COTS, the safety nightmare of component-oriented frameworks

Third-party components seem to be an easy solution when implementing a sophisticated software application. This paper takes a closer look at the security implications for a system that uses third-party components. We will focus on third-party components for which the source code is not available and thus the exact behavior is unknown. Different methods that can be used for testing and validating the given specifications as well as the undocumented behavior of these components will be discussed. On-line as well as off-line methods will be presented. We will conclude that no single method provides an acceptable degree of security and, because the testing and validation effort must remain lower than the effort of designing and producing the component yourself, not even the combination of all possible methods provides a sufficient degree of security for a mission-critical application.

Lieven Desmet, Liesbeth Jaco, Koenraad Mertens, Tine Verhanneman
DistriNet, Dept. of Computer Science, K.U.Leuven

DistriNet Workshop on Run-Time Adaptation in Distributed Software
November 29-30, 2002