Behavioral Attestation for Web Services Based Business Processes

Service Oriented Architecture SOA is an architectural paradigm that enables dynamic composition of heterogeneous, independent, multi-vendor business services. A prerequisite for such inter-organizational workflows is the establishment of trustworthiness, which is mostly achieved through non-technical measures, such as legislation, and/or social consent that businesses or organizations pledge themselves to adhere. A business process can only be trustworthy if the behavior of all services in it is trustworthy. Trusted Computing Group TCG has defined an open set of specifications for the establishment of trustworthiness through a hardware root-of-trust. This paper has three objectives: firstly, the behavior of individual services in a business process is formally specified. Secondly, to overcome the inherent weaknesses of trust management through software alone, a hardware root of-trust devised by the TCG, is used for the measurement of the behavior of individual services in a business process. Finally, a verification mechanism is detailed through which the trustworthiness of a business process can be verified.

[1]  Liang Jie-Zhang Innovations, Standards, and Practices of Web Services: Emerging Research Topics , 2011 .

[2]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[3]  Vijayalakshmi Atluri,et al.  SecureFlow: a secure Web-enabled workflow management system , 1999, RBAC '99.

[4]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[5]  Dennis G. Kafura,et al.  First experiences using XACML for access control in distributed systems , 2003, XMLSEC '03.

[6]  Frank Leymann,et al.  Web Services Platform Architecture: SOAP, WSDL, WS-Policy, WS-Addressing, WS-BPEL, WS-Reliable Messaging, and More , 2005 .

[7]  Jean-Pierre Seifert,et al.  A Model-Driven Framework for Trusted Computing Based Systems , 2007, 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007).

[8]  Ehud Gudes,et al.  Modeling, Specifying and Implementing Workflow Security in Cyberspace , 1999, J. Comput. Secur..

[9]  Elisa Bertino,et al.  A Trust-Based Context-Aware Access Control Model for Web-Services , 2004, Proceedings. IEEE International Conference on Web Services, 2004..

[10]  Xinwen Zhang,et al.  Behavioral attestation for web services (BA4WS) , 2008, SWS '08.

[11]  Calton Pu,et al.  A Secure Information Flow Architecture for Web Service Platforms , 2008, IEEE Transactions on Services Computing.

[12]  Jim des Rivières,et al.  Eclipse: A platform for integrating development tools , 2004, IBM Syst. J..

[13]  Ahmad-Reza Sadeghi,et al.  A protocol for property-based attestation , 2006, STC '06.

[14]  Chris J. Mitchell What is trusted computing , 2005 .

[15]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[16]  Aaron Weiss Trusted computing , 2006, NTWK.

[17]  Weisong Shi,et al.  Adaptive Secure Access to Remote Services in Mobile Environments , 2008, IEEE Transactions on Services Computing.

[18]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[19]  Zakaria Maamar,et al.  Aspect-Oriented Framework for Web Services (AoF4WS): Introduction and Two Example Case Studies , 2009 .

[20]  Peter Loscocco,et al.  Meeting Critical Security Objectives with Security-Enhanced Linux , 2001 .

[21]  Patrice Moreaux,et al.  An Integrated Framework for Web Services Orchestration , 2009, Int. J. Web Serv. Res..

[22]  Liang-Jie Zhang Modern Technologies in Web Services Research , 2007 .

[23]  Ina Fourie E‐activity and Intelligent Web Construction: Effects of Social Design , 2012 .

[24]  Tim Ebringer,et al.  ws-Attestation: Enabling Trusted Computing on Web Services , 2007, Test and Analysis of Web Services.

[25]  Marietjie Schutte,et al.  Managing Web Service Quality: Measuring Outcomes and Effectiveness , 2009 .

[26]  Ling Liu,et al.  A Similarity Measure for Process Mining in Service Oriented Architecture , 2010 .

[27]  Jean-Pierre Seifert,et al.  Model-based behavioral attestation , 2008, SACMAT '08.

[28]  Ulrich Kühn,et al.  Realizing property-based attestation and sealing with commonly available hard- and software , 2007, STC '07.

[29]  Elisa Bertino,et al.  Securing XML Documents with Author-X , 2001, IEEE Internet Comput..

[30]  Yi-Chieh Ho,et al.  Need and Possible Criteria for Evaluating the Effectiveness of Computer-Mediated Communication , 2011 .

[31]  David Caplan,et al.  SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open Source Software Development Series) , 2006 .

[32]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[33]  Stephen S. Yau,et al.  An Adaptive Approach to Optimizing Tradeoff Between Service Performance and Security in Service-Based Systems , 2011, Int. J. Web Serv. Res..

[34]  Bhavani M. Thuraisingham,et al.  Enhancing Security Modeling for Web Services Using Delegation and Pass-On , 2008, 2008 IEEE International Conference on Web Services.

[35]  Y. Li,et al.  Result Refinement in Web Services Retrieval Based on Multiple Instances Learning , 2008, Int. J. Web Serv. Res..