Seminars & Colloquia
Department of Computer Science, University of Wisconsin
"Retrofitting Legacy Code for Security"
Friday March 30, 2007 10:00 AM
Location: 3-211, EB II NCSU Centennial Campus
(Visitor parking instructions)
In my talk, I will focus on the problem of retrofitting legacy software with mechanisms for authorization policy enforcement. A developer faced with the task of adding authorization checks must answer two key questions: (a) what are the security-sensitive operations that must be mediated with authorization checks? and (b) where in the software are these operations performed? I will present program analysis and transformation techniques that reduce the manual effort needed to answer these questions and add authorization checks. The cornerstone of these techniques is a formalism called fingerprints that helps characterize security-sensitive operations. I will present both static and dynamic program analysis techniques to mine fingerprints from legacy software, and show how fingerprints aid in adding authorization checks. Experiments with several real-world software systems show that these techniques can drastically reduce the effort needed to retrofit legacy software with security mechanisms.
Host: Douglas Reeves, Computer Science, NCSU