Trust-adapted enforcement of security policies in distributed component-structured applications

Abstract

Software component technology on the one hand supports the cost-effective development of specialized applications. On the other hand, however, it introduces special security problems. Some major problems can be solved by the automated run-time enforcement of security policies. Each component is controlled by a wrapper which monitors the component's behavior and checks its compliance with the security behavior constraints of the component's employment contract. Since control functions and wrappers can cause substantial overhead, we introduce trust-adapted control functions where the intensity of monitoring and behavior checks depends on the level of trust, the component, its hosting environment, and its vendor have currently in the eyes of the application administration. We report on wrappers and a trust information service, shortly outline the embedding security model and architecture, and describe a Java Bean based experimental implementation.