Information Flow Analysis of Web Service Net

A web service security analysis model based on program slicing is proposed. It can be used to find critical information disclosure vulnerabilities, and the proliferation of such vulnerabilities, in a web service net, and eventually to improve the protection of critical information. The web service protocol is analyzed to obtain the external service interfaces; the source code is sliced to obtain the interface information flow; and critical information is checked to see whether it is disclosed through that interface information flow. Vulnerability proliferation in a service net is found by analyzing the interface calls between two web services in which the critical information is transmitted and disclosed. A security report describing the test results of a test scenario is provided to verify the correctness of the security analysis process.
