Automata-Based Verification of Security Requirements of Composite Web Services

With the increasing reliance of complex real-world applications on composite web services assembled from independently developed component services, there is a growing need for effective approaches to verifying that a composite service not only offers the required functionality but also satisfies the desired non-functional requirements (NFRs). In high-assurance applications such as traffic control, medical decision support, and coordinated response to civil emergencies, NFRs having to do with the security, safety and reliability of composite services are of special concern. Current approaches to verifying NFRs of composite services (as opposed to individual services) remain largely ad hoc and informal in nature. In this paper we develop techniques for ensuring that a composite service meets user-specified NFRs expressible in the form of hard constraints, e.g., “response time has to be less than 5 minutes.” We introduce an automata-based framework for verifying that a composite service satisfies the desired NFRs based on the known guarantees regarding the non-functional properties of the component services. We further show how to improve the efficiency of verifying that a composite service indeed satisfies a desired set of NFRs by: (i) exploiting information about the applicability of specific NFRs (e.g., security) only to certain subsets of the component services that make up a composite service, to minimize the verification effort, and (ii) identifying inconsistencies between NFRs with overlapping scopes. We illustrate how our approach can be used to verify the security requirements for an Emergency Management System. We also show how the approach can be used to verify whether a composite service satisfies any desired set of NFRs that can be expressed in the form of hard constraints of a quantitative nature.
