IEEE Transactions on Software Engineering, vol. 34, no. 1, January 2008, pp. 33-49
ABSTRACT
We outline a methodology for designing and composing services in a secure manner. In particular, we are concerned with safety properties of service behaviour. Services can enforce security policies locally and can invoke other services respecting given security contracts. This call-by-contract mechanism offers a significant set of opportunities, each driving secure ways to compose services. We discuss how to correctly plan service compositions in several relevant classes of services and security properties. To this aim, we propose a graphical modelling framework, based on a foundational calculus called lambda-req. Our formalism features dynamic and static semantics, thus allowing for formal reasoning about systems. Static analysis and model checking techniques provide the designer with useful information to assess and fix possible vulnerabilities.
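The abstract describes three ingredients: safety policies enforced locally over the execution history, services invoked by contract rather than by name, and a planning step that uses a static abstraction of each service to select only compositions that cannot violate the policies. The Python toy below is added here as an illustration and is not code from the paper: it is not the lambda-req calculus, and every service, event, policy and helper name in it is constructed for the example. It models policies as security automata over finite sets of traces: the runtime `Monitor` gives the dynamic view, while `expand` and `valid_plans` give the static one, rejecting a plan either because a chosen callee breaks its contract or because the callee, although fine in isolation, extends a history that the caller's policy forbids.

```python
"""Toy model of history-based local policies and call-by-contract planning.

Illustrative only: this is not the paper's lambda-req calculus. It keeps the
ideas (safety policies over execution histories, services requested by
contract, plans checked before execution) but uses a flat event alphabet and
finite trace sets in place of history expressions and model checking. Every
service, event and policy below is constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Trace = Tuple[str, ...]


@dataclass
class Policy:
    """Safety property as a security automaton: 'bad' states are absorbing,
    so once a history violates the policy no later event can repair it."""
    name: str
    start: str
    bad: FrozenSet[str]
    delta: Dict[Tuple[str, str], str]  # (state, event) -> state; otherwise self-loop

    def satisfied_by(self, trace: Trace) -> bool:
        state = self.start
        for ev in trace:
            state = self.delta.get((state, ev), state)
            if state in self.bad:
                return False
        return True


class PolicyViolation(Exception):
    pass


class Monitor:
    """Dynamic semantics: enforce a policy on the running history, event by event."""
    def __init__(self, policy: Policy) -> None:
        self.policy, self.history = policy, ()

    def step(self, ev: str) -> None:
        self.history += (ev,)
        if not self.policy.satisfied_by(self.history):
            raise PolicyViolation(f"{self.policy.name} violated by {self.history}")


@dataclass
class Req:
    """Request site: the caller names a contract the callee must honour, not a service."""
    site: str
    contract: Policy


@dataclass
class Service:
    """Static semantics: a service is abstracted by the finite set of behaviours
    (branches) its code may show; `policies` frame the whole body (the paper
    scopes policies over sub-expressions, which this toy does not model)."""
    name: str
    branches: List[Tuple[Union[str, Req], ...]]
    policies: List[Policy] = field(default_factory=list)


Plan = Dict[str, str]  # request site -> chosen service name
Registry = Dict[str, Service]


def expand(svc: Service, plan: Plan, reg: Registry) -> Set[Trace]:
    """All histories of `svc` once its requests are resolved by `plan`
    (assumes the resulting call graph is acyclic)."""
    out: Set[Trace] = set()
    for branch in svc.branches:
        parts = [expand(reg[plan[i.site]], plan, reg) if isinstance(i, Req) else {(i,)}
                 for i in branch]
        for combo in product(*parts):
            out.add(sum(combo, ()))
    return out


def requests(svc: Service, plan: Plan, reg: Registry) -> List[Req]:
    """Every request site reachable from `svc` under `plan`, callees included."""
    found = [i for b in svc.branches for i in b if isinstance(i, Req)]
    for r in list(found):
        found += requests(reg[plan[r.site]], plan, reg)
    return found


def plan_is_valid(root: Service, plan: Plan, reg: Registry) -> bool:
    # (1) call-by-contract: each chosen callee honours its site's contract on its own
    for r in requests(root, plan, reg):
        if not all(r.contract.satisfied_by(t) for t in expand(reg[plan[r.site]], plan, reg)):
            return False
    # (2) history-based policy: the caller's policies must hold on every possible full
    #     history, so a callee that is fine in isolation can still be rejected because
    #     of what happened before it was invoked
    return all(p.satisfied_by(t) for p in root.policies for t in expand(root, plan, reg))


def valid_plans(root: Service, reg: Registry, offers: Dict[str, List[str]]) -> List[Plan]:
    """Try one candidate per request site and keep the plans that are safe."""
    sites = list(offers)
    good = []
    for choice in product(*(offers[s] for s in sites)):
        plan = dict(zip(sites, choice))
        if plan_is_valid(root, plan, reg):
            good.append(plan)
    return good


# Constructed scenario. Caller policy: once private data has been read, nothing
# may be sent off-host. Contract imposed on providers: they must never delete.
NO_LEAK = Policy("no_leak", "clean", frozenset({"bad"}),
                 {("clean", "read_private"): "tainted", ("tainted", "send"): "bad"})
NO_DELETE = Policy("no_delete", "ok", frozenset({"bad"}), {("ok", "delete"): "bad"})

REGISTRY: Registry = {
    "report": Service("report", [("read_private", Req("store", NO_DELETE),
                                  Req("notify", NO_DELETE), "log")], [NO_LEAK]),
    "local_store": Service("local_store", [("write_local",)]),
    "cloud_store": Service("cloud_store", [("send",)]),                  # honours contract, leaks
    "purge_store": Service("purge_store", [("write_local", "delete")]),  # breaks contract
    "dashboard": Service("dashboard", [("write_local",)]),
    "email": Service("email", [("send",)]),
}
OFFERS = {"store": ["local_store", "cloud_store", "purge_store"], "notify": ["dashboard", "email"]}


def safe_plans() -> List[Plan]:
    return valid_plans(REGISTRY["report"], REGISTRY, OFFERS)


if __name__ == "__main__":
    print("safe plans:", safe_plans())
    mon = Monitor(NO_LEAK)
    for ev in ("read_private", "write_local", "send"):
        try:
            mon.step(ev)
        except PolicyViolation as exc:
            print("runtime monitor:", exc)
```

Of the six candidate plans only `{store: local_store, notify: dashboard}` survives. `purge_store` is dropped by the contract check alone; `cloud_store` and `email` honour `no_delete` and would pass any check made on them in isolation, yet they are rejected because the caller's `no_leak` policy is evaluated on the whole history, in which a `send` follows `read_private`. That is the difference between checking a service and checking a composition, and the static planner finds it before the runtime `Monitor` would have to abort the execution.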
INDEX TERMS
Web services, call-by-contract, language-based security, static analysis, system verification
CITATION
Pierpaolo Degano, Gian-Luigi Ferrari, Massimo Bartoletti, "Semantics-Based Design for Secure Web Services", IEEE Transactions on Software Engineering, vol.34, no. 1, pp. 33-49, January 2008, doi:10.1109/TSE.2007.70740