Abstract
Security and Trust offer two different perspectives on the problem of the correct interaction among software components. In many respects, they represent complementary viewpoints. Moreover, they are mainstream topics in the study of the verification of non-functional properties of programs. Several security aspects, e.g., access control, could also be based on trust and, vice versa, trust models could update the level of trust of a system (or of one of its components) according to the satisfaction of particular security policies. Accordingly, here we present the Security-by-Contract-with-Trust framework, S×C×T for short. It has been developed considering a system platform that has to execute an application whose developer is unknown, in such a way that the security policies set on the platform are not violated. The S×C×T mechanism is driven by both security and trust aspects. It is based on three main concepts: the application code, the application contract, and the system security policy. The level of trust we consider measures the adherence of the application code to its contract, i.e., if the code respects its contract then the application is trusted, otherwise its level of trust decreases. According to the level of trust of the application, S×C×T decides whether to check the contract against the policies and, if the answer is positive, execute the application while just monitoring its contract, or to directly enforce the security policy set on the platform.
In order to better describe how the proposed mechanism works, we present its application to a mobile application marketplace scenario. In this way we are also able to show its possible advantages in terms of performance and modularity.
Work partially supported by EU-funded project FP7-231167 Connect and by EU-funded project FP7-256980 NESSoS.
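The decision procedure described in the abstract, as an added Python sketch that is not code from the chapter or its authors. Contract and policy are modelled here as plain sets of permitted actions, and the threshold, penalty, fallback to enforcement after a violation, and action names are assumptions made for illustration.

```python
from dataclasses import dataclass

TRUST_THRESHOLD = 0.5   # assumption: cut-off below which an app is not trusted
PENALTY = 0.3           # assumption: trust lost per detected contract violation

@dataclass
class App:
    name: str
    contract: frozenset   # actions the developer declares the code may perform
    trace: list           # actions the code actually performs (constructed sample)
    trust: float = 1.0

def choose_mode(app, policy):
    """Trusted app whose contract matches the policy: monitor the contract only.
    Otherwise: enforce the platform policy directly."""
    if app.trust >= TRUST_THRESHOLD and app.contract <= policy:
        return "monitor-contract"
    return "enforce-policy"

def run(app, policy):
    """Execute the trace; return (final mode, allowed actions, blocked actions)."""
    mode = choose_mode(app, policy)
    allowed, blocked = [], []
    for action in app.trace:
        if mode == "monitor-contract" and action not in app.contract:
            # The code does not respect its contract: trust decreases and the
            # platform policy is enforced from this point on.
            app.trust = max(0.0, app.trust - PENALTY)
            mode = "enforce-policy"
        if mode == "enforce-policy" and action not in policy:
            blocked.append(action)
        else:
            allowed.append(action)
    return mode, allowed, blocked

# Constructed marketplace scenario: one platform policy, three applications.
POLICY = frozenset({"open_https", "write_tmp", "read_contacts"})
honest = App("honest", frozenset({"open_https", "write_tmp"}),
             ["open_https", "write_tmp"])
liar = App("liar", frozenset({"open_https"}),
           ["open_https", "send_sms", "open_https"])
overreach = App("overreach", frozenset({"send_sms"}), ["send_sms"])

if __name__ == "__main__":
    for app in (honest, liar, overreach):
        print(app.name, run(app, POLICY), round(app.trust, 2))
```

Running the `liar` application a second time drops its trust below the threshold, after which `choose_mode` selects direct policy enforcement without checking the contract at all.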
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Costa, G., Issarny, V., Martinelli, F., Matteucci, I., Saadi, R. (2011). Security and Trust. In: Bernardo, M., Issarny, V. (eds) Formal Methods for Eternal Networked Software Systems. SFM 2011. Lecture Notes in Computer Science, vol 6659. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21455-4_12
DOI: https://doi.org/10.1007/978-3-642-21455-4_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21454-7
Online ISBN: 978-3-642-21455-4
eBook Packages: Computer Science (R0)