TY - GEN
T1 - Better Safe Than Sorry! Automated Identification of Functionality-Breaking Security-Configuration Rules
AU - Stockle, Patrick
AU - Sammereier, Michael
AU - Grobauer, Bernd
AU - Pretschner, Alexander
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, there exist security-configuration guides specifying in detail which values are secure. However, most administrators still refrain from hardening existing systems because the system functionality is feared to deteriorate if secure settings are applied. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality.This article presents our approach to use combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. The administrators can then apply only the unproblematic rules and, therefore, increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.
AB - Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, there exist security-configuration guides specifying in detail which values are secure. However, most administrators still refrain from hardening existing systems because the system functionality is feared to deteriorate if secure settings are applied. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality.This article presents our approach to use combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. The administrators can then apply only the unproblematic rules and, therefore, increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.
KW - Configuration Management
KW - Software Security
KW - Software Testing
UR - http://www.scopus.com/inward/record.url?scp=85165975662&partnerID=8YFLogxK
U2 - 10.1109/AST58925.2023.00013
DO - 10.1109/AST58925.2023.00013
M3 - Conference contribution
AN - SCOPUS:85165975662
T3 - Proceedings - 2023 IEEE/ACM International Conference on Automation of Software Test, AST 2023
SP - 90
EP - 100
BT - Proceedings - 2023 IEEE/ACM International Conference on Automation of Software Test, AST 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 4th IEEE/ACM International Conference on Automation of Software Test, AST 2023
Y2 - 15 May 2023 through 16 May 2023
ER -