Project description

Better Safe Than Sorry

This repository is part of the paper Better Safe Than Sorry! Automated Identification of Breaking Security-Configuration Rules accepted at the 4th ACM/IEEE International Conference on Automation of Software Test (AST).

Institutions like the Center for Internet Security publish security-configuration guides(also called benchmarks) that help us configure systems more securely. This configuration hardening can mitigate the risk of successful attacks, which may cause damage to our systems and data. A remaining problem with applying these guides are so-called "breaking rules." Applying breaking rules on a production system will break at least one functionality with the corresponding ramifications. We could safely apply the remaining rules if we identified all breaking rules and removed them from the guide.

Our new approach combines techniques from software testing, machine learning, and graph theory to automatically identify these breaking rules. This repository includes our Python scripts to

generate the covering arrays from a given security-configuration guide
Test the different covering arrays
Analyze the results to find the breaking rules

One can redo all our experiments presented in the article using the code in this repository.

Setup

With PyPi

The easiest way to use the scrips in this repository is to install the package from PyPi

pip install better-safe-than-sorry
better-safe-than-sorry --version

With Poetry

One can also use poetry to install the dependencies.

cd /path/to/better-safe-than-sorry/
poetry install
poetry run better-safe-than-sorry --version

Steps

Generate Profiles based on Covering Arrays

See here.

Test Execution

Simulation

See here.

Test Execution with Vagrant

See here

Test Result Analysis

See here.

Resources

Sfera Automation files

The folder rsc/sfera_automation_jsons contains variants of sfera_automation.json files based on the Windows 10 version 1909 guide by the Center for Internet Security. sfera_automation.json is a JSON-based file format used at Siemens to automatically implement Windows-based security-configuration guides. We generated the variants were generated using the IPOG and IPOG-D algorithms and include custom profiles for combinatorial testing of strength 2 to 5.

Contact

If you have any questions, please create an issue or contact Patrick Stöckle.

Project details

These details have not been verified by PyPI

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

0.1.2

Mar 4, 2023

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

better-safe-than-sorry-0.1.2.tar.gz (24.4 kB view hashes)

Uploaded Mar 4, 2023 Source

Built Distribution

better_safe_than_sorry-0.1.2-py3-none-any.whl (33.6 kB view hashes)

Uploaded Mar 4, 2023 Python 3

Hashes for better-safe-than-sorry-0.1.2.tar.gz

Hashes for better-safe-than-sorry-0.1.2.tar.gz
Algorithm	Hash digest
SHA256	`0f88c3fb82df6a04c4f21ef153d7e2257044163ce50876c6edc9a4c716ed8c34`
MD5	`6ab2e7e395d0648a16f54407807d3ab8`
BLAKE2b-256	`531513dd65f9277440e1734baf148003fad525e63da74f4074dec71e00dddb18`

Hashes for better_safe_than_sorry-0.1.2-py3-none-any.whl

Hashes for better_safe_than_sorry-0.1.2-py3-none-any.whl
Algorithm	Hash digest
SHA256	`5da54118454b27e7763d52009be56b4651cef033fd81bb0de38d81f32d790293`
MD5	`e02786f032dabe9470e09bfa3f08547d`
BLAKE2b-256	`349a9b58c1e0a7283284094f3fa688a1343ff272cad51727afce1ca6758fa4ed`