MSR 2023
Dates to be announced Melbourne, Australia
co-located with ICSE 2023
Tue 16 May 2023 13:57 - 14:09 at Meeting Room 110 - Software Quality Chair(s): Tushar Sharma

Infrastructure as Code is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work has therefore proposed static analyses that detect security smells in Infrastructure as Code files. However, they have so far remained at a shallow level, disregarding the control and data flow of the scripts under analysis, and may lack awareness of specific syntactic constructs. These limitations inhibit the quality of their results. To address these limitations, in this paper, we present GASEL, a novel security smell detector for the Ansible IaC language. It uses graph queries on program dependence graphs to detect 7 security smells. Our evaluation on an oracle of 243 real-world security smells and comparison against two state-of-the-art security smell detectors shows that awareness of syntax, control flow, and data flow enables our approach to substantially improve both precision and recall. We further question whether the additional effort required to develop and run such an approach is justified in practice. To this end, we investigate the prevalence of indirection through control and data flow in security smells across more than 15 000 Ansible scripts. We find that over 55% of security smells contain data-flow indirection, and over 32% require a whole-project analysis to detect. These findings motivate the need for deeper static analysis tools to detect security vulnerabilities in IaC.
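The abstract's central claim is that a detector which ignores control and data flow misses smells whose sensitive value arrives through variable indirection. The following is an added illustration, not GASEL and not code from the paper or its authors: a toy data-flow-aware check for one commonly cited Ansible smell, a hard-coded secret reaching a sensitive module parameter (the choice of this smell is an assumption; the paper does not list its seven smells here). The playbook is a constructed, already-parsed structure (the shape PyYAML would produce for a `.yml` file), and the `resolve` routine follows bare `{{ var }}` references through the play's `vars` while treating lookups and filtered expressions as unknown sources.

```python
import re

# Constructed sample playbook, already parsed into Python objects. Not from any real project.
# It contains one secret that reaches `password` through two hops of variable indirection,
# one secret written directly at the parameter, and one value that comes from a lookup
# (an environment variable), which a flow-aware detector must NOT flag.
PLAYBOOK = [
    {
        "hosts": "db",
        "vars": {
            "db_user": "app",
            "db_secret": "hunter2",                          # hard-coded literal
            "db_pass": "{{ db_secret }}",                    # indirection, hop 1
            "api_key": "{{ lookup('env', 'API_KEY') }}",     # non-literal source
        },
        "tasks": [
            {"name": "create user",
             "mysql_user": {"name": "{{ db_user }}", "password": "{{ db_pass }}"}},
            {"name": "rotate token",
             "uri": {"url": "https://example.invalid", "body": {"token": "{{ api_key }}"}}},
            {"name": "direct",
             "mysql_user": {"name": "root", "password": "changeme"}},
        ],
    }
]

# Parameter names treated as sensitive (assumption for this example, not the paper's list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token"}

# Matches a template that is exactly one bare variable reference, e.g. "{{ db_pass }}".
TEMPLATE_RE = re.compile(r"^\s*\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}\s*$")


def resolve(value, scope, depth=0, seen=frozenset()):
    """Follow bare `{{ var }}` references through `scope` (the play's vars).

    Returns (final_value, hops, is_literal). A value containing template syntax
    that is not a bare variable (lookup(), filters) is reported as non-literal,
    because its runtime content is unknown to a static analysis.
    """
    if not isinstance(value, str):
        return value, depth, False
    match = TEMPLATE_RE.match(value)
    if not match:
        return value, depth, "{{" not in value
    name = match.group(1)
    if name in seen or name not in scope:      # cycle or undefined variable: give up
        return value, depth, False
    return resolve(scope[name], scope, depth + 1, seen | {name})


def walk(args):
    """Yield (key, value) pairs from a nested module-argument dict."""
    for key, value in args.items():
        yield key, value
        if isinstance(value, dict):
            yield from walk(value)


def find_hardcoded_secrets(playbook):
    """Flow-aware check: report sensitive parameters whose resolved value is a literal."""
    findings = []
    for play in playbook:
        scope = play.get("vars", {})
        for task in play.get("tasks", []):
            for module, args in task.items():
                if module == "name" or not isinstance(args, dict):
                    continue
                for key, value in walk(args):
                    if key.lower() not in SENSITIVE_KEYS:
                        continue
                    final, hops, literal = resolve(value, scope)
                    if literal:
                        findings.append({"task": task["name"], "param": key,
                                         "hops": hops, "value": final})
    return findings


def find_hardcoded_secrets_shallow(playbook):
    """What a detector that ignores data flow sees: only literals written at the parameter."""
    return [f for f in find_hardcoded_secrets(playbook) if f["hops"] == 0]


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(PLAYBOOK):
        print(finding)
    print("shallow detector finds:", len(find_hardcoded_secrets_shallow(PLAYBOOK)))
```

On the constructed playbook the flow-aware check reports two findings (the `create user` task at two hops and the `direct` task at zero hops) and stays silent on the `rotate token` task, whose value originates in a lookup; the shallow variant reports only the `direct` task. This is a single-file, single-play resolver; the abstract's whole-project figure (over 32% of smells) concerns indirection across roles and included files, which would require resolving variables over several files rather than one `vars` block.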

Tue 16 May

Displayed time zone: Hobart

13:45 - 14:30
Software Quality: Data and Tool Showcase Track / Technical Papers at Meeting Room 110
Chair(s): Tushar Sharma Dalhousie University
13:45
12m
Talk
Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks
Technical Papers
Ahmed Zerouali Vrije Universiteit Brussel, Ruben Opdebeeck Vrije Universiteit Brussel, Coen De Roover Vrije Universiteit Brussel
Pre-print
13:57
12m
Talk
Control and Data Flow in Security Smell Detection for Infrastructure as Code: Is It Worth the Effort?
Technical Papers
Ruben Opdebeeck Vrije Universiteit Brussel, Ahmed Zerouali Vrije Universiteit Brussel, Coen De Roover Vrije Universiteit Brussel
Pre-print
14:09
12m
Talk
Method Chaining Redux: An Empirical Study of Method Chaining in Java, Kotlin, and Python
Technical Papers
Ali Keshk University of Nebraska-Lincoln, Robert Dyer University of Nebraska-Lincoln
Pre-print Media Attached
14:21
6m
Talk
Snapshot Testing Dataset
Data and Tool Showcase Track
Emily Bui Loyola University Maryland, Henrique Rocha Loyola University Maryland, USA