nach oben

Erschienen in:

2016 | OriginalPaper | Buchkapitel

Inferring Semantic Mapping Between Policies and Code: The Clue is in the Language

verfasst von : Pauline Anthonysamy, Matthew Edwards, Chris Weichel, Awais Rashid

Erschienen in: Engineering Secure Software and Systems

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

A common misstep in the development of security and privacy solutions is the failure to keep the demands resulting from high-level policies in line with the actual implementation that is supposed to operationalize those policies. This is especially problematic in the domain of social networks, where software typically predates policies and then evolves alongside its user base and any changes in policies that arise from their interactions with (and the demands that they place on) the system. Our contribution targets this specific problem, drawing together the assurances actually presented to users in the form of policies and the large codebases with which developers work. We demonstrate that a mapping between policies and code can be inferred from the semantics of the natural language. These semantics manifest not only in the policy statements but also coding conventions. Our technique, implemented in a tool (CASTOR), can infer semantic mappings with F1 accuracy of 70 % and 78 % for two social networks, Diaspora and Friendica respectively – as compared with a ground truth mapping established through manual examination of the policies and code.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel AppPAL for Android

Nächstes Kapitel Idea: Supporting Policy-Based Access Control on Database Systems

Nur mit Berechtigung zugänglich

http://wordnet.princeton.edu/.

http://nltk.googlecode.com/svn/trunk/doc/howto/wordnet.html.

https://github.com/diaspora.

https://github.com/friendica/friendica.

http://www.essex.ac.uk/linguistics/external/clmt/w3c/corpus_ling/content/corpora/list/private/brown/brown.html.

See example policies at http://www.paulineanthonysamy.com/myData.html.

Naive bayes. http://www.nltk.org/_modules/nltk/classify/naivebayes.html

SVM. http://www.nltk.org/_modules/nltk/classify/svm.html

Code contracts (2010). http://research.microsoft.com/en-us/projects/contracts/

EU data directive 95/46/ec, February 2014. http://eur-lex.europa.eu/

Facebook photo leak flaw raises security concerns, March 2015. http://www.computerweekly.com/news/2240242708/Facebook-photo-leak-flaw-raises-security-concerns

Anthonysamy, P.: A framework to detect information asymmetries between privacy policies and controls of OSNs. Ph.D. thesis, Lancaster University (2014)

Anthonysamy, P., Greenwood, P., Rashid, A.: Social networking privacy: understanding the disconnect from policy to controls. IEEE Computer, June 2013

Anthonysamy, P., Greenwood, P., Rashid, A.: A method for analysing traceability between privacy policies and privacy controls of online social networks. In: Preneel, B., Ikonomou, D. (eds.) APF 2012. LNCS, vol. 8319, pp. 187–202. Springer, Heidelberg (2014)CrossRef

Antoniol, G., Canfora, G., Casazza, G., De Lucia, A., Merlo, E.: Tracing object-oriented code into functional requirements. In: 8th International Workshop on Program Comprehension, 2000, Proceedings IWPC 2000, pp. 79–86 (2000)

10.

Antoniol, G., Canfora, G., de Lucia, A., Casazza, G.: Information retrieval models for recovering traceability links between code and documentation. In: Proceedings of the International Conference on Software Maintenance (ICSM 2000). IEEE Computer Society, Washington, DC (2000)

11.

Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL). Technical report, Rschlikon (2003)

12.

Breiman, L.: Random forests. Mach. Learn. 45, 5–32 (2001). http://dx.doi.org/10.1023/A%3A1010933404324

13.

Chawla, N.V., Japkowicz, N., Kotcz, A.: Editorial: special issue on learning from imbalanced data sets. SIGKDD Explor. Newsl. 6(1), 1–6 (2004)CrossRef

14.

Cleland-Huang, J., Czauderna, A., Gibiec, M., Emenecker, J.: A ML approach for tracing regulatory codes to product specific requirements. In: ICSE (2010)

15.

Cranor, L., Langheinrich, M., Marchiori, M.: A P3P preference exchange language 1.0 (appel 1.0). World Wide Web Consortium, Working Draft WD-P3P-preferences-20020415, April 2002

16.

Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of the 27th International Conference on Software Engineering, ICSE 2005, pp. 196–205. ACM, New York (2005)

17.

Haiduc, S., Bavota, G., Oliveto, R., De Lucia, A., Marcus, A.: Automatic query performance assessment during the retrieval of software artifacts. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012, pp. 90–99. ACM, New York (2012)

18.

Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in javascript web applications. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 270–283. ACM, New York (2010)

19.

Klein, D., Manning, C.D.: Accurate unlexicalized parsing. In: Proceedings of the 41st Annual Meeting on Association for Computational Linguistics (ACL 2003) - vol. 1. pp. 423–430, Stroudsburg, PA, USA (2003)

20.

Ma, L., Torney, R., Watters, P., Brown, S.: Automatically generating classifier for phishing email prediction. In: 2009 10th International Symposium on Pervasive Systems, Algorithms, and Networks (ISPAN), pp. 779–783, December 2009

21.

Massey, A., Otto, P., Hayward, L., Antn, A.: Evaluating existing security and privacy requirements for legal compliance. Requirements Engineering (2010)

22.

May, M.J., Gunter, C.A., Lee, I.: Privacy APIs: access control techniques to analyze and verify legal privacy policies. In: Proceedings of the 19th IEEE Workshop on Computer Security Foundations, CSFW 2006, pp. 85–97. IEEE Computer Society, Washington, DC (2006)

23.

Meyer, B.: Object-Oriented Software Construction, 1st edn. Prentice-Hall Inc, Upper Saddle River (1988)MATH

24.

Pandita, R., Xiao, X., Zhong, H., Xie, T., Oney, S., Paradkar, A.: Inferring method specifications from natural language api descriptions. In: Proceedings of the 34th International Conference on Software Engineering, ICSE 2012 (2012)

25.

Rumbaugh, J., Blaha, M., Premerlani, W., Eddy, F., Lorensen, W.E., et al.: Object-Oriented Modeling and Design, vol. 199. Prentice Hall, Upper Saddle River (1991)MATH

26.

Wagner, D.: Static analysis and computer security: new techniques for software assurance. Ph.D. thesis, University of California at Berkeley, December 2000

Titel: Inferring Semantic Mapping Between Policies and Code: The Clue is in the Language
verfasst von: Pauline Anthonysamy
Matthew Edwards
Chris Weichel
Awais Rashid
Verlag: Springer International Publishing
Buch: Engineering Secure Software and Systems
Print ISBN: 978-3-319-30805-0

Electronic ISBN: 978-3-319-30806-7

Copyright-Jahr: 2016
DOI: https://doi.org/10.1007/978-3-319-30806-7_15

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"