Enhancing configuration security with heterogeneous read points

Bibliographic Details
Published in: Journal of cloud computing : advances, systems and applications, Vol. 14; no. 1; pp. 16 - 14
Main Authors: Kong, Xianglong; Liu, Qiyu; Huang, Wei; Du, Jiayu; Li, Hongfa; Ji, Wen; Zhang, Fan
Format: Journal Article
Language: English
Published: Berlin/Heidelberg: Springer Berlin Heidelberg, 01.12.2025; Springer Nature B.V; SpringerOpen
Summary: Configuration files are widely used for customizing the status and behavior of cloud systems without modifying source code. The configurable system performs flexibly to meet different requirements. Several security risks come with the flexibility, since the configuration files are directly accessible to users. In this work, we propose config-flow analysis to locate suspicious usage and design three types of code-level heterogeneous operations to build security protection for related read points. The config-flow analysis can address the propagation of configuration options and further help to boost configuration security from read points to the end of usage sequence. For the three types of commonly used configuration files, i.e., key-value pairs, serialization data, and scripts, we evaluated the effectiveness of read point identification and heterogeneous operations on 14 open-source projects. The experimental results show that the overall precision of file and option read point identification is 97% and 96%, and our approach can ensure projects keep security against configuration-related vulnerabilities with acceptable performance loss.
ISSN: 2192-113X
DOI: 10.1186/s13677-025-00740-1