Results 1 - 10 of 14
Trust-Adapted Enforcement of Security Policies in Distributed Component-Structured Applications
2001
Abstract
Cited by 10 (3 self)
Software component technology on the one hand supports the cost-effective development of specialized applications. On the other hand, however, it introduces special security problems. Some major problems can be solved by the automated run-time enforcement of security policies. Each component is controlled by a wrapper which monitors the component's behavior and checks its compliance with the security behavior constraints of the component's employment contract. Since control functions and wrappers can cause substantial overhead, we introduce trust-adapted control functions, where the intensity of monitoring and behavior checks depends on the level of trust that the component, its hosting environment, and its vendor currently have in the eyes of the application administration. We report on wrappers and a trust information service, briefly outline the embedding security model and architecture, and describe a Java Bean based experimental implementation. Key Words: software components, wrappers, trust management, security policy enforcement, trust information service.
A Framework for the Hazard Analysis of Chemical Plants
In Proceedings of the 11th IEEE International Symposium on Computer-Aided Control System Design (CACSD2000), 2000
Abstract
Cited by 9 (7 self)
Transposing the notion of software frameworks to the abstraction level of formal specifications and verifications, we developed a framework supporting the formal hazard analysis of chemical plants. It provides generic specification modules for the description of safety properties, specification modules for the description of plant models, and theorems stating that certain subsystem structures of the plant model imply certain safety properties. Using the framework for hazard analysis, one first describes the plant and its control equipment as a composition of framework module instances. Second, one expresses the different safety properties of interest by parameterized framework modules. Finally, a safety property is proven when an appropriate theorem instance of the framework can be found. Thus, the framework facilitates the formal modeling. Moreover, the effort for formal verification is reduced drastically since framework theorem instances can replace explicit proofs. The framework utilizes modular temporal logic specifications supported by the specification language cTLA, which is a variant of Lamport's temporal logic of actions TLA and in particular is devoted to the compositional description of process systems.
Formal Security Policy Verification of Distributed Component-Structured Software
23rd IFIP International Conference on Formal Techniques for Networked and Distributed Systems (FORTE'2003), IFIP, LNCS, 2003
Abstract
Cited by 7 (2 self)
Component-structured software, which is assembled from independently developed software components, introduces new security problems. In particular, a component may attack components of its environment and, in consequence, spoil the application incorporating it. Therefore, to guard a system, we constrain the behavior of a component by ruling out the transmission of events between components which may cause harm. Security policies describing the behavior constraints are formally specified and, at runtime, so-called security wrappers monitor the interface traffic of components and check it for compliance with the specifications. Moreover, one can also use the specifications to prove formally that the combination of the component security policies fulfills certain security properties of the complete component-structured application. A well-known method to express system security properties is access control, which can be modelled by means of the popular Role Based Access Control (RBAC) method. Below, we introduce a specification framework facilitating the formal proof that component security policy specifications fulfill RBAC-based application access control policies. The specification framework is based on the specification technique cTLA. The design of state-based security policy specifications and of RBAC models is supported by framework libraries of specification patterns which may be instantiated and composed into a specification. Moreover, the framework contains already proven theorems facilitating the formal reasoning, since a deduction proof can be reduced to proof steps which correspond directly to the theorems. In particular, we introduce the specification framework and clarify its application by means of an e-commerce example.
State-Based Security Policy Enforcement in Component-Based E-Commerce Applications
Proceedings of the 2nd IFIP Conference on E-Commerce, E-Business, and E-Government (I3E), 2002
Abstract
Cited by 5 (2 self)
Software component technology supports the cost-effective development of e-commerce applications but also introduces special security problems. In particular, a malicious component is a threat to any application incorporating it. Therefore wrappers are of interest which control the behavior of components at run-time and enforce the application's security policies. The wrapper of a component monitors the component's behavior at its interfaces and checks its compliance with the security behavior constraints of the component's employment contract. We propose state-based security policy definitions, report on their suitable design, and clarify their employment by means of a component-structured e-procurement application.
Framework and Tool Support for Formal Verification of High Speed Transfer Protocol Designs
Telecommunication Systems, 2002
Abstract
Cited by 4 (2 self)
Formal description techniques, verification methods, and their tool-based automated application meanwhile provide valuable support for the formal analysis of communication protocol designs. Nevertheless, the practical analysis of modern protocols still requires relatively great effort, and therefore many protocol developments do not employ formal methods. In that context the transfer protocol framework aims at complementary support. It supplies a rich collection of specification modules and guides their efficient composition into service and protocol specifications. Moreover, the functional relations between service properties and implementing protocol mechanisms have been investigated systematically. The framework provides a collection of corresponding theorems to be applied in protocol correctness proofs. As a result, protocol verification can be reduced to the selection, instantiation, and proper arrangement of framework theorems. The verification process can further be supported by special tool assistance. The tool COAST identifies the compositional structure of a protocol specification mechanically and selects the corresponding framework theorems. It splits service property proofs into arrangements of subproofs, where the subproofs can mainly be accomplished by application of the selected framework theorems. After outlining the general transfer protocol framework approach, we concentrate on the introduction of the tool COAST. We describe its functions and clarify its application by means of the verification of the complex real-life high-speed data transfer protocol XTP.
cTLA 2003 Description
2003
Abstract
Cited by 2 (2 self)
This report describes the formal specification language cTLA in its 2003 version, which can be translated into the language PROMELA of the well-known automated verification tool SPIN. The report describes the semantical background, the semantics, and the syntax of cTLA. cTLA is based on Leslie Lamport's Temporal Logic of Actions. In contrast to Lamport's TLA+ syntax, cTLA supports a modular process-oriented specification style and has a programming-language-like look.

1 State Transition Systems and Temporal Logic of Actions

A state transition system can be used to model an event-discrete dynamic system which starts in an initial state and thereafter performs a sequence of state transitions. The system stays in its present state until a transition occurs which atomically changes the state into a successor state, where again the system stays until the next transition occurs. A state transition system $STS ::= \langle S, S_0, T \rangle$ is defined by: $S$, a set of states; $S_0$, the set of initial states, $S_0 \subseteq S$; $T$, the set of transitions, $T \subseteq S \times S$. Let $Sys$ be an STS. The set of state sequences $SQ_{Sys}$ of $Sys$ is defined by:

$$SQ_{Sys} ::= \{\, sq : sq \in S^{\omega} \wedge sq = \langle s_0, s_1, s_2, s_3, s_4, \ldots \rangle \wedge s_0 \in S_0 \wedge \forall i \in \mathbb{N} : [\langle s_i, s_{i+1} \rangle \in T \vee s_i = s_{i+1}] \,\}$$

Moreover, the set of reachable states $SR_{Sys}$ of $Sys$ is defined by:

$$SR_{Sys} ::= \{\, s : s \in S \wedge \exists sq \in SQ_{Sys}, i \in \mathbb{N} : [sq = \langle s_0, s_1, s_2, s_3, s_4, \ldots \rangle \wedge s = s_i] \,\}$$

Note that state sequences have infinite length, and that stuttering steps (where $s_i = s_{i+1}$ holds) are possible. Finite transition sequences (where a system terminates after a finite number of transitions) can be modeled by infinite state sequences under the assumption that a system performs an infinite sequence of stuttering steps after its termination. The tempor...
Analyzing Network Management Effects with Spin and cTLA
Proc. of IFIP 18th WCC/SEC 2004, 2004
Abstract
Cited by 2 (2 self)
Since many security incidents in networked computing infrastructures arise from inadequate technical management actions, we aim at a method supporting the formal analysis of the implications which administration activities may have for system security. We apply the specification language cTLA, which supports the modular description of process systems and facilitates the construction of a modeling framework. The framework defines a generic modeling structure and provides re-usable model elements. Due to cTLA's connection to the temporal logic of actions TLA, formal analysis can resort to symbolic reasoning. Supplementarily, automated analysis can be applied. We focus here on automated analysis. It is supported by translation of cTLA specifications into suitable model descriptions for the powerful model checking tool SPIN. We outline the utilized methods and tools, and report on the modeling and SPIN-based analysis of IP hijacking.
Synthesizing Components with Sessions from Collaboration-Oriented Service Specifications
SDL 2007, LNCS 4745, 2007
Abstract
Cited by 2 (1 self)
A fundamental problem in the area of service engineering is the so-called cross-cutting nature of services, i.e., that service behavior results from a collaboration of partial component behaviors. We present an approach for model-based service engineering, where system component models are derived automatically from collaboration models. These are specifications of sub-services incorporating both the local behavior of the components and the necessary inter-component communication. The collaborations are expressed by UML collaborations and activities in a compact and self-contained way. The UML activities are also well-suited to express service compositions precisely, so that components may be derived automatically by means of a model transformation. In this paper, we focus on the important issue of how to coordinate and compose collaborations that are executed in several sessions at the same time. We introduce an extension to activities for session selection. Moreover, we explain how this composition is mapped onto the components and how it can be translated into executable code.
Design of Trusted Systems with Reusable Collaboration Models
IFIP International Federation for Information Processing, Volume 238, IFIP, 2007
Abstract
Cited by 2 (2 self)
We describe the application of our collaboration-oriented software engineering approach to the design of trust-aware systems. In this model-based technique, a specification does not describe a physical system component but the collaboration between various components which achieve system functions by cooperation. A system model is composed from these collaboration specifications and, by a set of transformations, executable code can be generated automatically. As a modeling language, we use UML 2.0 collaborations and activities, for which we defined a semantics based on temporal logic. Thus, formal refinement and property proofs can be provided by applying model checkers as well. We consider our approach well-suited for the development of trust-based systems, since the trust relations between different parties can be modeled naturally by the collaborations. This ability also facilitates a tight cooperation between trust management and software engineering experts, both of which are needed to create scalable trust-aware applications. The engineering approach is introduced by means of an electronic auction system executing different policies which are guided by the mutual trust of its principals. As a trust model we apply Jøsang's Subjective Logic.