This award is funded under the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).
Though perhaps unfortunate, as a practical matter software is often
built with functionality as a primary goal, and security features are
only added later, often after vulnerabilities have been identified.
To reduce the cost and increase assurance in the process of security
retrofitting, the aim to develop a methodology involving automated and
semi-automated tools and techniques to add authorization policy
enforcement functionality to legacy software systems.
The main insight is that major portions of the tasks involved in
retrofitting code can be or already have been automated, so the design
process focuses on enabling further automation and aggregating these
tasks into a single, coherent approach.
More specifically, techniques and tools are being developed to: (1)
identify and label security-relevant objects and I/O channels by
analyzing and instrumenting annotated application source code; (2)
insert code to mediate access to labeled entities; (3) abstract the
inserted checks into policy-relevant, security-sensitive operations
that are authorized (or denied) by the application's security policy;
(4) integrate the retrofitted legacy code with the site's specific
policy at deployment time to ensure, through advanced policy analysis,
that the application enforces that site's policy correctly, and (5)
verify correct enforcement of OS policy delegation by the retrofitted
The techniques and tools being developed are useful not only
for retrofitting, but also for augmenting and verifying existing code
already outfitted with security functionality; hence improving the
state-of-the-art in creating more secure software.
|Effective start/end date||9/1/09 → 8/31/13|
- National Science Foundation: $300,000.00