A framework for an active interface to characterise compositional security contracts of software components

This paper presents a framework for constructing compositional security contracts (CsC) from the security properties exposed by atomic components. The framework uses the interface structure of components to determine the CsC of a composed system. An active interface gives a component a basis for reasoning about, and assessing, a candidate component's suitability to meet the security requirements of a particular application. Using the security information available from the component interface, an active interface can determine whether the candidate component meets the security requirements of an envisaged system-wide application. Any security mismatches or discrepancies between components can be identified by the participating components before the actual composition takes place. Exposing the security properties of software components can be the basis for a trust relationship among components, and the exposed properties can affect the security of the enclosing system.
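The checking step described above, as an added illustrative example that is not code from the paper: each component exposes, through its interface, the security properties it ensures and those it requires; an active-interface check compares a candidate's ensured properties against the requesting component's requirements (and vice versa) before composition, and the compositional contract is derived only when no mismatch remains. The property names, the strength scales, the component contracts and the weakest-link derivation rule are all assumptions constructed for the example, not the paper's formalism.

```python
"""Model of an active interface checking security contracts before composition.

Constructed example: the properties, orderings, sample components and the
weakest-link rule for the composite contract are assumptions, not the
paper's own framework.
"""
from dataclasses import dataclass
from typing import Dict, List

# Strength scales, weakest first (assumed).  A component that ensures a
# stronger level satisfies a requirement for any weaker level on that scale.
ORDERINGS: Dict[str, List[str]] = {
    "authentication": ["none", "password", "mutual-tls"],
    "confidentiality": ["plaintext", "encrypted"],
    "integrity": ["none", "checksum", "mac"],
}


@dataclass(frozen=True)
class SecurityContract:
    """Security properties a component exposes through its interface."""
    name: str
    ensures: Dict[str, str]   # guarantees offered to the other party
    requires: Dict[str, str]  # demands placed on the other party


def satisfies(prop: str, offered: str, needed: str) -> bool:
    """True if an offered level meets a needed level for one property."""
    scale = ORDERINGS.get(prop)
    if scale is None:                     # property without a scale: exact match only
        return offered == needed
    if offered not in scale or needed not in scale:
        return False                      # an unrecognised level never satisfies anything
    return scale.index(offered) >= scale.index(needed)


def _unmet(demander: SecurityContract, offerer: SecurityContract) -> List[str]:
    """Requirements of `demander` that `offerer`'s exposed guarantees do not meet."""
    problems = []
    for prop, needed in demander.requires.items():
        offered = offerer.ensures.get(prop)
        if offered is None:
            problems.append(f"{offerer.name} exposes no '{prop}' "
                            f"({demander.name} needs {needed!r})")
        elif not satisfies(prop, offered, needed):
            problems.append(f"{offerer.name} ensures {prop}={offered!r} "
                            f"but {demander.name} needs {needed!r}")
    return problems


def check_composition(a: SecurityContract, b: SecurityContract) -> List[str]:
    """Active-interface check in both directions; empty list means no mismatch."""
    return _unmet(a, b) + _unmet(b, a)


def compose(a: SecurityContract, b: SecurityContract) -> SecurityContract:
    """Derive the compositional contract of a and b.

    Weakest-link rule (assumed): the composite ensures a property only if
    both parts ensure it, at the weaker of the two levels.  Because the
    mutual demands were all met inside the pair, nothing is required outward
    in this two-party model.
    """
    problems = check_composition(a, b)
    if problems:
        raise ValueError("; ".join(problems))
    ensures = {}
    for prop in a.ensures.keys() & b.ensures.keys():
        level_a, level_b = a.ensures[prop], b.ensures[prop]
        # keep level_a only if level_b is at least as strong; otherwise level_b is weaker
        ensures[prop] = level_a if satisfies(prop, level_b, level_a) else level_b
    return SecurityContract(f"{a.name}+{b.name}", ensures, {})


# Constructed sample components (hypothetical, not from the paper).
ORDER_SERVICE = SecurityContract(
    "OrderService",
    ensures={"authentication": "password", "confidentiality": "encrypted"},
    requires={"confidentiality": "encrypted", "authentication": "mutual-tls"},
)
PAYMENT_GATEWAY = SecurityContract(
    "PaymentGateway",
    ensures={"authentication": "mutual-tls", "confidentiality": "encrypted", "integrity": "mac"},
    requires={"authentication": "password"},
)
LEGACY_GATEWAY = SecurityContract(
    "LegacyGateway",
    ensures={"authentication": "password", "confidentiality": "plaintext"},
    requires={"authentication": "mutual-tls"},
)


if __name__ == "__main__":
    for candidate in (PAYMENT_GATEWAY, LEGACY_GATEWAY):
        problems = check_composition(ORDER_SERVICE, candidate)
        if problems:
            print(f"reject {candidate.name}:")
            for p in problems:
                print("  -", p)
        else:
            print(f"accept {candidate.name}: composite ensures",
                  compose(ORDER_SERVICE, candidate).ensures)
```

Running the block rejects the legacy candidate on three counts (its plaintext channel, its password-only authentication, and its own demand for mutual TLS that the order service cannot meet) and accepts the other, deriving a composite that ensures only what both halves ensure. The bidirectional check is the point: a mismatch in either direction is visible to the participating components before anything is wired together.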
