Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, there exist security-configuration guides specifying in detail which values are secure. However, most administrators still refrain from hardening existing systems because the system functionality is feared to deteriorate if secure settings are applied. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality. This article presents our approach to use combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. The administrators can then apply only the unproblematic rules and, therefore, increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.
翻译:攻击者可以利用软件设置中的不安全默认值来损害软件运行系统。 作为一种反措施,存在安全配置指南,详细指明了哪些值是安全的。 然而,大多数管理员仍然不加强现有系统,因为如果应用安全设置,系统功能恐怕会恶化。 为了促进安全配置指南的应用,有必要确定限制功能的规则。 本条介绍了我们使用组合测试的方法,以找到规则与机器学习技术的有问题的组合,找出这些组合中存在问题的规则。 管理员然后只能应用无争议的规则,从而在不出现破坏功能的风险的情况下加强系统的安全。 为了证明我们的方法的效用,我们将其应用于从与西门子管理人的讨论中得出的现实世界问题,并在这些案例中发现了有问题的规则。 我们希望,这一方法及其开放源的实施能够激励更多的管理员加强他们的系统,从而增强他们的系统的一般安全。</s>