
Do Not Blame Users for Misconfigurations

Abstract

Similar to software bugs, configuration errors are one of the major causes of today's system failures. Many configuration issues manifest themselves in ways similar to software bugs, such as crashes, hangs, and silent failures. This leaves users clueless and forces them to report to developers for technical support, wasting not only users' but also developers' precious time and effort. Unfortunately, unlike software bugs, many software developers take a much less active, responsible role in handling configuration errors because "they are users' faults." This paper argues that software developers should take an active role in handling misconfigurations. It also makes a concrete first step towards this goal by providing tooling support to help developers improve their configuration design and harden their systems against configuration errors. Specifically, we build a tool, called SPEX, to automatically infer configuration requirements (referred to as constraints) from software source code, and then use the inferred constraints to: (1) expose misconfiguration vulnerabilities (i.e., bad system reactions to configuration errors such as crashes, hangs, and silent failures); and (2) detect certain types of error-prone configuration design and handling. We evaluate SPEX with one commercial storage system and six open-source server applications. SPEX automatically infers a total of 3800 constraints for more than 2500 configuration parameters. Based on these constraints, SPEX further detects 743 various misconfiguration vulnerabilities and at least 112 error-prone constraints in the latest versions of the evaluated systems. To this day, 364 vulnerabilities and 80 inconsistent con-

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Copyright is held by the Owner/Author(s)
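As an added illustration (not part of the paper and not SPEX's code), the following Python sketch mirrors the workflow the abstract describes: constraints on a hypothetical server's parameters are used to derive violating values, each value is injected into an otherwise valid configuration, and the system's reaction is classified as a proper rejection, a crash, or silent acceptance. The parameter names, constraints and configurations are constructed examples, and the "naive" versus "hardened" startup routines stand in for a system before and after the developer adds constraint checks.

```python
# Constructed constraints for a hypothetical server: (parameter, kind, spec).
# A tool like SPEX would infer these from how the source code parses and uses each value.
CONSTRAINTS = [
    ("worker_threads", "int_range", (1, 1024)),                 # spec = (lo, hi)
    ("log_level", "enum", {"debug", "info", "warn", "error"}),  # spec = allowed values
]
GOOD_CONFIG = {"worker_threads": "8", "log_level": "info"}  # constructed valid baseline
class ConfigError(Exception):
    """The reaction we want: a specific error that names the offending parameter."""

def violating_values(kind, spec):
    """Derive misconfigured values from a constraint: out of range, wrong type, empty, unknown."""
    if kind == "int_range":
        return [str(spec[0] - 1), str(spec[1] + 1), "abc", ""]
    return ["", "verbose"]

def check(param, kind, spec, value):
    """Enforce one constraint, raising ConfigError on violation."""
    if kind == "int_range":
        lo, hi = spec
        try:
            v = int(value)
        except (TypeError, ValueError):
            raise ConfigError(f"{param}: expected an integer, got {value!r}")
        if not lo <= v <= hi:
            raise ConfigError(f"{param}: {v} is outside [{lo}, {hi}]")
    elif value not in spec:
        raise ConfigError(f"{param}: {value!r} is not one of {sorted(spec)}")

def naive_startup(cfg):
    """Unhardened: int('abc') dies with a bare ValueError; 0 or 1025 threads pass silently."""
    return {"threads": int(cfg["worker_threads"]), "level": cfg["log_level"]}
def hardened_startup(cfg):
    """Hardened: validate every parameter against its constraint before using it."""
    for param, kind, spec in CONSTRAINTS:
        check(param, kind, spec, cfg.get(param))
    return naive_startup(cfg)

def classify(startup, cfg):
    """Reaction to one config: 'rejected' (good), 'crash' (vulnerability) or 'silent' acceptance."""
    try:
        startup(cfg)
    except ConfigError:
        return "rejected"
    except Exception:
        return "crash"
    return "silent"

def probe(startup):
    """Inject each constraint violation into the good config and record the system's reaction."""
    return {(p, bad): classify(startup, dict(GOOD_CONFIG, **{p: bad}))
            for p, kind, spec in CONSTRAINTS for bad in violating_values(kind, spec)}
```

Running `probe(naive_startup)` reports crashes for the non-integer values and silent acceptance for the out-of-range and unknown ones, while `probe(hardened_startup)` rejects every injected value with a message naming the parameter.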
