An integrated security model for component-based systems

Maliciously planted code in third-party components, as well as coding errors, design flaws and functional failures that could be subverted by malicious attackers, expose component-based systems (CBS) to potentially serious security threats. Approaches to securing CBSs fall broadly into two categories: execution of untrusted components in a secure environment, and secure composition of components at the design stage. Taking the former approach, this research uses logical separation instead of physical separation. Works addressing security in this manner are limited and tend to focus on assuring security from the operating system's perspective, or from the perspective of a single security objective. The latter is a limitation, particularly in modern industrial applications that require the assurance of more than one security objective within the same application at the same time. In this respect, this paper presents an integrated multi-objective component security (ICS) model, comprising the Bell-LaPadula and Biba security models, for preventing breaches of confidentiality and integrity in CBS.
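The limitation of a single security objective can be seen by applying the textbook Bell-LaPadula and Biba rules to the same request. The sketch below is an added illustration, not the paper's ICS model or its code; the component names, labels and three-level ordering are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # constructed three-level ordering, reused for both axes
    LOW = 0
    MEDIUM = 1
    HIGH = 2

@dataclass(frozen=True)
class Label:
    conf: Level   # confidentiality level (Bell-LaPadula)
    integ: Level  # integrity level (Biba)

def violations(subject: Label, obj: Label, op: str) -> list:
    """Return the rules that forbid `op`; an empty list means it is allowed."""
    found = []
    if op == "read":
        if subject.conf < obj.conf:
            found.append("BLP simple security (no read up)")
        if subject.integ > obj.integ:
            found.append("Biba simple integrity (no read down)")
    elif op == "write":
        if subject.conf > obj.conf:
            found.append("BLP *-property (no write down)")
        if subject.integ < obj.integ:
            found.append("Biba *-integrity (no write up)")
    else:
        raise ValueError(f"unknown operation: {op!r}")
    return found

# Constructed labels for a hypothetical industrial application.
PLUGIN = Label(Level.LOW, Level.LOW)          # untrusted third-party component
CONTROL = Label(Level.HIGH, Level.HIGH)       # in-house control logic
SETPOINTS = Label(Level.MEDIUM, Level.HIGH)   # process setpoint store
PUBLIC_LOG = Label(Level.LOW, Level.LOW)      # externally visible log

def audit(requests):
    """Map each denied (name, subject, object, op) request to its violated rules."""
    return {name: v for name, s, o, op in requests if (v := violations(s, o, op))}

REQUESTS = [
    ("plugin writes setpoints", PLUGIN, SETPOINTS, "write"),      # BLP alone allows
    ("control writes public log", CONTROL, PUBLIC_LOG, "write"),  # Biba alone allows
    ("control reads setpoints", CONTROL, SETPOINTS, "read"),
    ("plugin reads setpoints", PLUGIN, SETPOINTS, "read"),
]

if __name__ == "__main__":
    for name, rules in audit(REQUESTS).items():
        print(f"DENY {name}: {', '.join(rules)}")
```

The first two requests are each permitted by one model and denied by the other, so a monitor enforcing only confidentiality or only integrity would let one of them through.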
