Trust-Based Procurement Support for Software Components
Universität Dortmund, FB Informatik, LS IV, D-44221 Dortmund
E-Mail: Peter.Herrmann@cs.tu-dortmund.de
Abstract
Component-structured software facilitates the design of problem-specific software solutions at a reasonable price. Due to the significant number of principals involved in the component development and employment process, however, a new class of security problems is introduced. In particular, a malicious component is a threat to any application incorporating it. Thus, a customer of software components has to attach importance to security aspects. Unfortunately, the available information often does not suffice to make a sound procurement decision. Therefore components have to be evaluated by means of certification and runtime monitoring. These methods, however, are usually laborious and costly. In order to reduce the expense of evaluating components, we apply an approach which takes into consideration the experience other customers have gained with the component in question. It employs the concept of trust management, which makes it possible to calculate trust values (i.e., values describing the trust in a component) from good or bad evaluations of it. In particular, we introduce a trust information service collecting the expertises which component customers and certification authorities gained from certifying a component as well as from monitoring it during deployment. From these evaluations a trust value is generated and offered to parties interested in purchasing the component. Moreover, we outline an extension of a runtime monitoring software which enables the automatic generation of good or bad monitoring expertises. Likewise, the intensity of the runtime observations of a component may be adjusted according to the current trust value of the component.
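The following sketch is an added illustration of the two mechanisms the abstract describes (a trust information service that condenses good and bad expertises into a trust value, and a runtime monitor whose intensity follows that value). It is not code from the paper: the abstract does not give the formula the authors use, so the mapping of good/bad counts to a belief/disbelief/uncertainty opinion (in the style of Josang's opinion model), the "uncertainty counts half" trust value, the monitoring-intensity rule and all component and evaluator names are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example of a trust information service (hypothetical; not the
# paper's implementation). It collects good/bad evaluations that customers
# and certification authorities gained from certifying or monitoring a
# component and condenses them into a trust value for prospective buyers.


@dataclass(frozen=True)
class Evaluation:
    component: str   # identifier of the software component
    source: str      # who evaluated it: a customer or a certification authority
    kind: str        # "certification" or "monitoring"
    good: bool       # True = positive expertise, False = negative expertise


@dataclass
class TrustInformationService:
    _reports: Dict[str, List[Evaluation]] = field(default_factory=dict)

    def submit(self, ev: Evaluation) -> None:
        """Store an expertise reported by a customer or certification authority."""
        self._reports.setdefault(ev.component, []).append(ev)

    def counts(self, component: str) -> Tuple[int, int]:
        """Number of good and bad evaluations recorded for a component."""
        evs = self._reports.get(component, [])
        good = sum(1 for e in evs if e.good)
        return good, len(evs) - good

    def opinion(self, component: str) -> Tuple[float, float, float]:
        """Belief, disbelief and uncertainty derived from the good/bad counts.

        Assumption: belief = p/(p+n+2), disbelief = n/(p+n+2) and
        uncertainty = 2/(p+n+2), as in Josang's opinion model; the abstract
        does not state which formula the paper actually uses.
        """
        p, n = self.counts(component)
        total = p + n + 2
        return p / total, n / total, 2 / total

    def trust_value(self, component: str) -> float:
        """Single trust value in [0, 1] offered to parties interested in buying.

        Uncertainty counts half towards trust, so a component nobody has
        evaluated yet starts at 0.5 instead of being trusted or distrusted.
        """
        b, _d, u = self.opinion(component)
        return b + 0.5 * u


def monitoring_intensity(trust: float, floor: float = 0.1) -> float:
    """Fraction of a component's interactions the runtime monitor inspects.

    Low trust -> observe (almost) everything; high trust -> sample sparsely,
    but never below `floor`, so a well-trusted component that starts to
    misbehave later can still produce bad monitoring expertises.
    """
    return max(floor, min(1.0, 1.0 - trust))


def build_sample_service() -> TrustInformationService:
    """Constructed sample evaluations (not real data) for three components."""
    svc = TrustInformationService()
    reports = [
        # comp-A: certified once, three clean monitoring runs, one bad one
        Evaluation("comp-A", "ca-1", "certification", True),
        Evaluation("comp-A", "customer-1", "monitoring", True),
        Evaluation("comp-A", "customer-2", "monitoring", True),
        Evaluation("comp-A", "customer-3", "monitoring", False),
        # comp-B: repeatedly reported as misbehaving
        Evaluation("comp-B", "customer-1", "monitoring", False),
        Evaluation("comp-B", "customer-2", "monitoring", False),
        Evaluation("comp-B", "customer-4", "monitoring", False),
        Evaluation("comp-B", "ca-2", "certification", False),
        # comp-C: no evaluations at all
    ]
    for r in reports:
        svc.submit(r)
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    for comp in ("comp-A", "comp-B", "comp-C"):
        t = svc.trust_value(comp)
        print(f"{comp}: good/bad={svc.counts(comp)} trust={t:.3f} "
              f"monitor={monitoring_intensity(t):.2f}")
```

With the constructed reports, comp-A ends up at a trust value of 2/3 and is sampled at one third intensity, comp-B drops to 1/6 and is watched almost completely, and the unevaluated comp-C sits at 0.5 with half intensity. The floor in monitoring_intensity is the practitioner's caveat: trust derived from past expertises must never switch monitoring off entirely, otherwise a component that turns malicious after it has earned trust would go unnoticed.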
Key Words
Software component, component procurement, trust management, trust information service, runtime monitoring
Published in
To appear in Proceedings of the 4th International Conference on
Electronic Commerce Research (ICECR-4), ATSMA, IFIP,
Dallas, November 2001.
Obtaining the paper
Due to the copyright agreement between the publisher and the authors we are
not allowed to make the paper available online. If you have problems
obtaining it, please call us.
Peter Herrmann, October 5, 2001