Abstract: Techniques are described herein for function-level limiting of privileges for a target application. Privileges dependencies for different functions of an application are determined based on static evaluation of the code base. A call graph with nodes representing the application functions is established, and the nodes are associated with the determined privilege dependencies. The graph is modified using iterative backward dataflow analysis to associate the nodes in the graph with privileges that are reachable from each node. Transition-edges are identified within the graph, where a transition-edge connects nodes having different sets of privileges. Function calls implementing the identified transition-edges are replaced, in instructions for the application (e.g., bytecode or machine code), with calls to wrapper functions.

Abstract: Techniques for tailoring security configurations for least-privilege applications are provided. In one technique, multiple software artifacts associated with a software application are identified. For each software artifact, a call graph is generated, the call graph is added to a set of call graphs, and a set of dependencies for the software artifact is detected. The set of call graphs are combined to generate a merged call graph. One or more portions of the merged call graph are pruned to generate a pruned call graph. Annotation data is stored that associates elements in the pruned call graph with the set of dependencies for each software artifact. Based on the annotation data, reachable dependencies are identified. Based on the reachable dependencies, a set of security policies is generated for the software application.

Abstract: Techniques for tailoring security configurations for least-privilege applications are provided. In one technique, multiple software artifacts associated with a software application are identified. For each software artifact, a call graph is generated, the call graph is added to a set of call graphs, and a set of dependencies for the software artifact is detected. The set of call graphs are combined to generate a merged call graph. One or more portions of the merged call graph are pruned to generate a pruned call graph. Annotation data is stored that associates elements in the pruned call graph with the set of dependencies for each software artifact. Based on the annotation data, reachable dependencies are identified. Based on the reachable dependencies, a set of security policies is generated for the software application.