Software configurability opens the door to misconfiguration vulnerabilities, invalid settings that expose software weaknesses. Misconfiguration is one the top ten most critical security risks and the most common. This paper envisions a world without misconfiguration vulnerabilities through the use of automated reasoning techniques to infer and secure software configurations. Real-world software, however, often lacks an explicit specification of secure configurations, relying on hand-validation by users. Real-world systems comprise many individual highly-configurable software components, making the space of possible configurations for the whole system enormous. To realize our vision and overcome these challenges, we aim to create a rigorous definition of configuration specifications, use formal methods to mechanize the inference and generation of valid configurations, and develop algorithms to automatically secure against misconfiguration.

Paul Gazzillo is an Assistant Professor of Computer Science at University of Central Florida. He received his PhD from NYU and previously worked as a Post-Doc at Yale and a Research Scholar at Stevens Institute. His research aims to make it easier to develop safe and secure software, and it spans programming languages, security, software engineering, and systems. Projects include analysis of configurable systems, side-channel attack detection, and concurrent smart contracts. His work has been published in venues such as PLDI, ESEC/FSE, and ICSE and has been recognized with a SIGPLAN Research Highlight and an NSF CAREER award.