBN (Electronic) | 979-8-3503-1184-6 |
DOIs | |
Publication status | Published - 15 May 2023 |
Event | 20th International Conference on Mining Software Repositories - Melbourne Convention Exhibition Center, Melbourne, Australia Duration: 15 May 2023 → 16 May 2023 https://conf.researchr.org/home/msr-2023 |
Conference
Conference | 20th International Conference on Mining Software Repositories |
---|---|
Abbreviated title | MSR 2023 |
Country | Australia |
City | Melbourne |
Period | 15/05/23 → 16/05/23 |
Internet address |
Keywords
- Infrastructure as Code
- Ansible
- code smells
- security
- program dependence graph
- empirical study
Projects
- 2 Active
-
FWOSB103: Pattern Mining and Static Analysis for Detecting Defects in Infrastructure as Code
1/11/20 → 31/10/24
Project: Fundamental
-
VLAAI2: Subsidie Onderzoeksprogramma "Cybersecurity Initiative Flanders"
De Meuter, W., Devriese, D., Gonzalez Boix, E. & De Roover, C.
1/09/19 → 31/12/23
Project: Applied
Datasets
-
Replication package for "Control and Data Flow in Security Smell Detection for Infrastructure as Code: Is It Worth the Effort?"
Opdebeeck, R. (Creator), Zerouali, A. (Creator) & De Roover, C. (Supervisor), figshare, 15 Mar 2023
DOI: 10.6084/m9.figshare.21929856
Dataset
Activities
- 1 Talk or presentation at a conference
-
Control and Data Flow in Security Smell Detection for Infrastructure as Code: Is It Worth the Effort?
Ruben Opdebeeck (Speaker)
16 May 2023Activity: Talk or presentation › Talk or presentation at a conference
File