Thu 18 Jul 2024 15:12 - 15:30 at Acerola - Empirical Studies 3 Chair(s): Shane McIntosh

Context: Despite being beneficial for managing computing infrastructure at scale, Ansible scripts include security weaknesses, such as hard-coded passwords. Security weaknesses can propagate into tasks, i.e., code constructs used for managing computing infrastructure with Ansible. Propagation of security weaknesses into tasks makes the provisioned infrastructure susceptible to security attacks. A systematic characterization of task infection, i.e., the propagation of security weaknesses into tasks, can aid practitioners and researchers in understanding how security weaknesses propagate into tasks and derive insights for practitioners to develop Ansible scripts securely.

Objective: The goal of the paper is to help practitioners and researchers understand how Ansible-managed computing infrastructure is impacted by security weaknesses by conducting an empirical study of task infections in Ansible scripts.

Methodology: We conduct an empirical study in which we quantify the frequency of task infections in Ansible scripts. Upon detection of task infections, we apply qualitative analysis to determine task infection categories. We also conduct a survey with 23 practitioners to determine the prevalence and severity of the identified task infection categories. With logistic regression analysis, we identify development factors that correlate with the presence of task infections.

Results: In all, we identify 1,805 task infections in 27,213 scripts. We identify six task infection categories: anti-virus, continuous integration, data storage, message broker, networking, and virtualization. From our survey, we observe that tasks used to manage data storage infrastructure are perceived to have the most severe consequences. We also find three development factors, namely age, minor contributors, and scatteredness, that correlate with the presence of task infections.

Conclusion: Our empirical study shows computing infrastructure managed by Ansible scripts to be impacted by security weaknesses. We conclude the paper by discussing the implications of our findings for practitioners and researchers.
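The Context paragraph defines task infection as the propagation of a security weakness, such as a hard-coded password, into a task. The Python script below is added here as an illustration; it is not code from the paper or its authors and does not reproduce their detection method. It shows one way to surface such propagation in a single playbook: it flags play-level variables that hold a literal secret, then reports every task whose module arguments either reference such a variable through a Jinja expression or hold a literal secret inline. The playbook is a constructed sample, written directly as the Python structure that PyYAML's safe_load would return for the equivalent YAML, so the script runs without a YAML dependency. The key-name heuristic, the treatment of `{{ ... }}` values and `$ANSIBLE_VAULT;` ciphertext as non-literal, and all variable and task names are assumptions of this example.

```python
from __future__ import annotations

import re
from typing import Any, Iterator

# Keys whose values are expected to be secrets (heuristic, assumed for this example).
SECRET_KEY = re.compile(r"(passw(or)?d|secret|token|api_key|private_key)", re.I)
# A bare variable reference such as "{{ db_password }}".
JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")

# Constructed sample playbook, in the form yaml.safe_load() would return. Not from the paper.
PLAYBOOK = [
    {
        "name": "Provision database host",
        "hosts": "db",
        "vars": {
            "db_user": "app",
            "db_password": "hunter2",                           # hard-coded secret (weakness)
            "api_token": "{{ lookup('env', 'API_TOKEN') }}",    # resolved at run time, not literal
            "smtp_password": "$ANSIBLE_VAULT;1.1;AES256\n3962...",  # vault ciphertext (constructed)
        },
        "tasks": [
            {"name": "Create application DB user",
             "mysql_user": {"name": "{{ db_user }}", "password": "{{ db_password }}"}},
            {"name": "Install MySQL",
             "apt": {"name": "mysql-server", "state": "present"}},
            {"name": "Set root DB password",
             "mysql_user": {"name": "root", "password": "changeme"}},
            {"name": "Register with API",
             "uri": {"url": "https://api.example.invalid/register",
                     "headers": {"Authorization": "Bearer {{ api_token }}"}}},
            {"name": "Configure mail relay",
             "template": {"src": "msmtprc.j2", "dest": "/etc/msmtprc"},
             "vars": {"relay_password": "{{ smtp_password }}"}},
        ],
    }
]


def is_hardcoded(value: Any) -> bool:
    """True for a literal, non-empty string that is neither a Jinja expression nor vault ciphertext."""
    if not isinstance(value, str) or not value.strip():
        return False
    v = value.strip()
    return not v.startswith("{{") and not v.startswith("$ANSIBLE_VAULT;")


def leaves(obj: Any, path: str = "") -> Iterator[tuple[str, str, Any]]:
    """Yield (dotted path, final key, value) for every scalar inside nested dicts and lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, f"{path}.{k}" if path else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from leaves(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1], obj


def weak_vars(play: dict) -> set[str]:
    """Names of play-level variables whose key looks secret-bearing and whose value is a literal."""
    return {k for k, v in play.get("vars", {}).items()
            if SECRET_KEY.search(k) and is_hardcoded(v)}


def infected_tasks(play: dict) -> list[dict]:
    """Tasks into which a weak variable propagates, or that carry a literal secret inline."""
    weak = weak_vars(play)
    findings = []
    for task in play.get("tasks", []):
        reasons = []
        body = {k: v for k, v in task.items() if k != "name"}
        for path, key, value in leaves(body):
            if isinstance(value, str):
                refs = set(JINJA_VAR.findall(value)) & weak
                reasons += [f"{path} propagates hard-coded var '{r}'" for r in sorted(refs)]
            if SECRET_KEY.search(key) and is_hardcoded(value):
                reasons.append(f"{path} holds an inline hard-coded secret")
        if reasons:
            findings.append({"task": task.get("name", "<unnamed>"), "reasons": reasons})
    return findings


def analyze(playbook: list[dict]) -> list[dict]:
    """Run the check over every play and concatenate the findings."""
    return [f for play in playbook for f in infected_tasks(play)]


if __name__ == "__main__":
    for f in analyze(PLAYBOOK):
        print(f["task"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the script reports two infected tasks: the DB user task, which inherits `db_password` through `{{ db_password }}`, and the root-password task, which embeds the literal directly. The API and mail-relay tasks are clean because their secrets come from an environment lookup and a vault-encrypted variable respectively, which is the remediation pattern the sample is built around. With a real playbook, load it with `yaml.safe_load`, and note that a `!vault` tagged scalar is returned by Ansible's own loader as a special object rather than the plain string assumed here.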

Thu 18 Jul (displayed time zone: Brasilia, Distrito Federal, Brazil)

14:00 - 15:30, Empirical Studies 3 (Research Papers / Journal First) at Acerola
Chair: Shane McIntosh, University of Waterloo

14:00 (18m, Talk): Understanding the Impact of APIs Behavioral Breaking Changes on Client Applications (Research Papers)
Dhanushka Jayasuriya (University of Auckland), Valerio Terragni (University of Auckland), Jens Dietrich (Victoria University of Wellington), Kelly Blincoe (University of Auckland)

14:18 (18m, Talk): Analyzing the BizDev Interface in an Enterprise Context: A Case of Developers Acting in Business (Journal First)
Breno de França (UNICAMP), Caique Moreira (Instituto de Computação - Universidade Estadual de Campinas), Tayana Conte (Universidade Federal do Amazonas)

14:36 (18m, Talk): Silent Bugs in Deep Learning Frameworks: An Empirical Study of Keras and TensorFlow (Journal First)
Florian Tambon (Polytechnique Montréal), Amin Nikanjam (École Polytechnique de Montréal), Le An (Polytechnique Montreal), Foutse Khomh (Polytechnique Montréal), Giuliano Antoniol (Polytechnique Montréal)

14:54 (18m, Talk): AROMA: Automatic Reproduction of Maven Artifacts (Research Papers)
Mehdi Keshani (Delft University of Technology), Tudor-Gabriel Velican (Delft University of Technology), Gideon Bot (Delft University of Technology), Sebastian Proksch (Delft University of Technology)

15:12 (18m, Talk): An Empirical Study of Task Infections in Ansible Scripts (Journal First)
Akond Rahman (Auburn University), Dibyendu Brinto Bose (Graduate Student), Yue Zhang (Auburn University), Rahul Pandita (GitHub, Inc.)