DOI: 10.1145/3616131.3616142
Research article, open access

CACLE - Automated Mitigation for Misconfiguration Vulnerabilities in Cloud Systems

Published: 02 October 2023

Abstract

Recent studies have highlighted the increasing risk that user misconfiguration errors pose to cloud systems. This paper presents an evolutionary approach to identifying and mitigating such errors, the Configuration and Checking Logic Engine (CACLE). We demonstrate its effectiveness using test files from publicly available GitHub repositories. The results show that it is not only as effective as other solutions that check IaC templates, but also an order of magnitude faster than existing approaches.


Published In

ICCBDC '23: Proceedings of the 2023 7th International Conference on Cloud and Big Data Computing
August 2023, 101 pages
ISBN: 9798400707339
DOI: 10.1145/3616131
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Publisher

Association for Computing Machinery, New York, NY, United States


Additional Key Words and Phrases

  • cloud security
  • automated vulnerability mitigation
  • infrastructure as code
  • user misconfiguration errors

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICCBDC 2023
