Mining Security-Sensitive Operations in Legacy Code Using Concept Analysis

Date
2006
Author
Ganapathy, Vinod
King, Dave
Jaeger, Trent
Jha, Somesh
Publisher
University of Wisconsin-Madison Department of Computer Sciences
Abstract
We present an approach based on concept analysis to retrofit legacy servers
with mechanisms for authorization policy enforcement. Our approach is based
upon the observation that security-sensitive operations are characterized by
idiomatic resource manipulations, called fingerprints. We statically mine
fingerprints using concept analysis and then use them to identify
security-sensitive operations and locate where they are performed by the
server. Case studies with three real-world servers show that our approach is
affordable and effective. We were able to identify security-sensitive
operations for each of these servers with a few hours of manual effort and
modest domain knowledge.
Permanent Link
http://digital.library.wisc.edu/1793/60534
Type
Technical Report
Citation
TR1580