Title :
Program partitioning based on static call graph analysis for privilege separation
Author :
Markus Trapp;Michael Rossberg;Guenter Schaefer
Author_Institution :
Technische Universität Ilmenau
Date :
7/1/2015 12:00:00 AM
Abstract :
The major cause of IT security incidents is software issues; hence, this article presents an automated approach for source code partitioning and privilege separation. Based on static call graph analysis, functions and program parts of a monolithic software are separated into several processes and grouped by the privilege they need. For the partitioning, we introduce a metric that estimates the potential security gain by considering the complexity and privilege distribution of the separated software. Furthermore, we present a partitioning heuristic that uses this metric to create a secure software partitioning.
Keywords :
"Software","Measurement","Permission","Computers","Process control","Context"
Conference_Title :
Computers and Communication (ISCC), 2015 IEEE Symposium on
DOI :
10.1109/ISCC.2015.7405582