TC: Medium: Collaborative Research: Techniques to Retrofit Legacy Code with Security

Project: Research project

Project Details


This award is funded under the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).

Though perhaps unfortunate, as a practical matter software is often

built with functionality as a primary goal, and security features are

only added later, often after vulnerabilities have been identified.

To reduce the cost and increase assurance in the process of security

retrofitting, the aim to develop a methodology involving automated and

semi-automated tools and techniques to add authorization policy

enforcement functionality to legacy software systems.

The main insight is that major portions of the tasks involved in

retrofitting code can be or already have been automated, so the design

process focuses on enabling further automation and aggregating these

tasks into a single, coherent approach.

More specifically, techniques and tools are being developed to: (1)

identify and label security-relevant objects and I/O channels by

analyzing and instrumenting annotated application source code; (2)

insert code to mediate access to labeled entities; (3) abstract the

inserted checks into policy-relevant, security-sensitive operations

that are authorized (or denied) by the application's security policy;

(4) integrate the retrofitted legacy code with the site's specific

policy at deployment time to ensure, through advanced policy analysis,

that the application enforces that site's policy correctly, and (5)

verify correct enforcement of OS policy delegation by the retrofitted


The techniques and tools being developed are useful not only

for retrofitting, but also for augmenting and verifying existing code

already outfitted with security functionality; hence improving the

state-of-the-art in creating more secure software.

Effective start/end date9/1/098/31/13


  • National Science Foundation: $300,000.00


Explore the research topics touched on by this project. These labels are generated based on the underlying awards/grants. Together they form a unique fingerprint.