Improving system integration using a modular configuration specification language

Abstract. Developers invest much effort into validating configuration during startup of free/libre and open source software (FLOSS) applications. Nevertheless, hardly any tools exist to validate configuration files to detect misconfigurations earlier. This paper aims at understanding the challenges to provide better tools for configuration validation. We use mixed methodology: (1) We analyzed 2,683 run-time configuration accesses in the source-code of 16 applications comprising 50 million lines of code. (2) We conducted a questionnaire survey with 162 FLOSS contributors completing the survey. We report our experiences about building up a FLOSS community that tackles the issues by unifying configuration validation with an external configuration access specification.We discovered that information necessary for validation is often missing in the applications and FLOSS developers dislike dependencies on external packages for such validations.

show abstract

“…Elektra introduces specifications for configuration settings [24]. These specifications should also include documentation.…”

Section: Requirement 1 D : Floss Developers Demand a Way To Share Conmentioning

confidence: 99%

“…In particular frontend code generation avoids errors in configuration access [21,28]. Other work describes Elektra's specification language [22,24] and how applications participate without code modifications [25,26].…”

Section: Related Workmentioning

confidence: 99%

Challenges in Validating FLOSS Configuration

Raab

Barany

2017

Open Source Systems: Towards Robust Practices

Self Cite

View full text Add to dashboard Cite

show abstract

“…Raab et al [17][18][19] created the Elektra framework to validate the access to configuration values to detect misconfigurations as soon as possible. We tried to achieve the same with our a-priori verification process.…”

Section: Related Workmentioning

confidence: 99%

Automated implementation of windows-related security-configuration guides

Stöckle

Grobauer

Pretschner

2020

Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

Hardening is the process of configuring IT systems to ensure the security of the systems' components and data they process or store. The complexity of contemporary IT infrastructures, however, renders manual security hardening and maintenance a daunting task.In many organizations, security-configuration guides expressed in the SCAP (Security Content Automation Protocol) are used as a basis for hardening, but these guides by themselves provide no means for automatically implementing the required configurations.In this paper, we propose an approach to automatically extract the relevant information from publicly available security-configuration guides for Windows operating systems using natural language processing. In a second step, the extracted information is verified using the information of available settings stored in the Windows Administrative Template files, in which the majority of Windows configuration settings is defined.We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides. CCS CONCEPTS• Security and privacy → Software security engineering; Usability in security and privacy; • Software and its engineering → Software configuration management and version control systems.

show abstract

“…All these approaches require at least some context-specific design upfront the implementation. The specification language Elektra does not only improve context awareness, but fosters system integration (Raab, 2016b). Some approaches focus on deployment, but require decisions at design time (Lee et al, 2014).…”

Section: Related Workmentioning

confidence: 99%

Introducing Context Awareness in Unmodified, Context-unaware Software

Raab

Barany

2017

Proceedings of the 12th International Conference on Evaluation of Novel Approaches to Software Engineering

Self Cite

View full text Add to dashboard Cite

Abstract:Software tends to be highly configurable, but most applications are hardly context aware. For example, a web browser provides many settings to configure printers and proxies, but nevertheless it is unable to dynamically adapt to a new workplace. In this paper we aim to empirically demonstrate that by dynamic and automatic reconfiguration of unmodified software we can systematically introduce context awareness. In 16 real-world applications comprising 50 million lines of code we empirically investigate which of the 2,683 run-time configuration accesses (1) already take context into account, or (2) can be manipulated at run-time to do so. The results show that context awareness can be exploited far beyond the developers' initial intentions. Our tool Elektra dynamically intercepts the run-time configuration accesses and replaces them with a context aware implementation. Users only need to specify contexts and add context sensors to make use of this potential.

show abstract

Improving system integration using a modular configuration specification language

Cited by 6 publications

References 6 publications

Challenges in Validating FLOSS Configuration

Challenges in Validating FLOSS Configuration

Automated implementation of windows-related security-configuration guides

Introducing Context Awareness in Unmodified, Context-unaware Software

Contact Info

Product

Resources

About