Information technology (IT) organizations manage infrastructure using configuration scripts. Configuration scripts help practitioners to accomplish a wide range of jobs, including cloud computing, scientific research, and large-scale data analytics. Even though configuration scripts enable scalable and rapid delivery of software, security weaknesses in configuration scripts, such as hard-coded passwords, can result in security and privacy problems such as data breaches. Current research of configuration script security is limited in finding types of problems that can be detected, preventing false positives, and enabling actionability—all of which prohibits practitioners to take actions on the identified security weaknesses, potentially leaving computing systems open to security attacks. The project aims to address these limitations. The project’s novelties are development of techniques and tools that will automatically detect security weaknesses in configuration scripts developed using a wide range of languages, heavily used in industry. The project's impacts are related to securing the national cyber infrastructure, educating the next generation IT workforce on cybersecurity, and broadening of participation through recruitment of underrepresented communities.
The project will focus on the development of techniques and tools that will automatically detect security weaknesses in configuration scripts developed using a wide range of languages heavily used in industry. Three main tasks will be investigated for this project. First, qualitative analysis is applied in order to determine a comprehensive list of security weaknesses for multiple configuration script languages, and devise static analysis techniques for automatically identifying each category of security weakness. Next, grammar-based parsing and machine learning techniques are applied, evaluated, and integrated into the derived static analysis so that false positives are reduced. Finally, the development context of practitioners from the open source and proprietary domain will be systematically mined to generate actionable alerts and suggestions, which will enable practitioners to fix security weaknesses. Along with the three technical tasks, industry panels will be organized, where practitioners from industry will give feedback on the developed techniques and tools. Findings from the project will be disseminated to government, industry and open source practitioners, as well as to students who are learning about configuration management in graduate and undergraduate level courses related to cybersecurity. The project is expected to generate best practices for security code review, automated tools, and education materials essential to secure configuration script development. As a transition to practice (TTP) project, it will facilitate collaboration with industry practitioners, so that a comprehensive, holistic, practitioner-friendly security static analysis is achieved to secure configuration script development and management.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
