Inferring semantic mapping between policies and code: the clue is in the language
Venue
International Symposium on Engineering Secure Software and Systems, Springer (2015)
Publication Year
2015
Authors
Pauline Anthonysamy, Matthew Edwards, Chris Weichel, Awais Rashid
BibTeX
Abstract
A common misstep in the development of security and privacy solutions is the
failure to keep the demands resulting from high-level policies in line with the
actual implementation that is supposed to operationalize those policies. This is
especially problematic in the domain of social networks, where software typically
predates policies and then evolves alongside its user base and any changes in
policies that arise from their interactions with (and the demands that they place
on) the system. Our contribution targets this specific problem, drawing together
the assurances actually presented to users in the form of policies and the large
codebases with which developers work. We demonstrate that a mapping between
policies and code can be inferred from the semantics of the natural language. These
semantics manifest not only in the policy statements but also coding conventions.
Our technique, implemented in a tool (CASTOR ), can infer semantic mappings with F1
accuracy of 70% and 78% for two social networks, Diaspora and Friendica
respectively – as compared with a ground truth mapping established through manual
examination of the policies and code.
