Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

Vinod Ganapathy, David King, Trent Jaeger, and Somesh Jha.

In 29th International Conference on Software Engineering.

Minneapolis, Minnesota, May 2007.

This paper presents an approach to statically retrofit legacy servers with mechanisms for authorization policy enforcement. The approach is based upon the observation that security-sensitive operations performed by a server are characterized by idiomatic resource manipulations, called fingerprints. Candidate fingerprints are automatically mined by clustering resource manipulations using concept analysis. These fingerprints are then used to identify security-sensitive operations performed by the server. Case studies with three real-world servers show that the approach can be used to identify security-sensitive operations with a few hours of manual effort and modest domain knowledge.

Paper: [pdf] [ps]

This page updated January 21, 2007.