Abstract: Techniques for tailoring security configurations for least-privilege applications are provided. In one technique, multiple software artifacts associated with a software application are identified. For each software artifact, a call graph is generated, the call graph is added to a set of call graphs, and a set of dependencies for the software artifact is detected. The set of call graphs are combined to generate a merged call graph. One or more portions of the merged call graph are pruned to generate a pruned call graph. Annotation data is stored that associates elements in the pruned call graph with the set of dependencies for each software artifact. Based on the annotation data, reachable dependencies are identified. Based on the reachable dependencies, a set of security policies is generated for the software application.

Abstract: Techniques for tailoring security configurations for least-privilege applications are provided. In one technique, multiple software artifacts associated with a software application are identified. For each software artifact, a call graph is generated, the call graph is added to a set of call graphs, and a set of dependencies for the software artifact is detected. The set of call graphs are combined to generate a merged call graph. One or more portions of the merged call graph are pruned to generate a pruned call graph. Annotation data is stored that associates elements in the pruned call graph with the set of dependencies for each software artifact. Based on the annotation data, reachable dependencies are identified. Based on the reachable dependencies, a set of security policies is generated for the software application.