Practical fault detection in puppet programs

Sotiropoulos, Thodoris; Mitropoulos, Dimitris; Spinellis, Diomidis

doi:10.1145/3377811.3380384

Cited by 21 publications

(11 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Schwarz et al [24] picked smells from the catalog proposed by Sharma et al [26] and convert them into detection rules for Foodcritic, a static code analysis tool designed for Chef. Sotiropoulos et al [27] propose a tool for detecting faults regarding ordering violations and notifiers in Puppet scripts. Lepillet et al [10] propose Häyä, a tool that uses dataflow graph analysis to detect intra-update sniping vulnerabilities in CloudFormation templates.…”

Section: Related Workmentioning

confidence: 99%

“…Finally, some analysis tools for IaC use intermediate representations [6,25,27] to describe file-system manipulations done by IaC scripts. Shambaugh et al [25] translated IaC scripts to the intermediate representation by mapping types of resources to their filesystem operations.…”

Section: Related Workmentioning

confidence: 99%

“…Shambaugh et al [25] translated IaC scripts to the intermediate representation by mapping types of resources to their filesystem operations. Sotiropoulos et al [27] used system calls executed by each resource in a IaC script to automatically map the resources to the filesystem operations, which were represented in the intermediate language. To the best of our knowledge, our work is the first that translates scripts of different IaC technologies into an intermediate representation.…”

Section: Related Workmentioning

confidence: 99%

“…This challenge is about extending GLITCH to support more IaC technologies and to detect more vulnerabilities. For example, it would be interesting to extend GLITCH to support Terraform and to support the detection of faults regarding ordering violations [27] or intra-update sniping vulnerabilities [10].…”

Section: Practical Implications and Challengesmentioning

confidence: 99%

See 3 more Smart Citations

GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code

Saavedra¹,

Ferreira²

2022

Preprint

View full text Add to dashboard Cite

Infrastructure as Code (IaC) is the process of managing IT infrastructure via programmable configuration files (also called IaC scripts). Like other software artifacts, IaC scripts may contain security smells, which are coding patterns that can result in security weaknesses. Automated analysis tools to detect security smells in IaC scripts exist, but they focus on specific technologies such as Puppet, Ansible, or Chef. This means that when the detection of a new smell is implemented in one of the tools, it is not immediately available for the technologies supported by the other tools -the only option is to duplicate the effort.This paper presents GLITCH, a new technology-agnostic framework that enables automated polyglot smell detection by transforming IaC scripts into an intermediate representation, on which different security smell detectors can be defined. GLITCH currently supports the detection of nine different security smells in scripts written in Puppet, Ansible, or Chef. We compare GLITCH with state-of-the-art security smell detectors. The results obtained not only show that GLITCH can reduce the effort of writing security smell analyses for multiple IaC technologies, but also that it has higher precision and recall than the current state-of-the-art tools. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Practical Implications and Challengesmentioning

confidence: 99%

See 2 more Smart Citations

GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code

Saavedra¹,

Ferreira²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…A number of IaC-related works have published their evaluation datasets [3], [4], [8]- [10]. However, these datasets only contain a relatively low number of projects, and consist of mostly analysis results.…”

Section: Related Datasetsmentioning

confidence: 99%

Andromeda: A Dataset of Ansible Galaxy Roles and Their Evolution

Opdebeeck

Zerouali

Roover

2021

2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR)

View full text Add to dashboard Cite

Assessing Architecture Conformance to Coupling-Related Infrastructure-as-Code Best Practices: Metrics and Case Studies

Ntentos

Zdun

Soldani

et al. 2022

Software Architecture

View full text Add to dashboard Cite

Infrastructure as Code (IaC) is an IT practice that facilitates the management of the underlying infrastructure as software. It enables developers or operations teams to automatically manage, monitor, and provision resources rather than organize them manually. In many industries, this practice is widespread and has already been fully adopted. However, few studies provide techniques for evaluating architectural conformance in IaC deployments and, in particular, aspects such as loose coupling. This paper focuses on coupling-related patterns and practices such as deployment strategies and the structuring of IaC elements. Many best practices are documented in gray literature sources, such as practitioner books, blogs, and public repositories. Still, there are no approaches yet to automatically check conformance with such best practices. We propose an approach based on generic, technology-independent metrics tied to typical architectural design decisions for IaC-based practices in microservice deployments to support architecting in the context of continuous delivery practices. We present three case studies based on open-source microservice architectures to validate our approach.

show abstract

Practical fault detection in puppet programs

Cited by 21 publications

References 28 publications

GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code

GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code

Andromeda: A Dataset of Ansible Galaxy Roles and Their Evolution

Assessing Architecture Conformance to Coupling-Related Infrastructure-as-Code Best Practices: Metrics and Case Studies

Contact Info

Product

Resources

About