Cookies Policy
The website need some cookies and similar means to function. If you permit us, we will use those means to collect data on your visits for aggregated statistics to improve our service. Find out More
Accept Reject
  • Menu
Article

Portuguese researchers developed a pioneering tool for detection of security risks in Infrastructure as Code

The GLITCH solution transforms the original code of programs into a specific model and carries out an analysis to detect code smells — patterns that occur on the code and can lead to security vulnerabilities.

14th November 2023

All the digital platforms we use are based on code that allows their correct functioning. The existence of errors on the code can lead to disruptions with different levels of severity and consequences for the user. In this sense, it's possible to define security code smells patterns occurring in the code of a software application, which must be avoided to prevent vulnerabilities that can be exploited by malicious agents. 

Alexandra Mendes, researcher at INESC TEC, João F. Ferreira, Nuno Saavedra, João Gonçalves and Miguel Henriques, researchers at INESC-ID and Instituto Superior Técnico, developed GLITCH — a language-agnostic framework that detects code smells ("the violation of a good practice") in infrastructure scripts.

The variety of technologies for script writing requires the replication of code detection for smells in each technology. "Not only is duplication undesirable — because it unnecessarily leads to repeated work —, but it also leads to inconsistencies in smell detection across various technologies", explained Alexandra Mendes.

This is precisely the main innovative aspect of the GLITCH solution: it uses an intermediate representation that captures similar concepts of various Infrastructure as Code (IaC) technologies. GLITCH transforms the original code of the programs into a specific model, on which to carry out the analysis and detection of code smells is carried out. According to Alexandra Mendes, researcher at the High-Assurance Software Laboratory (HASLab), "the smell detection code is written only once on the  GLITCH representation and is immediately applicable to various technologies".

The team behind GLITCH presented the demo paper "Polyglot Code Smell Detection for Infrastructure as Code with GLITCH" at the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023), a top-tier conference with a core A* ranking, held in early September in Luxembourg; this conference is considered one of the major events in the field of software engineering.

Currently, the solution supports security smells - such as hard-coded passwords - and design and implementation smells — such as the excessive use of variables or very long lines of code on the program — in scripts written in Ansible, Chef, Docker, Puppet or Terraform.

The researcher mentioned in this news piece is associated with INESC TEC and UP-FEUP.