Secure Self-Certified COTS

Authors

  • Mourad Debbabi
  • E. Giasson
  • Béchir Ktari
  • Frédéric Michaud
  • Nadia Tawbi
Abstract

With the advent and the rising popularity of networks, the Internet, intranets and distributed systems, security is becoming one of the major concerns in IT research. An increasing number of approaches have been proposed to ensure the safety and security of programs. Among those approaches, certified code seems to be the most promising. Unfortunately, as of today, most of the research on certified code has focused on simple type safety and memory safety rather than on security issues. We therefore propose to extend this approach to the security aspects of a program. Our intention is to use such an approach as an efficient and realistic solution to the problem of malicious code detection in COTS. In this paper, we present our progress in defining and implementing a certifying compiler that produces secure self-certified code that can be used to ensure both the safety and the security of the code.

1. Motivation and Background

Nowadays, many information infrastructures are based on so-called Commercial Off-The-Shelf (COTS) components. Many organizations are undergoing a remarkable move from legacy systems towards COTS-based systems. The main motivation underlying such a migration is to take advantage of cutting-edge technologies and also to lower the life-cycle costs of computer systems. Nevertheless, this migration poses major and very interesting challenges to the currently established computer system technologies in terms of security, reliability, integration, interoperability, maintenance, planning, etc.

In our current research, we are concerned with malicious code that could exist in COTS software products. In a preliminary study of the domain [2], we considered different approaches suitable to address this problem. Among those approaches, certified code seems to be the most promising. Given a certified program provided by an untrusted source, a host can determine with certainty that this program may be safely executed. Unfortunately, as of today, most of the research on certified code has focused on simple type safety and memory safety rather than on security issues. We therefore propose to extend this approach to the security aspects of a program. In this paper, we present our progress in defining and implementing a certifying compiler that produces secure self-certified code that can be used to ensure both the safety and the security of the code. We used LCC [3], a C compiler, as the starting point for our certifying compiler, to which we added a type system based on TALx86 [5].

The rest of the paper is organized as follows. Section 2 presents the certified code approach, which guarantees that COTS components may be safely executed. Section 3 focuses on the code generation process that produces annotated assembly code. Section 4 follows with the verification process, which aims at formally certifying that the generated annotated code satisfies well-defined safety properties. Section 5 proposes an extension to both the generation and verification processes to include security properties. Section 6 presents related work. Finally, a few concluding remarks and a discussion of future research are sketched in Section 7.

This research is funded by a research contract from the Defense Research Establishment, Valcartier (DREV), Quebec, Canada.


Similar resources

Tag-KEM for Self-Certified Ring Signcryption

Signcryption tag-KEM (key encapsulation mechanism with tag) allows the sender to encapsulate a symmetric key along with a tag so that the receiver can authenticate the sender, the key and the tag. In this paper, we introduce the notion of signcryption tag-KEM to the self-certified setting and ring signcryption, and construct a tag-KEM for self-certified ring signcryption, which only takes one p...


Efficient COTS Selection with OPAL Tool

This paper presents a COTS selection methodology and its supporting tool OPAL that are to be used by certified IT consultants in Luxembourg, when they help SMEs evaluate COTS components. It highlights the benefits of the methodology and the efficiency gained by reusing SRS templates.


New Efficient Proxy Blind Signature Scheme Using Verifiable Self-certified Public Key

Proxy blind signature, which combines the properties of both proxy signature and blind signature, is useful in e-cash and e-commerce. In this paper, we present a verifiable self-certified public key scheme and a proxy blind signature scheme using the verifiable self-certified public key. The self-certified public key has an advantage which can withstand public key substitution attacks. As far a...


Towards an Approach for Security Risk Analysis in COTS Based Development

More and more companies tend to use secure products as COTS to develop their secure systems due to resource limitations. The security concerns add more complexity as well as potential risks to COTS selection process, and it is always a great challenge for developers to make the selection decisions. In this paper, we provide a method for security risk analysis in COTS based development (CBD) bas...


Assessment of Safety Critical Systems with COTS Software and Software of Uncertain Pedigree (SOUP)

Mission and safety critical system designers are more and more forced to use a Commercial-Off-The-Shelf (COTS) approach due to more focus on cost and development times, even if COTS components normally are not specifically designed and developed for robust operation. Many safety critical systems have to be assessed or certified by independent organisations. This paper addresses the challenges as...


Journal title:

Volume / Issue:

Pages:

Publication date: 2000