Retrofitting Legacy Code for Authorization Policy Enforcement

Berkeley/Oakland, California May 21-May 24

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/SP.2006.34

2006 IEEE Symposium on Security and P ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Vinod Ganapathy Articles by Trent Jaeger Articles by Somesh Jha

	ASCII Text	x
	Vinod Ganapathy, Trent Jaeger, Somesh Jha, "Retrofitting Legacy Code for Authorization Policy Enforcement," Security and Privacy, IEEE Symposium on, pp. 214-229, 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006.

	BibTex	x
	@article{ 10.1109/SP.2006.34, author = {Vinod Ganapathy and Trent Jaeger and Somesh Jha}, title = {Retrofitting Legacy Code for Authorization Policy Enforcement}, journal ={Security and Privacy, IEEE Symposium on}, volume = {0}, year = {2006}, issn = {1081-6011}, pages = {214-229}, doi = {http://doi.ieeecomputersociety.org/10.1109/SP.2006.34}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Security and Privacy, IEEE Symposium on TI - Retrofitting Legacy Code for Authorization Policy Enforcement SN - 1081-6011 SP214 EP229 A1 - Vinod Ganapathy, A1 - Trent Jaeger, A1 - Somesh Jha, PY - 2006 KW - null VL - 0 JA - Security and Privacy, IEEE Symposium on ER -

Vinod Ganapathy, University of Wisconsin

Trent Jaeger, Pennsylvania State University

Somesh Jha, University of Wisconsin

Researchers have argued that the best way to construct a secure system is to proactively integrate security into the design of the system. However, this tenet is rarely followed because of economic and practical considerations. Instead, security mechanisms are added as the need arises, by retrofitting legacy code. Existing techniques to do so are manual and ad hoc, and often result in security holes. We present program analysis techniques to assist the process of retrofitting legacy code for authorization policy enforcement. These techniques can be used to retrofit legacy servers, such as X window, web, proxy, and cache servers. Because such servers manage multiple clients simultaneously, and offer shared resources to clients, they must have the ability to enforce authorization policies. A developer can use our techniques to identify security-sensitive locations in legacy servers, and place reference monitor calls to mediate these locations. We demonstrate our techniques by retrofitting the X11 server to enforce authorization policies on its X clients.

Citation:

Vinod Ganapathy, Trent Jaeger, Somesh Jha, "Retrofitting Legacy Code for Authorization Policy Enforcement," sp, pp.214-229, 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.