Abstract
Software component technology supports the cost-effective development of e-commerce applications but also introduces special security problems. In particular, a malicious component is a threat to any application incorporating it. Wrappers that control the behavior of components at run-time and enforce the application’s security policies are therefore of interest. The wrapper of a component monitors the component's behavior at its interfaces and checks its compliance with the security behavior constraints of the component’s employment contract. We propose state-based security policy definitions, report on their suitable design, and clarify their employment by means of a component-structured e-procurement application.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35617-4_48
Copyright information
© 2003 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Herrmann, P., Wiebusch, L., Krumm, H. (2003). State-Based Security Policy Enforcement in Component-Based E-Commerce Applications. In: Monteiro, J.L., Swatman, P.M.C., Tavares, L.V. (eds) Towards the Knowledge Society. IFIP — The International Federation for Information Processing, vol 105. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35617-4_13
DOI: https://doi.org/10.1007/978-0-387-35617-4_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6861-9
Online ISBN: 978-0-387-35617-4
eBook Packages: Springer Book Archive