Search

Your search keyword '"Minna, Francesco"' showing total 8 results
Start Over Author "Minna, Francesco"
8 results on '"Minna, Francesco"'

1. Analyzing and Mitigating (with LLMs) the Security Misconfigurations of Helm Charts from Artifact Hub

Author

Minna, Francesco, Massacci, Fabio, and Tuma, Katja

Subjects
Computer Science - Software Engineering
Abstract

Background: Helm is a package manager that allows defining, installing, and upgrading applications with Kubernetes (K8s), a popular container orchestration platform. A Helm chart is a collection of files describing all dependencies, resources, and parameters required for deploying an application within a K8s cluster. Objective: The goal of this study is to mine and empirically evaluate the security of Helm charts, comparing the performance of existing tools in terms of misconfigurations reported by policies available by default, and measure to what extent LLMs could be used for removing misconfiguration. We also want to investigate whether there are false positives in both the LLM refactorings and the tool outputs. Method: We propose a pipeline to mine Helm charts from Artifact Hub, a popular centralized repository, and analyze them using state-of-the-art open-source tools, such as Checkov and KICS. First, such a pipeline will run several chart analyzers and identify the common and unique misconfigurations reported by each tool. Secondly, it will use LLMs to suggest mitigation for each misconfiguration. Finally, the chart refactoring previously generated will be analyzed again by the same tools to see whether it satisfies the tool's policies. At the same time, we will also perform a manual analysis on a subset of charts to evaluate whether there are false positive misconfigurations from the tool's reporting and in the LLM refactoring., Comment: MSR 2024 - Registered Reports

Published
2024

2. Towards a Security Stress-Test for Cloud Configurations

Author

Minna, Francesco, Massacci, Fabio, and Tuma, Katja

Subjects
Computer Science - Cryptography and Security
Abstract

Securing cloud configurations is an elusive task, which is left up to system administrators who have to base their decisions on ``trial and error'' experimentations or by observing good practices (e.g., CIS Benchmarks). We propose a knowledge, AND/OR, graphs approach to model cloud deployment security objects and vulnerabilities. In this way, we can capture relationships between configurations, permissions (e.g., CAP\_SYS\_ADMIN), and security profiles (e.g., AppArmor and SecComp), as first-class citizens. Such an approach allows us to suggest alternative and safer configurations, support administrators in the study of what-if scenarios, and scale the analysis to large scale deployments. We present an initial validation and illustrate the approach with three real vulnerabilities from known sources., Comment: Conference: The IEEE International Conference on Cloud Computing (CLOUD) 2022

Published
2022

5. An Open-Source Cloud Testbed for Security Experimentation

Author

Minna, Francesco, Massacci, Fabio, Fazio, Maria, Panda, Dhabaleswar K., Prodan, Radu, Cardellini, Valeria, Kantarci, Burak, Rana, Omer, Villari, Massimo, Computer Systems, Network Institute, Fazio, Maria, Panda, Dhabaleswar K., Prodan, Radu, Cardellini, Valeria, Kantarci, Burak, Rana, Omer, and Villari, Massimo

Subjects
Docker, SDG 17 - Partnerships for the Goals, Microservices, Security, Testbed, cloud, experiments, Kubernetes, Containers
Abstract

The use of container and orchestration technologies, such as Docker and Kubernetes keeps growing every year. For the purpose of security experimentation and reproducibility of security attacks and defenses, an open-source testbed would also be an important step forward. Yet, while several security experimentation testbeds from web application testing to capture-the-flag (CTF) competitions have been proposed, a similar solution for cloud experiments is wanting. To fill this gap, we propose an open-source cloud testbed that, by using Domain Specific Language (DSL) files (e.g. with JSON or YAML syntax), allows defining experimentation scenarios as configuration files. Using DSL files allows to create, share, customize, automatically deploy, and reproduce different scenarios in a user-friendly manner. We describe the design and the corresponding tools and technologies for different implementations.

Published
2022

Catalog

Books, media, physical & digital resources
See catalog results