1. Field of the Invention
The invention relates generally to the field of software security, and more particularly to software security verification and validation.
2. Description of the Related Art
Software applications today are typically composed of several different executable modules that work together to provide a common “application function.” For instance, a developer of a new application may write source code that implements the “core business logic” of the application, while resorting to third-party or other code libraries for more routine functionality, such as common dialog boxes or communication functions. At runtime, the application is launched and instructs the operating system to load an instance of the other libraries, which are dynamically linked to the executing application code. Then the application and the libraries typically work together as a single unit in memory while the application is executing.
However, managing trust between the executing application code and the libraries is difficult. While an application is executing, any libraries that it loads are mapped into the application's memory space or process boundary and execute as if they were part of the application. Once a library is loaded, there are no boundaries between the application and the library, and the application places complete trust in the library when it calls into the library. The library could modify, delete, or redistribute any or all data the application has access to. As applications become more complex, and libraries are more commonly loaded on a computing device from various, possibly untrusted locations, it is becoming more important to focus on the security and integrity (i.e., the “trustworthiness”) of code libraries that may be called or loaded by an application.
An adequate mechanism to evaluate and/or ensure the trustworthiness of a code library has eluded those skilled in the art, until now.