Monday, May 15, 2006
4:00 - 5:00 PM
2310 CS
|
Department of Computer Sciences, University of Wisconsin, Madison ( web)
Retrofitting Legacy Code for Authorization Policy Enforcement
Joint work with Trent Jaeger and Somesh Jha. This is a
25-minute conference practice talk for the 2006 IEEE
Symposium on Security and Privacy.
Researchers have argued that the best way to construct a
secure system is to proactively integrate security into
the design of the system. However, this tenet is rarely
followed because of economic and practical
considerations. Instead, security mechanisms are added
as the need arises, by retrofitting legacy
code. Existing techniques to do so are manual and ad
hoc, and often result in security holes.
We present program analysis techniques to assist the
process of retrofitting legacy code for authorization
policy enforcement. These techniques can be used to
retrofit legacy servers, such as X window, web, proxy,
and cache servers. Because such servers manage multiple
clients simultaneously, and offer shared resources to
clients, they must have the ability to enforce
authorization policies. A developer can use our
techniques to identify security-sensitive locations in
legacy servers, and place reference monitor calls to
mediate these locations. We demonstrate our techniques
by retrofitting an X11 server to enforce authorization
policies on its X clients.
|
Created and maintained by Mihai Christodorescu (
http://www.cs.wisc.edu/~mihai)
Created: Wed Aug 13 10:30:10 CDT 2003
Last modified: Fri May 12 13:05:03 Central Daylight Time 2006