Inferring and Securing Software Configurations using Automated Reasoning
Software configurability opens the door to misconfiguration vulnerabilities, invalid settings that expose software weaknesses. Misconfiguration is one the top ten most critical security risks and the most common. This paper envisions a world without misconfiguration vulnerabilities through the use of automated reasoning techniques to infer and secure software configurations. Real-world software, however, often lacks an explicit specification of secure configurations, relying on hand-validation by users. Real-world systems comprise many individual highly-configurable software components, making the space of possible configurations for the whole system enormous. To realize our vision and overcome these challenges, we aim to create a rigorous definition of configuration specifications, use formal methods to mechanize the inference and generation of valid configurations, and develop algorithms to automatically secure against misconfiguration.
Paul Gazzillo is an Assistant Professor of Computer Science at University of Central Florida. He received his PhD from NYU and previously worked as a Post-Doc at Yale and a Research Scholar at Stevens Institute. His research aims to make it easier to develop safe and secure software, and it spans programming languages, security, software engineering, and systems. Projects include analysis of configurable systems, side-channel attack detection, and concurrent smart contracts. His work has been published in venues such as PLDI, ESEC/FSE, and ICSE and has been recognized with a SIGPLAN Research Highlight and an NSF CAREER award.
Tue 10 Nov Times are displayed in time zone: (UTC) Coordinated Universal Time change
17:00 - 17:30: ConfigurationPaper Presentations / Research Papers / Visions and Reflections at Virtual room 1 | |||
17:00 - 17:02 Talk | Configuration Smells in Continuous Delivery Pipelines: A Linter and a Six-Month Study on GitLab Research Papers Carmine VassalloUniversity of Zurich, Switzerland, Sebastian ProkschDelft University of Technology, Netherlands, Anna JancsoUniversity of Zurich, Switzerland, Harald GallUniversity of Zurich, Switzerland, Massimiliano Di PentaUniversity of Sannio, Italy DOI Pre-print | ||
17:03 - 17:04 Talk | Dimensions of Software Configuration: On the Configuration Context in Modern Software Development Research Papers Norbert SiegmundLeipzig University, Nicolai RuckelBauhaus-University Weimar, Janet SiegmundTU Chemnitz, Germany DOI | ||
17:05 - 17:06 Talk | Global Cost/Quality Management across Multiple Applications Research Papers Liu LiuRutgers University, USA, Sibren IsaacmanLoyola University Maryland, USA, Uli KremerRutgers University, USA DOI | ||
17:07 - 17:08 Talk | Inferring and Securing Software Configurations using Automated Reasoning Visions and Reflections Paul GazzilloUniversity of Central Florida DOI | ||
17:09 - 17:10 Talk | Understanding and Discovering Software Configuration Dependencies in Cloud and Datacenter Systems Research Papers Qingrong ChenUniversity of Illinois at Urbana-Champaign, USA, Teng WangNational University of Defense Technology, China, Owolabi LegunsenCornell University, Shanshan LiNational University of Defense Technology, China, Tianyin XuUniversity of Illinois at Urbana-Champaign, USA DOI | ||
17:11 - 17:30 Talk | Conversations on Configuration Paper Presentations Carmine VassalloUniversity of Zurich, Switzerland, Liu LiuRutgers University, Nicolai RuckelBauhaus-University Weimar, Paul GazzilloUniversity of Central Florida, Qingrong ChenUniversity of Illinois at Urbana-Champaign, USA, M: Sarah NadiUniversity of Alberta |