GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as CodeVirtual
Infrastructure as Code (IaC) is the process of managing IT infrastructure via programmable configuration files (also called IaC scripts). Like other software artefacts, IaC scripts may contain security smells, which are coding patterns that can result in security weaknesses. Automated analysis tools to detect security smells in IaC scripts exist, but they focus on specific technologies such as Puppet, Ansible, or Chef. This means that when the detection of a new smell is implemented in one of the tools, it is not immediately available for the technologies supported by the other tools — the only option is to duplicate the effort.
This paper presents GLITCH, a new technology-agnostic framework that enables automated polyglot smell detection by transforming IaC scripts into an intermediate representation, on which different security smell detectors can be defined. GLITCH currently supports the detection of nine different security smells in scripts written in Puppet, Ansible, or Chef. We compare GLITCH with state-of-the-art security smell detectors. The results obtained not only show that GLITCH can reduce the effort of writing security smell analyses for multiple IaC technologies, but also that it has higher precision and recall than the current state-of-the-art tools.
Wed 12 OctDisplayed time zone: Eastern Time (US & Canada) change
13:30 - 15:30 | Technical Session 16 - Software VulnerabilitiesResearch Papers / Journal-first Papers at Gold A Chair(s): Mohamed Wiem Mkaouer Rochester Institute of Technology | ||
13:30 20mResearch paper | Data Leakage in Notebooks: Static Detection and Better Processes Research Papers Chenyang Yang , Rachel A Brower-Sinning Carnegie Mellon Software Engineering Institute, Grace Lewis Carnegie Mellon Software Engineering Institute, Christian Kästner Carnegie Mellon University | ||
13:50 20mResearch paper | GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as CodeVirtual Research Papers Nuno Saavedra INESC-ID and IST, University of Lisbon, João F. Ferreira INESC-ID and IST, University of Lisbon Pre-print | ||
14:10 20mPaper | SafeDrop: Detecting Memory Deallocation Bugs of Rust Programs via Static Data-Flow AnalysisVirtual Journal-first Papers Mohan Cui Fudan University, Chengjun Chen Fudan University, Hui Xu Fudan University, Yangfan Zhou Fudan University | ||
14:30 20mResearch paper | Precise (Un)Affected Version Analysis for Web VulnerabilitiesVirtual Research Papers ShiYoukun Fudan University, Yuan Zhang Fudan University, Tianhan Luo Fudan University, Xiangyu Mao Fudan University, Min Yang Fudan University | ||
14:50 20mResearch paper | Leveraging Practitioners' Feedback to Improve a Security LinterVirtual Research Papers Sofia Reis Instituto Superior Técnico, U. Lisboa & INESC-ID, Rui Abreu Faculty of Engineering, University of Porto, Portugal, Marcelo d'Amorim Federal University of Pernambuco, Daniel Fortunato INESC-ID, University of Porto | ||
15:10 20mResearch paper | Insight: Exploring Cross-Ecosystem Vulnerability ImpactsVirtual Research Papers Meiqiu Xu Northeastern University, China, Ying Wang Northeastern University, China, Shing-Chi Cheung Hong Kong University of Science and Technology, Hai Yu Northeastern University, China, Zhiliang Zhu Northeastern University, China | ||