Issue No. 06 - June (1998 vol. 31)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/2.683010
Using COTS components poses serious threats to system security. The authors analyze the risks and describe how their sandbox method can confine the damage potential of COTS components. The sandbox model was originally developed for fault tolerance: rather than eliminating actual failures, it provides a restricted environment that confines application behavior, so that the damage is limited if an application accidentally or maliciously misbehaves. The authors' sandbox method differs from Java's in that it is built with OS support rather than with support from a particular language. In this article, they describe the Sendmail version of their sandbox method. Their approach requires B-level security features not found on most conventional OSs. Typically developed for government or military use, B-level-certified OSs (the B division of the Trusted Computer System Evaluation Criteria, which requires mandatory access control over labeled subjects and objects) have more sophisticated security features. The authors explain that their method does not eliminate security problems but rather mitigates the damage caused by compromised applications and thus prevents most common security breaches. Untrusted COTS components can thus be safely plugged into a system without major reengineering, provided there is a suitable security platform.
Q. Zhong and N. Edwards, "Security Control for COTS Components," in Computer, vol. 31, no. 6, pp. 67-73, 1998.