Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

Vinod Ganapathy, David King, Trent Jaeger, Somesh Jha.

Proceedings of the 29th International Conference on Software Engineering (ICSE 2007); pages 458--467; Minneapolis, Minnesota; May 20-26, 2007.

This paper presents an approach to statically retrofit legacy servers with mechanisms for authorization policy enforcement. The approach is based upon the observation that security-sensitive operations performed by a server are characterized by idiomatic resource manipulations, called fingerprints. Candidate fingerprints are automatically mined by clustering resource manipulations using concept analysis. These fingerprints are then used to identify security-sensitive operations performed by the server. Case studies with three real-world servers show that the approach can be used to identify security-sensitive operations with a few hours of manual effort and modest domain knowledge.

Paper: [ PDF | HTML ] (© IEEE)
Slides: [ Powerpoint | PDF ]
DOI: [ 10.1109/ICSE.2007.54 ]
Data: [ Concept Lattices ]

Papers page