Issue No.03 - July-Sept. (2013 vol.6)
pp: 330-343
Wei She, University of Texas at Dallas, Richardson
I-Ling Yen, University of Texas at Dallas, Richardson
Bhavani Thuraisingham, University of Texas at Dallas, Richardson
Elisa Bertino, Purdue University, West Lafayette
ABSTRACT
Enforcing access control in composite services is essential in distributed multidomain environments. Many advanced access control models have been developed to secure web services at execution time. However, they do not consider access control validation at composition time, resulting in a high execution-time failure rate of composite services due to access control violations. Performing composition-time access control validation is not straightforward. First, many candidate compositions need to be considered and validating them can be costly. Second, some service composers may not be trusted to access protected policies and validation has to be done remotely. Another major issue with existing models is that they do not consider information flow control in composite services, which may result in undesirable information leakage. To resolve all these problems, we develop a novel three-phase composition protocol integrating information flow control. To reduce the policy evaluation cost, we use historical information to efficiently evaluate and prune candidate compositions and perform local/remote policy evaluation only on top candidates. To achieve effective and efficient information flow control, we introduce the novel concept of transformation factor to model the computation effect of intermediate services. Experimental studies show a significant performance benefit of the proposed mechanism.
INDEX TERMS
Access control, Protocols, Concrete, Web services, Medical diagnostic imaging, information flow control, Secure service composition, access control
CITATION
Wei She, I-Ling Yen, Bhavani Thuraisingham, Elisa Bertino, "Security-Aware Service Composition with Fine-Grained Information Flow Control", IEEE Transactions on Services Computing, vol.6, no. 3, pp. 330-343, July-Sept. 2013, doi:10.1109/TSC.2012.3