Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based Infrastructure Management
Despite being beneficial for managing computing infrastructure automatically, Puppet manifests are susceptible to security weaknesses, e.g., hard-coded secrets and use of weak cryptography algorithms. Adequate mitigation of security weaknesses in Puppet manifests is thus necessary to secure computing infrastructure that are managed with Puppet manifests. A characterization of how security weaknesses propagate and affect Puppet-based infrastructure management, can inform practitioners on the relevance of the detected security weaknesses, as well as help them take necessary actions for mitigation. To that end, we conduct an empirical study with 17,629 Puppet manifests mined from 336 open source repositories. We construct Taint Tracker for Puppet Manifests (TaintPup), for which we observe 2.4 times more precision compared to that of a state-of-the-art security static analysis tool. TaintPup leverages Puppet-specific information flow analysis using which we characterize propagation of security weaknesses. From our empirical study, we observe security weaknesses to propagate into 4,457 resources, i.e, Puppet-specific code elements used to manage infrastructure. A single instance of a security weakness can propagate into as many as 35 distinct resources. We observe security weaknesses to propagate into 7 categories of resources, which include resources used to manage continuous integration servers and network controllers. According to our survey with 24 practitioners, propagation of security weaknesses into data storage-related resources is rated to have the most severe impact for Puppet-based infrastructure management.
Wed 17 AprDisplayed time zone: Lisbon change
16:00 - 17:30 | Security 2Research Track / Software Engineering in Practice / Journal-first Papers / New Ideas and Emerging Results at Grande Auditório Chair(s): Diomidis Spinellis Athens University of Economics and Business & Delft University of Technology | ||
16:00 15mTalk | PonziGuard: Detecting Ponzi Schemes on Ethereum with Contract Runtime Behavior Graph (CRBG) Research Track Ruichao Liang Wuhan University, Jing Chen Wuhan University, Kun He Wuhan University, Yueming Wu Nanyang Technological University, Gelei Deng Nanyang Technological University, Ruiying Du Wuhan University, Cong Wu The University of Hong Kong | ||
16:15 15mTalk | FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level Fuzzing Research Track Aniruddhan Murali University of Waterloo, Noble Saji Mathews University of Waterloo, Canada, Mahmoud Alfadel University of Waterloo, Mei Nagappan University of Waterloo, Meng Xu University of Waterloo DOI Pre-print | ||
16:30 15mTalk | LibvDiff: Library Version Difference Guided OSS Version Identification in Binaries Research Track Chaopeng Dong University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, Siyuan Li University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, shouguo yang Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, Yang Xiao Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yongpan Wang University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Zhi Li Institute of Information Engineering, Chinese Academy of Sciences, China, Limin Sun Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, | ||
16:45 15mTalk | PrivacyCAT: Privacy-Aware Code Analysis at Scale Software Engineering in Practice Ke Mao Meta, Cons Ahs Meta, Sopot Cela Meta, Dino Distefano Meta, Nick Gardner Meta, Radu Grigore Meta, Per Gustafsson Meta, Ákos Hajdu Meta, Timotej Kapus Meta, Matteo Marescotti Meta, Gabriela Cunha Sampaio Meta, Thibault Suzanne Meta | ||
17:00 7mTalk | Software in the Manufacturing Industry: Emerging Security Challenge Areas for IIoT Platforms Software Engineering in Practice Yannick Landeck fortiss GmbH, Dian Balta fortiss GmbH, Martin Wimmer Siemens AG, Christian Knierim Siemens AG DOI | ||
17:07 7mTalk | Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based Infrastructure Management Journal-first Papers Link to publication DOI Pre-print | ||
17:14 7mTalk | Synthesis of Allowlists for Runtime Protection against SQLi New Ideas and Emerging Results Kostyantyn Vorobyov Oracle Labs, François Gauthier Oracle Labs, Paddy Krishnan Oracle Labs, Australia | ||