Trust-Based Protection of Software Component Users and Designers

  • Conference paper
Trust Management (iTrust 2003)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2692)

Abstract

Software component technology supports the cost-effective design of applications suited to the particular needs of the application owners. This design method, however, introduces two new security risks. First, a malicious component may attack the application incorporating it. Second, an application owner may falsely incriminate a component designer for damage in his application that in reality was caused by somebody else. The first risk is addressed by security wrappers that control the behavior at the component interface at runtime and enforce certain security policies in order to protect the other components of the application against attacks from the monitored component. Moreover, we use trust management to reduce the significant performance overhead of the security wrappers. Here, the kind and intensity of monitoring a component is adjusted according to the experience of other users with this component. To this end, a so-called trust information service collects positive and negative experience reports about the component from various users. Based on the reports, special trust values are computed which represent the belief or disbelief of all users in a component, or the uncertainty about it. The wrappers adjust the intensity of monitoring a component depending on its current trust value.

In this paper, we focus on the second security risk. To prevent a component user from sending wrong reports that result in a bad trust value for the component, which would thereby be wrongly incriminated, the trust information service also stores trust values of the component users. These trust values are based on valuations resulting from validity checks of the experience reports sent by the component users. To this end, an experience report is tested for consistency with a log of the component interface behavior, which the component user supplies together with the report. Moreover, the log itself is checked for correctness. By applying Jøsang’s subjective logic, we make the degree to which the experience reports of a component user are considered in computing the trust value of a component conditional upon the user’s own trust value. Thus, users with a bad reputation cannot influence the trust value of a component, since their experience reports are discounted.
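The discounting step described above can be illustrated with the standard discounting and consensus operators of Jøsang's subjective logic. This is an added example, not code from the paper: the paper's exact trust computation is not shown on this page, and all names and sample opinions below are constructed for illustration.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class Opinion:
    """Subjective-logic opinion: belief + disbelief + uncertainty = 1."""
    b: float
    d: float
    u: float

    def __post_init__(self):
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1) > 1e-9:
            raise ValueError("components must be non-negative and sum to 1")

def discount(trust_in_user: Opinion, report: Opinion) -> Opinion:
    """Discounting: weigh a user's report by the service's trust in that user."""
    t = trust_in_user
    return Opinion(t.b * report.b, t.b * report.d, t.d + t.u + t.b * report.u)

def consensus(x: Opinion, y: Opinion) -> Opinion:
    """Consensus: fuse two independent opinions about the same component."""
    k = x.u + y.u - x.u * y.u
    if k == 0:  # both opinions have u = 0; plain averaging is an assumption here
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0)
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k,
                   x.u * y.u / k)

def component_trust(reports):
    """reports: iterable of (trust_in_user, user_opinion_about_component)."""
    return reduce(consensus, (discount(t, r) for t, r in reports))

# Constructed sample data: two reputable users, one user with a bad reputation.
HONEST = Opinion(0.9, 0.0, 0.1)
DISCREDITED = Opinion(0.05, 0.85, 0.10)
GOOD_REPORT = Opinion(0.8, 0.0, 0.2)
SMEAR_REPORT = Opinion(0.0, 0.95, 0.05)

def demo():
    """Return (undiscounted fusion, fusion weighted by reporter trust)."""
    naive = reduce(consensus, [GOOD_REPORT, GOOD_REPORT, SMEAR_REPORT])
    weighted = component_trust([(HONEST, GOOD_REPORT),
                                (HONEST, GOOD_REPORT),
                                (DISCREDITED, SMEAR_REPORT)])
    return naive, weighted

if __name__ == "__main__":
    for label, op in zip(("undiscounted", "discounted"), demo()):
        print(f"{label}: b={op.b:.3f} d={op.d:.3f} u={op.u:.3f}")
```

Without discounting, the single confident negative report dominates the fused opinion; once it is weighted by the reporter's own low trust value, it contributes almost only uncertainty.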

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Herrmann, P. (2003). Trust-Based Protection of Software Component Users and Designers. In: Nixon, P., Terzis, S. (eds) Trust Management. iTrust 2003. Lecture Notes in Computer Science, vol 2692. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44875-6_6

  • DOI: https://doi.org/10.1007/3-540-44875-6_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40224-4

  • Online ISBN: 978-3-540-44875-4

  • eBook Packages: Springer Book Archive
