Mining security-sensitive operations in legacy code using concept analysis

Vinod Ganapathy, David King, Trent Jaeger, Somesh Jha

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Scopus citations

Abstract

This paper presents an approach to statically retrofit legacy servers with mechanisms for authorization policy enforcement. The approach is based upon the observation that security-sensitive operations performed by a server are characterized by idiomatic resource manipulations, called fingerprints. Candidate fingerprints are automatically mined by clustering resource manipulations using concept analysis. These fingerprints are then used to identify security-sensitive operations performed by the server. Case studies with three real-world servers show that the approach can be used to identify security-sensitive operations with a few hours of manual effort and modest domain knowledge.

Original language: English (US)
Title of host publication: Proceedings - 29th International Conference on Software Engineering, ICSE 2007
Pages: 458-467
Number of pages: 10
DOIs: https://doi.org/10.1109/ICSE.2007.54
State: Published - Sep 25 2007
Event: 29th International Conference on Software Engineering, ICSE 2007 - Minneapolis, MN, United States
Duration: May 20 2007 to May 26 2007

Publication series

Name: Proceedings - International Conference on Software Engineering
ISSN (Print): 0270-5257

Other

Other: 29th International Conference on Software Engineering, ICSE 2007
Country: United States
City: Minneapolis, MN
Period: 5/20/07 to 5/26/07

All Science Journal Classification (ASJC) codes

  • Software


  • Cite this

    Ganapathy, V., King, D., Jaeger, T., & Jha, S. (2007). Mining security-sensitive operations in legacy code using concept analysis. In Proceedings - 29th International Conference on Software Engineering, ICSE 2007 (pp. 458-467). [4222607] (Proceedings - International Conference on Software Engineering). https://doi.org/10.1109/ICSE.2007.54