Into the Black Box: A Case Study in Obtaining Visibility into Commercial Software

REPORT DOCUMENTATION PAGE			Form Approved OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.
1. agency use only (leave blank)		2. report date March 1999	3. report type and dates covered Final
4. title and subtitle Into the Black Box: A Case Study in Obtaining Visibility into Commercial Software			5. funding numbers C - F19628-95-C-0003
6. author(s) Daniel Plakosh, Scott Hissam, Kurt Wallnau
7. performing organization name(s) and address(es) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213			8. performing organization report number CMU/SEI-99-TN-010
9. sponsoring/monitoring agency name(s) and address(es) HQ ESC/DIB 5 Eglin Street Hanscom AFB, MA 01731-2116			10. sponsoring/monitoring agency report number
11. supplementary notes
12.a distribution/availability statement Unclassified/Unlimited, DTIC, NTIS			12.b distribution code
13. abstract (maximum 200 words) We were recently involved with a project that faced an interesting and not uncommon dilemma. The project needed to programmatically extract private keys and digital certificates from the Netscape Communicator v4.5 database. Netscape documentation was inadequate for us to figure out how to do this. As it turns out, this inadequacy was intentional-Netscape was concerned that releasing this information might possibly violate export control laws concerning encryption technology. Since our interest was in building a system and not exporting cryptographic technology, we decided to further investigate how to achieve our objectives even without support from Netscape. We restricted ourselves to the use of Netscape-provided code and documentation, and to information available on the Web. Our objective was to build our system, and to provide feedback to Netscape on how to engineer their product to provide the capability that we (and others) need, while not making the product vulnerable or expose the vendor to violations of export control laws. This paper describes our experiences peering "into the black box."
14. subject terms commercial off-the-shelf (COTS), component integration, netscape, security			15. number of pages 19 pp.
			16. Price Code
17. security classification of report UNCLASSIFIED	18. security classification of this page UNCLASSIFIED	19. security classification of abstract UNCLASSIFIED	20. limitation of abstract UL
NSN 7540-01-280-5500			Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18 298-102

[abstract] [chapter 1] [chapter 2] [chapter 3] [chapter 4] [chapter 5] [references] [DTIC] [PDF]