BibTeX
@MISC{Herrmann04trust-basedmonitoring,
author = {Peter Herrmann and Heiko Krumm},
title = {Trust-Based Monitoring of Component-Structured Software },
year = {2004}
}
Share
 |
 |
 |
 |
||
OpenURL
Abstract
In contrast to traditional software, component-structured systems are developed by combining independently designed and sold software components. This technology promises an easier reuse of software building blocks and, in consequence, a significant reduction of the efforts and costs to produce software applications. On the other side, component-structured software is subject to a new class of security threats. In particular, a maliciously acting component may easily spoil the application incorporating it. In this paper we introduce an approach addressing this particular threat. A so-called security wrapper monitors the events passing the interface of a component and checks them for compliance with formally specified security policies guaranteeing a benevolent behavior of the checked component. We introduce the layout and functionality of the wrappers and outline the formal security specifications which can be easily derived from a set of specification patterns. Unfortunately, the security wrappers cause runtime overhead which, however, can be significantly reduced by relaxing the degree of monitoring trustworthy components. In order to support the decision, whether a component can be trusted, we developed a special trust information service. This service collects evaluation reports of a particular component running in various applications which are provided by the different security wrappers. Based on the evaluation reports, the trust information service computes a so-called trust value which is delivered to the security wrappers, and a wrapper adjusts the degree of supervision of a component based on its trust value. The use of the security wrappers as well as of the trust management approach is clarified by means of an e-commerce example realizing the automated procurement of goods for a fastfood restaurant.
Keyphrases
component-structured software security wrapper trust-based monitoring evaluation report acting component e-commerce example component-structured system new class different security wrapper fastfood restaurant traditional software trust management approach specification pattern formal security specification particular component particular threat special trust information service checked component software building block software application so-called trust value significant reduction so-called security wrapper runtime overhead automated procurement benevolent behavior security policy various application security threat monitoring trustworthy component software component trust information service trust value
