Trust-Based Procurement Support for Software Components

Peter Herrmann

Universität Dortmund, FB Informatik, LS IV, D-44221 Dortmund
E-Mail: Peter.Herrmann@cs.tu-dortmund.de

Abstract

Component-structured software facilitates the design of problem-specific software solutions at a reasonable price. Due to the significant number of principals involved in the component development and employment process, however, a new class of security problems is introduced. In particular, a malicious component is a threat to any application incorporating it. Thus, a customer of software components has to attach importance to security aspects. Unfortunately, the available information often does not suffice to make a sound procurement decision. Therefore, components have to be evaluated by means of certification and runtime monitoring. These methods, however, are usually laborious and costly. In order to reduce the expense of evaluating components, we apply an approach which takes into consideration the experience other customers have had with the component in question. It employs the concept of trust management, which makes it possible to calculate trust values (i.e., values describing the trust in a component) from good or bad evaluations of it. In particular, we introduce a trust information service collecting the expertise that component customers and certification authorities gained both from certifying a component and from monitoring it during deployment. From these evaluations a trust value is generated and offered to parties interested in purchasing the component. Moreover, we outline an extension of a runtime monitoring software which enables the automatic generation of good or bad monitoring evaluations. Likewise, the intensity of the runtime observations of a component may be adjusted according to the current trust value of the component.

Key Words

Software component, component procurement, trust management, trust information service, runtime monitoring

Published in

To appear in Proceedings of the 4th International Conference on Electronic Commerce Research (ICECR-4), ATSMA, IFIP, Dallas, November 2001.

Obtaining the paper

Due to the copyright agreement between the publisher and the authors, we are not allowed to make the paper available online. If you have problems obtaining it, please call us.


Peter Herrmann, October 5, 2001 -- digital media copyright