DOI: 10.1145/3324884.3416540
Research article, ASE conference proceedings

Automated implementation of windows-related security-configuration guides

Published: 27 January 2021

Abstract

Hardening is the process of configuring IT systems to ensure the security of the systems' components and the data they process or store. The complexity of contemporary IT infrastructures, however, renders manual security hardening and maintenance a daunting task.
In many organizations, security-configuration guides expressed in the SCAP (Security Content Automation Protocol) are used as a basis for hardening, but these guides by themselves provide no means for automatically implementing the required configurations.
In this paper, we propose an approach to automatically extract the relevant information from publicly available security-configuration guides for Windows operating systems using natural language processing. In a second step, the extracted information is verified against the settings defined in the Windows Administrative Template files, in which the majority of Windows configuration settings are defined.
We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides.
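The two steps the abstract describes, extraction from guide text and verification against Administrative Templates, can be illustrated with a small stand-alone pipeline. The following is an added example written for this page, not the authors' tooling (see the linked repositories for that): it parses a rule sentence written in the DISA STIG style ("Configure the policy value for ... to 'Enabled'"), looks the quoted policy name up in a constructed, heavily trimmed ADMX/ADML pair using Levenshtein distance so that small wording differences between guide and template still resolve, and derives the registry write that implements the rule from the policy's enabledValue/disabledValue. The ADMX/ADML fragments, the rule sentences, and the 0.15 distance threshold are assumptions made for the example.

```python
"""Toy guide-to-registry pipeline (added example, not the paper's tool).

A STIG-style rule sentence is parsed with a regular expression, the quoted
policy name is verified against an Administrative Template (ADMX) and its
display strings (ADML) via Levenshtein distance, and the registry write that
implements the rule is read off the matched policy. All XML and rule text
below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

NS = {"gp": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

# Constructed, trimmed ADMX fragment (same shape and namespace as real files).
ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="TS_PASSWORD" class="Machine" displayName="$(string.TS_PASSWORD)"
            key="SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" valueName="fPromptForPassword">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy name="TS_CLIENT_CLIPBOARD" class="Machine" displayName="$(string.TS_CLIENT_CLIPBOARD)"
            key="SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" valueName="fDisableClip">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>"""

# Constructed ADML string table that resolves the $(string.*) display names.
ADML = r"""<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources><stringTable>
    <string id="TS_PASSWORD">Always prompt for password upon connection</string>
    <string id="TS_CLIENT_CLIPBOARD">Do not allow Clipboard redirection</string>
  </stringTable></resources>
</policyDefinitionResources>"""

# Constructed rule sentences in the wording style of DISA STIGs.
RULE_ENABLE = ('Configure the policy value for Computer Configuration >> Administrative Templates >> '
               'Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> '
               'Security >> "Always prompt for password upon connection" to "Enabled".')
RULE_TYPO = RULE_ENABLE.replace("upon connection", "on conection")  # sloppy guide text
RULE_CLIPBOARD = ('Configure the policy value for Computer Configuration >> Administrative Templates >> '
                  'Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> '
                  'Device and Resource Redirection >> "Do not allow Clipboard redirection" to "Enabled".')
RULE_UNKNOWN = ('Configure the policy value for Computer Configuration >> Administrative Templates >> '
                'Windows Components >> "Turn off Autoplay" to "Enabled".')

RULE_RE = re.compile(r'Configure the policy value for (?P<path>.+?) to "?(?P<state>Enabled|Disabled)"?\.?$')


def load_policies(admx_xml, adml_xml):
    """Return {display name: {class, key, valueName, states}} from an ADMX/ADML pair."""
    strings = {s.get("id"): s.text for s in ET.fromstring(adml_xml).iterfind(".//gp:string", NS)}
    policies = {}
    for p in ET.fromstring(admx_xml).iterfind(".//gp:policy", NS):
        ref = re.fullmatch(r"\$\(string\.(\w+)\)", p.get("displayName")).group(1)
        states = {}
        for tag in ("enabledValue", "disabledValue"):
            dec = p.find(f"gp:{tag}/gp:decimal", NS)
            if dec is not None:
                states[tag[:-5].capitalize()] = int(dec.get("value"))  # "Enabled"/"Disabled"
        policies[strings[ref]] = {"class": p.get("class"), "key": p.get("key"),
                                  "valueName": p.get("valueName"), "states": states}
    return policies


def parse_rule(text):
    """Extract (GPO path segments, policy display name, desired state) or None."""
    m = RULE_RE.search(text.strip())
    if not m:
        return None
    segments = [s.strip().strip('"') for s in m.group("path").split(">>")]
    return segments[:-1], segments[-1], m.group("state")


def levenshtein(a, b):
    """Classic edit distance; tolerates small wording drift between guide and ADML."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def implement_rule(text, policies, max_ratio=0.15):
    """Return the registry write implementing `text`, or None if a human must decide."""
    parsed = parse_rule(text)
    if parsed is None or not policies:
        return None
    path, name, state = parsed
    wanted = "User" if path and path[0].startswith("User") else "Machine"
    ratio, display = min((levenshtein(name.lower(), d.lower()) / max(len(name), len(d)), d)
                         for d in policies)
    pol = policies[display]
    if ratio > max_ratio or pol["class"] not in (wanted, "Both") or state not in pol["states"]:
        return None  # no such policy, wrong hive, or the state is not realisable
    return {"class": wanted, "key": pol["key"], "valueName": pol["valueName"],
            "type": "REG_DWORD", "data": pol["states"][state]}


def to_powershell(impl):
    """Render the write as a direct registry edit under the Policies hive."""
    hive = "HKLM" if impl["class"] == "Machine" else "HKCU"
    path = f'{hive}:\\{impl["key"]}'
    return (f'New-Item -Path "{path}" -Force | Out-Null; '
            f'Set-ItemProperty -Path "{path}" -Name {impl["valueName"]} -Type DWord -Value {impl["data"]}')


POLICIES = load_policies(ADMX, ADML)

if __name__ == "__main__":
    for rule in (RULE_ENABLE, RULE_TYPO, RULE_CLIPBOARD, RULE_UNKNOWN):
        impl = implement_rule(rule, POLICIES)
        print(to_powershell(impl) if impl else f"MANUAL: {parse_rule(rule)[1]!r} not found in ADMX")
```

The verification step is what keeps the NLP output honest: a rule only becomes a write when its policy name resolves to a template entry in the right class and the requested state is one the template actually defines, so an extraction error surfaces as a "MANUAL" item rather than as a wrong registry value. Writing the Policies key directly, as the rendered PowerShell does, produces the same effective setting as Group Policy but does not record it in the local GPO; a tool such as LGPO.exe is the usual way to make the change visible to gpresult.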

References

[1] Steven Bird, Ewan Klein, and Edward Loper. 2009. Natural Language Processing with Python: Analyzing Text with the Natural Language Toolkit. O'Reilly Media.
[2] Henk Birkholz, Jarrett Lu, John Strassner, Nancy Cam-Winget, and Adam W. Montville. 2018. Security Automation and Continuous Monitoring (SACM) Terminology. Internet-Draft draft-ietf-sacm-terminology-16, IETF. Work in progress. https://datatracker.ietf.org/doc/html/draft-ietf-sacm-terminology-16
[3] Nancy Cam-Winget and Lisa Lorenzin. 2017. Security Automation and Continuous Monitoring (SACM) Requirements. RFC 8248.
[4] CIS. 2019. CIS-CAT Pro. https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/
[5] Andrea Continella, Mario Polino, Marcello Pogliani, and Stefano Zanero. 2018. There's a Hole in That Bucket!: A Large-scale Analysis of Misconfigured S3 Buckets. In Proceedings of the 34th Annual Computer Security Applications Conference (San Juan, PR, USA) (ACSAC '18). ACM, New York, NY, USA, 702--711.
[6] Constanze Dietrich, Katharina Krombholz, Kevin Borgolte, and Tobias Fiebig. 2018. Investigating System Operators' Perspective on Security Misconfigurations. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (Toronto, Canada) (CCS '18). ACM, New York, NY, USA, 1272--1289.
[7] DISA. 2019. DISA Microsoft Windows Server 2016 STIG Benchmark. https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2016_V1R13_STIG_SCAP_1-2_Benchmark.zip. Accessed 2019-01-22. Version 7 was used for the paper; version 13 is the current one at the linked URL.
[8] A. K. Jha, S. Lee, and W. J. Lee. 2017. Developer Mistakes in Writing Android Manifests: An Empirical Study of Configuration Errors. In 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR). 25--36.
[9] Dongpu Jin, Myra B. Cohen, Xiao Qu, and Brian Robinson. 2014. PrefFinder: Getting the Right Preference in Configurable Software Systems. In Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (Västerås, Sweden) (ASE '14). ACM, New York, NY, USA, 151--162.
[10] L. Keller, P. Upadhyaya, and G. Candea. 2008. ConfErr: A tool for assessing resilience to human configuration errors. In 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN). 157--166.
[11] Vladimir I. Levenshtein. 1966. Binary codes capable of correcting deletions, insertions, and reversals. In Soviet Physics Doklady, Vol. 10. 707--710.
[12] Microsoft Corporation. 2016. Local Group Policy Object Utility. https://www.microsoft.com/en-us/download/details.aspx?id=55319 Accessed 2019-01-18.
[13] Microsoft Corporation. 2017. Security policy settings. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/security-policy-settings
[14] Adam W. Montville and Bill Munyan. 2018. Security Automation and Continuous Monitoring (SACM) Architecture. Internet-Draft draft-ietf-sacm-arch-00, IETF. Work in progress. https://datatracker.ietf.org/doc/html/draft-ietf-sacm-arch-00
[15] Rahul Pandita, Xusheng Xiao, Hao Zhong, Tao Xie, Stephen Oney, and Amit Paradkar. 2012. Inferring Method Specifications from Natural Language API Descriptions. In Proceedings of the 34th International Conference on Software Engineering (Zurich, Switzerland) (ICSE '12). IEEE Press, Piscataway, NJ, USA, 815--825. http://dl.acm.org/citation.cfm?id=2337223.2337319
[16] Martin Preisler and Marek Haicman. 2018. Security Automation for Containers and VMs with OpenSCAP. In USENIX LISA, Washington. Available from https://martin.preisler.me/...
[17] Markus Raab. 2015. Safe Management of Software Configuration. In Proceedings of the CAiSE'2015 Doctoral Consortium at the 27th International Conference on Advanced Information Systems Engineering (CAiSE 2015), Stockholm, Sweden, June 11--12, 2015. 74--82. http://ceur-ws.org/Vol-1415/CAISE2015DC09.pdf
[18] Markus Raab. 2016. Improving system integration using a modular configuration specification language. In Companion Proceedings of the 15th International Conference on Modularity, Málaga, Spain, March 14--18, 2016. 152--157.
[19] Markus Raab and Gergö Barany. 2017. Challenges in Validating FLOSS Configuration. In Open Source Systems: Towards Robust Practices - 13th IFIP WG 2.13 International Conference, OSS 2017, Buenos Aires, Argentina, May 22--23, 2017, Proceedings. 101--114.
[20] A. Rabkin and R. Katz. 2011. Static extraction of program configuration options. In 2011 33rd International Conference on Software Engineering (ICSE). 131--140.
[21] Akond Rahman, Chris Parnin, and Laurie Williams. 2019. The Seven Sins: Security Smells in Infrastructure As Code Scripts. In Proceedings of the 41st International Conference on Software Engineering (Montreal, Quebec, Canada) (ICSE '19). IEEE Press, Piscataway, NJ, USA, 164--175.
[22] Red Hat, Inc. 2010. OpenSCAP. https://www.open-scap.org. Accessed 2018-12-18.
[23] SaltStack, Inc. 2011. SaltStack. https://github.com/saltstack/salt Accessed 2019-01-07.
[24] Mark Santolucito, Ennan Zhai, Rahul Dhodapkar, Aaron Shim, and Ruzica Piskac. 2017. Synthesizing Configuration File Specifications with Association Rule Learning. Proc. ACM Program. Lang. 1, OOPSLA, Article 64 (Oct. 2017), 20 pages.
[25] M. Sayagh and A. E. Hassan. 2020. ConfigMiner: Identifying the Appropriate Configuration Options for Config-related User Questions by Mining Online Forums. IEEE Transactions on Software Engineering (2020), 1--1.
[26] Patrick Stöckle, Bernd Grobauer, and Alexander Pretschner. 2020. Repository to demonstrate the steps of the automated hardening process. https://github.com/tum-i22/disa-windows-server-2016 swh:1:dir:c3803619f51702199b19405547e2be2f2f55bdd2.
[27] Patrick Stöckle, Bernd Grobauer, and Alexander Pretschner. 2020. Repository with the check results for CIS guides before and after implementing the guides. https://github.com/tum-i22/CIS-Benchmark-Evaluation swh:1:dir:b5c15f48b2c288f58533c9354bea3703ffbbb0dd.
[28] Patrick Stöckle, Bernd Grobauer, and Alexander Pretschner. 2020. Updated version of the step repository with Windows Server 2019. https://github.com/tum-i22/disa-windows-server-2019 swh:1:dir:13ffd9d2566c64afdedd414336a95a35605392d7.
[29] Ya-Yunn Su, Mona Attariyan, and Jason Flinn. 2007. AutoBash: Improving Configuration Management with Operating System Causality Analysis. SIGOPS Oper. Syst. Rev. 41, 6 (Oct. 2007), 237--250.
[30] Lin Tan, Ding Yuan, Gopal Krishna, and Yuanyuan Zhou. 2007. /*iComment: Bugs or Bad Comments?*/. SIGOPS Oper. Syst. Rev. 41, 6 (Oct. 2007), 145--158.
[31] Chunqiang Tang, Thawan Kooburat, Pradeep Venkatachalam, Akshay Chander, Zhe Wen, Aravind Narayanan, Patrick Dowell, and Robert Karl. 2015. Holistic Configuration Management at Facebook. In Proceedings of the 25th Symposium on Operating Systems Principles (Monterey, California) (SOSP '15). ACM, New York, NY, USA, 328--343.
[32] David Waltermire and Jessica Fitzgerald-McKay. 2018. Transitioning to the Security Content Automation Protocol (SCAP) Version 2. Technical Report. NIST. https://csrc.nist.gov/publications/detail/white-paper/2018/09/10/transitioning-to-scap-version-2/final
[33] Rui Wang, XiaoFeng Wang, Kehuan Zhang, and Zhuowei Li. 2008. Towards Automatic Reverse Engineering of Software Security Configurations. In Proceedings of the 15th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA) (CCS '08). ACM, New York, NY, USA, 245--256.
[34] Edmund Wong, Lei Zhang, Song Wang, Taiyue Liu, and Lin Tan. 2015. DASE: Document-assisted Symbolic Execution for Improving Automated Software Testing. In Proceedings of the 37th International Conference on Software Engineering - Volume 1 (Florence, Italy) (ICSE '15). IEEE Press, Piscataway, NJ, USA, 620--631. http://dl.acm.org/citation.cfm?id=2818754.2818831
[35] Tianyin Xu, Long Jin, Xuepeng Fan, Yuanyuan Zhou, Shankar Pasupathy, and Rukma Talwadker. 2015. Hey, You Have Given Me Too Many Knobs!: Understanding and Dealing with Over-designed Configuration in System Software. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering (Bergamo, Italy) (ESEC/FSE 2015). ACM, New York, NY, USA, 307--319.
[36] Tianyin Xu, Xinxin Jin, Peng Huang, Yuanyuan Zhou, Shan Lu, Long Jin, and Shankar Pasupathy. 2016. Early Detection of Configuration Errors to Reduce Failure Damage. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association, Savannah, GA, 619--634. https://www.usenix.org/conference/osdi16/technical-sessions/presentation/xu
[37] Tianyin Xu, Jiaqi Zhang, Peng Huang, Jing Zheng, Tianwei Sheng, Ding Yuan, Yuanyuan Zhou, and Shankar Pasupathy. 2013. Do Not Blame Users for Misconfigurations. In Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles (Farmington, Pennsylvania) (SOSP '13). ACM, New York, NY, USA, 244--259.
[38] Tianyin Xu and Yuanyuan Zhou. 2015. Systems Approaches to Tackling Configuration Errors: A Survey. ACM Comput. Surv. 47, 4, Article 70 (July 2015), 41 pages.
[39] J. Yang, E. Wittern, A. T. T. Ying, J. Dolby, and L. Tan. 2018. Towards Extracting Web API Specifications from Documentation. In 2018 IEEE/ACM 15th International Conference on Mining Software Repositories (MSR). 454--464.
[40] Zuoning Yin, Xiao Ma, Jing Zheng, Yuanyuan Zhou, Lakshmi N. Bairavasundaram, and Shankar Pasupathy. 2011. An Empirical Study on Configuration Errors in Commercial and Open Source Systems. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (Cascais, Portugal) (SOSP '11). ACM, New York, NY, USA, 159--172.
[41] Hao Zhong, Lu Zhang, Tao Xie, and Hong Mei. 2011. Inferring specifications for resources from natural language API documentation. Automated Software Engineering 18, 3 (Dec. 2011), 227--261.

Cited By

  • (2023) Better Safe Than Sorry! Automated Identification of Functionality-Breaking Security-Configuration Rules. In 2023 IEEE/ACM International Conference on Automation of Software Test (AST), 90--100, May 2023. DOI 10.1109/AST58925.2023.00013
  • (2022) Automated Identification of Security-Relevant Configuration Settings Using NLP. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, 1--5, 10 Oct 2022. DOI 10.1145/3551349.3559499
  • (2022) Hardening with Scapolite. In Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, 137--142, 14 Apr 2022. DOI 10.1145/3508398.3511525

Published In

ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering
December 2020
1449 pages
ISBN:9781450367684
DOI:10.1145/3324884

In-Cooperation: IEEE CS

Publisher: Association for Computing Machinery, New York, NY, United States


Conference: ASE '20

Overall Acceptance Rate: 82 of 337 submissions, 24%

Article Metrics

  • Downloads (last 12 months): 98
  • Downloads (last 6 weeks): 18
Reflects downloads up to 21 Dec 2024
