Abstract
The preservation of a security property under the composition of components is generally regarded as a non-trivial problem in software engineering. Among the possible properties, confidentiality is the most challenging one. The naive approach of assuming that a composition is confidential whenever each individual component is confidential may lead to insecure systems, since specific aspects of one component's behaviour may have undesired effects on others. In this paper we investigate the composition of components that each, on its own, provide confidentiality of their data. We show that the complete behaviour between components needs to be considered, rather than focusing only on the individual interaction points or on the set of actions that carry the confidential data. Our formal investigation reveals different possibilities for testing the correctness of component compositions, for the coordinated distributed creation of composable components, and for the design of generally composable interfaces that ensure the confidentiality of the composition.
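The failure mode the abstract describes can be reproduced in a few lines. The following Python is an added illustration written for this page; it is not the paper's formal framework and not code from the authors. It models two constructed components: A holds a secret and never reveals it on its observable interface, B holds no secret at all, and both pass a trace-based confidentiality check in isolation. Once composed, B publishes a non-confidential attribute (the length) of a record it receives from A, and that attribute is correlated with A's secret. A check that only inspects actions carrying the secret literally still passes, which is exactly the blind spot the abstract warns about. All channel names, messages and secret values are constructed for the example.

```python
"""Added illustration (not the paper's formalism): two components that each keep
a secret confidential in isolation, yet leak it once composed.

A component run maps (secret, environment input) to a trace of actions.  An action
is (channel, payload).  Channels starting with "obs:" are visible to an external
observer; channels starting with "int:" are the internal link between components.
Every name and value below is constructed for this example.
"""

SECRETS = ("pin-1234", "pin-9")   # constructed secret values of different length
ENV_INPUTS = ("query",)           # constructed environment inputs


def component_a(secret, env_input):
    """A answers 'ok' to the observer and forwards a redacted status record to B.
    The record never contains the secret, but its length depends on it: a
    'specific aspect' of A's behaviour that A alone does not expose."""
    record = "status=" + "*" * len(secret)          # redacted, length-correlated
    return [("int:a->b", record), ("obs:a", "ok")]


def component_b(incoming):
    """B has no secret of its own and simply reports the size of every record it
    receives.  In isolation this is harmless public bookkeeping."""
    return [("obs:b", "received %d bytes" % len(payload)) for (_, payload) in incoming]


def observable(trace):
    """The observer's view of a trace: only the obs:* actions."""
    return tuple(a for a in trace if a[0].startswith("obs:"))


def confidential(run):
    """Simplified confidentiality check: for every environment input, the
    observer-visible trace must be identical whatever the secret is."""
    for env_input in ENV_INPUTS:
        views = {observable(run(s, env_input)) for s in SECRETS}
        if len(views) != 1:
            return False
    return True


def carries_secret_literally(run):
    """The naive check the abstract argues against: only look for actions whose
    payload contains the confidential value itself."""
    for env_input in ENV_INPUTS:
        for s in SECRETS:
            if any(s in payload for (_, payload) in run(s, env_input)):
                return True
    return False


def run_a(secret, env_input):
    """A in isolation."""
    return component_a(secret, env_input)


def run_b(secret, env_input):
    """B in isolation: it receives only the environment's own (public) input."""
    return component_b([("int:env->b", env_input)])


def run_composed(secret, env_input):
    """A and B composed: A's internal output becomes B's input."""
    trace_a = component_a(secret, env_input)
    to_b = [a for a in trace_a if a[0] == "int:a->b"]
    return trace_a + component_b(to_b)


if __name__ == "__main__":
    print("A alone confidential:      ", confidential(run_a))
    print("B alone confidential:      ", confidential(run_b))
    print("composition confidential:  ", confidential(run_composed))
    print("secret appears literally:  ", carries_secret_literally(run_composed))
    for s in SECRETS:
        print(s, "->", observable(run_composed(s, "query")))
```

Both components pass the per-component check, the composition fails it, and the literal-payload check never fires because no action ever carries the secret. Deciding composability therefore requires looking at how A's complete behaviour on the internal link, not just the actions that mention the secret, drives B's observable actions.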
© 2013 IFIP International Federation for Information Processing
Fuchs, A., Gürgens, S. (2013). Preserving Confidentiality in Component Compositions. In: Binder, W., Bodden, E., Löwe, W. (eds) Software Composition. SC 2013. Lecture Notes in Computer Science, vol 8088. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39614-4_3
DOI: https://doi.org/10.1007/978-3-642-39614-4_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39613-7
Online ISBN: 978-3-642-39614-4