Automatic mapping of configuration options in software using static analysis

Junyong Wang, Thar Baker, Yingnan Zhou, Ali Ismail Awad, Bin Wang, Yongsheng Zhu

Research output: Contribution to journalArticlepeer-review

Abstract

Configuration errors are some of the main reasons for software failures. Some configuration options may even negatively impact the software's security, so that if a user sets the options inappropriately, there may be a huge security risk for the software. Recent studies have proposed mapping option read points to configuration options as the first step in alleviating the occurrence of configuration errors. Sadly, most available techniques use humans, and the rest require additional input, like an operation manual. Unfortunately, not all software is standardized and friendly. We propose a technique based on program and static analysis that can automatically map all the configuration options of a program just by reading the source code. Our evaluation shows that this technique achieves 88.6%, 97.7%, 94.6%, 94.8%, and 92.6% success rates with the Hadoop modules Common, Hadoop distributed file system, MapReduce, and YARN, and also PX4, when extracting configuration options. We found 53 configuration options in PX4 that were not documented and submitted these to the developers. Compared with published work, our technique is more effective in mapping options, and it may lay the foundation for subsequent research on software configuration security.

Original languageEnglish
Pages (from-to)10044-10055
Number of pages12
JournalJournal of King Saud University - Computer and Information Sciences
Volume34
Issue number10 - Part B
DOIs
Publication statusPublished - 12 Oct 2022

Bibliographical note

Funding Information:
This work was by the National Key R&D Program of China, under Grant 2020YFB1005604, in part by the National Natural Science Foundation of China, under grant U21A20463, and in part by the Fundamental Research Funds for the Central Universities of China under Grant KKJB320001536.

Keywords

  • Configuration error
  • Configuration option
  • Option read point
  • Program analysis
  • Software security
  • Static analysis

Cite this