Automated extraction of security policies from natural-language software documents

Xusheng Xiao, Amit Paradkar, Suresh Thummalapenta, Tao Xie
2012 Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering - FSE '12  
Access Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL
more » ... al requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%. Table 1: Identified subject, action, and resource elements in sentences matched with semantic patterns for ACP sentences. Semantic Pattern Examples Modal Verb in Main Verb Group An HCP [subject] can view [action] the patient's account [resource] .
doi:10.1145/2393596.2393608 dblp:conf/sigsoft/XiaoPTX12 fatcat:qf2mdh5qinbdbox5lcb3h2ecq4