
Towards a unifying view on security contracts

Published: 15 May 2005

Abstract

A key property of software component technology is predictability, which means that the properties of an overall system can be deduced from the properties of the individual components. One of the crucial building blocks in component technology is the notion of component contract. In order to leverage predictability for the construction of secure systems, security requirements and properties must be adequately supported by component contracts, which is currently a challenging and open problem. This paper provides an overview of the problem domain by presenting an initial taxonomy of security contracts and their representative security properties.


Published In

ACM SIGSOFT Software Engineering Notes  Volume 30, Issue 4
July 2005
1514 pages
ISSN:0163-5948
DOI:10.1145/1082983
SESS '05: Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
May 2005
112 pages
ISBN:1595931147
DOI:10.1145/1083200
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published in SIGSOFT Volume 30, Issue 4

Author Tags

  1. component technology
  2. secure software engineering
  3. security contracts

Qualifiers

  • Article
