Trust and tamper-proof software delivery

Authors:
Martin Naedele;Thomas E. Koch
Affiliations:
ABB Corporate Research, Baden, Switzerland;ABB Corporate Research, Baden, Switzerland
Venue:
Proceedings of the 2006 international workshop on Software engineering for secure systems
Year:
2006

Citing 11
Cited 2

Proof-carrying code

Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Techniques for trusted software engineering

Proceedings of the 20th international conference on Software engineering
Reflections on trusting trust

Communications of the ACM
Understanding the Windows EAL4 Evaluation

Computer
How to Time-Stamp a Digital Document

CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
A reputation-based trust model for peer-to-peer ecommerce communities [Extended Abstract]

Proceedings of the 4th ACM conference on Electronic commerce
Modern Cryptography: Theory and Practice

Modern Cryptography: Theory and Practice
Poisoning the Software Supply Chain

IEEE Security and Privacy
Practical Cryptography

Practical Cryptography
Toward a Generic Model of Trust for Electronic Commerce

International Journal of Electronic Commerce
SoftwarePot: an encapsulated transferable file system for secure software circulation

ISSS'02 Proceedings of the 2002 Mext-NSF-JSPS international conference on Software security: theories and systems

Introduction to software engineering for secure systems: SESS06 -- secure by design

Proceedings of the 2006 international workshop on Software engineering for secure systems
Data usage control in the future internet cloud

The future internet

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software engineering today relies to a large extent on acquiring and composing software components and other software-related artifacts from different producers, either at design or at run time. For any user of such artifacts, both as developer and as end-user, the question arises how to ensure that these artifacts are not malicious. Complete inspection of acquired code is, if not impossible, at least impractical and uneconomical for commercial software. The user thus has to trust the code, or rather its supplier and the delivery channel. This paper examines different trust models in the software supply chain and their rationales.Any trust-based supply chain also requires as prerequisite a tamper-proof distribution channel. Such channels can theoretically be realized using digital signature technology, but some practical and theoretical challenges remain. The paper outlines the challenges and shortcomings of current commercial approaches, proposes some solutions, and suggests areas for further research.