LLMSecConfig: An LLM-Based Approach for Fixing Software Container Misconfigurations

TL;DR

This paper presents LLMSecConfig, a novel framework combining static analysis and large language models to automatically fix security misconfigurations in container orchestrator configurations, achieving high success rates.

Contribution

It introduces an innovative LLM-based approach with advanced prompting and retrieval techniques to automatically repair security misconfigurations in container setups.

Findings

94% success rate in fixing misconfigurations

Low rate of introducing new misconfigurations

Effective combination of SATs and LLMs for security fixes

Abstract

Security misconfigurations in Container Orchestrators (COs) can pose serious threats to software systems. While Static Analysis Tools (SATs) can effectively detect these security vulnerabilities, the industry currently lacks automated solutions capable of fixing these misconfigurations. The emergence of Large Language Models (LLMs), with their proven capabilities in code understanding and generation, presents an opportunity to address this limitation. This study introduces LLMSecConfig, an innovative framework that bridges this gap by combining SATs with LLMs. Our approach leverages advanced prompting techniques and Retrieval-Augmented Generation (RAG) to automatically repair security misconfigurations while preserving operational functionality. Evaluation of 1,000 real-world Kubernetes configurations achieved a 94\% success rate while maintaining a low rate of introducing new misconfigurations. Our work makes a promising step towards automated container security management, reducing the manual effort required for configuration maintenance.