Do not blame users for misconfigurations

Tianyin Xu, Jiaqi Zhang, Peng Huang, Jing Zheng, Tianwei Sheng, Ding Yuan, Yuanyuan Zhou, Shankar Pasupathy

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Like software bugs, configuration errors are one of the major causes of today's system failures. Many configuration issues manifest themselves in ways similar to software bugs, such as crashes, hangs, and silent failures. This leaves users clueless and forced to report to developers for technical support, wasting not only users' but also developers' precious time and effort. Unfortunately, unlike with software bugs, many software developers take a much less active, responsible role in handling configuration errors because "they are users' faults." This paper advocates that software developers take an active role in handling misconfigurations. It also makes a concrete first step towards this goal by providing tooling support to help developers improve their configuration design and harden their systems against configuration errors. Specifically, we build a tool, called Spex, to automatically infer configuration requirements (referred to as constraints) from software source code, and then use the inferred constraints to: (1) expose misconfiguration vulnerabilities (i.e., bad system reactions to configuration errors such as crashes, hangs, and silent failures); and (2) detect certain types of error-prone configuration design and handling. We evaluate Spex with one commercial storage system and six open-source server applications. Spex automatically infers a total of 3800 constraints for more than 2500 configuration parameters. Based on these constraints, Spex further detects 743 various misconfiguration vulnerabilities and at least 112 error-prone constraints in the latest versions of the evaluated systems. To this day, 364 vulnerabilities and 80 inconsistent constraints have been confirmed or fixed by developers after we reported them. Our results have influenced the Squid Web proxy project to improve its configuration parsing library towards a more user-friendly design.

Original language: English (US)
Title of host publication: SOSP 2013 - Proceedings of the 24th ACM Symposium on Operating Systems Principles
Pages: 244-259
Number of pages: 16
State: Published - 2013
Externally published: Yes
Event: 24th ACM Symposium on Operating Systems Principles, SOSP 2013 - Farmington, PA, United States
Duration: Nov 3 2013 to Nov 6 2013

Keywords

  • constraint
  • inference
  • misconfiguration
  • testing
  • vulnerability

ASJC Scopus subject areas

  • Software
