This paper summarizes a new program funded under NIST's Advanced Technology Program (ATP) in Component-Based Software to certify software components used in electronic commerce systems. The growth of Internet-based electronic commerce, with its potential to create new business markets and streamline corporate operations, has been hindered during the past two years by concerns about the security of the software involved. The approach outlined in this paper develops a certification process for testing software components for security that will be used in electronic commerce applications. The anticipated results from this research is a process and set of core white-box and black-box testing technologies to certify the security of software components. The manifestation of the product is a stamp of approval in the form of a digital signature. The project will initially focus on certifying the security of components written in Java, the computing language used by many software developers to create e-commerce systems.
The idea of electronic commerce---using the Internet and the Web for commercial purposes---is taking hold in both corporate board rooms and American homes. Component-based technologies designed for distributed networks, including the Internet, make widespread e-commerce possible and thus have the potential to expand business markets considerably. But all is not perfect.
Despite the great potential to connect businesses, merchants, and consumers anywhere at anytime, affordably and easily, the dangers of e-commerce loom large. When the commodity is information (whether business data or monetary data), information security is essential. Java and ActiveX have had their share of well-publicized security problems. If these component paradigms are to be adopted for e-commerce use, their security implications must be carefully scrutinized. Until the security issues of software-component based commerce are adequately addressed, electronic commerce will not reach critical mass.
The e-commerce systems of today are composed of a number of components including: a commerce server, data transaction protocols, and client software from which transactions originate. While most of the attention in e-commerce security has been focused on encryption technology and protocols for securing the data transaction, it is critical to note that a weakness in any one of the components that comprise an e-commerce system may result in a security breach. For example, a flaw in the Web server software may allow a criminal access to the complete transaction records of an online bank without forcing the criminal to break any ciphertext at all. Similarly, vulnerabilities in security models for mobile code may allow insecure behavior to originate from client-side software interaction.
Consider the security flaw in the interaction of Intuit's Quicken online banking software and a Microsoft ActiveX control. The Chaos Computer Club in Germany was able to create an unsigned hostile ActiveX control and place it on a Web page. The control begins to run when an unsuspecting user surfs to the page. If the control finds Quicken, it issues a transfer order and adds it to the application's batch of existing transfer orders. The next time the Quicken (and Web) user pays bills, the illicit transfer gets included, probably unnoticed by the victim. Since Quicken reportedly has over nine million users worldwide, this is a serious problem.
We are developing a set of core technologies to assess the security of software components intended for use in e-commerce systems. We are focusing our technology on a component-based software paradigm partially to endorse the technology and to stimulate its growth, but also because it is clearly the software-development paradigm of the future. Component-based software addresses important large-scale re-use issues faced by all software developers. Large-scale growth of electronic commerce will not happen if individual software solutions must be reinvented at each and every merchant site. It is much easier to use pre-fabricated wheels than to re-invent them time and time again. The time and expertise required to develop e-commerce sites from scratch will be well beyond what the typical merchant will be able to afford. Proprietary solutions built for each merchant are not only expensive, but also counter-productive to establishing interoperability between different vendors, merchants, consumers, and trusted third parties.
The infancy of e-commerce can be likened to the pre-industrial era in the United States. Before parts became standardized, master craftsmen would custom design and build each hammer, each saw, each chair, each wheel, and at a larger scale, each bridge. The industrial era made possible the standardization of parts. Thus a bike manufacturer could reliably build a bike from standard bolts, wheels, seats, and handlebars. Without standardization, bolts would not fit in their sockets, seats would not fit snugly, and wheels on different bikes would even be differently sized. Today, there are myriad protocols for e-commerce transactions: SSL, PCT, SET, S-HTTP, S/MIME, Cybercash, and Digicash, among others. Unfortunately, most of these protocols are not interoperable, and consumers must choose one protocol over another. If a merchant is not a subscriber to Cybercash, then a Cybercash consumer will not be able to purchase wares from the merchant. Similarly, if a consumer does not have a browser client that supports S-HTTP, then the consumer will not be able to engage in a secure transaction with a merchant that uses S-HTTP. The market may ultimately decide the winners and losers in standardized protocols, however, the necessity for interoperable, cross-platform components will not lessen. Development of secure components for use in building commerce applications is an important step in the maturation and acceptance process. Objective and scientific security assessment is essential to this step.
One particularly promising technology for developing Internet-based commercial components is JavaBeans, a technology developed by Sun Microsystems. JavaBeans is a componentware framework for the development of Internet-ready Java applications. Java is quickly becoming the development language of choice in a number of high-visibility financial application areas. Current efforts include the Java Financial Object eXchange and work underway at Charles Schwab on-line discount brokerage. Our program will research and develop security assessment technologies that are applicable to JavaBeans. Success will provide a certification technology for component-based distributed object software systems that should have a high probability of acceptance by the financial community.
Our aim is to create a system for assessing the security of software components. We will focus on components intended for use in Internet-based e-commerce applications, though our results should be applicable to any sorts of components. There are many different component models currently touted for Internet applications. CORBA is one object framework for creating interoperable applications from different component technologies. Because of its early acceptance in the financial community, we will initially focus our attention on JavaBeans components.
Our technical approach is to develop a Component Security Certification (CSC) pipeline through which a software component can be validated for security. If the component meets minimum thresholds for security assurance, then the component will be certified and stamped with the certifying lab's digital signature. The envisioned CSC pipeline involves a combination of white-box and black-box testing processes to assess security. RST has developed advanced white-box testing processes including: code coverage, fault injection, input generation, and assertion monitoring.
The central research goal of this ATP effort is to investigate, build, and integrate techniques needed to perform security certification of software components. The research consists of the following tasks: (1) formalize a methodology for certifying component security, (2) build and integrate advanced white-box/black-box testing technologies, (3) evaluate the effectiveness of the CSC process through experimentation, (4) develop acceptable thresholds for security metrics based on benchmarking results, (5) assess the effectiveness of the developed technologies with regard to whole systems composed of components, (6) validate the approach on real-world e-commerce systems, and (7) perform technology transfer and commercialization.