Behavioral Attestation for Web Services using access policies

Service Oriented Architecture with underlying technologies like web services and web service orchestration opens new vistas for integration among business processes operating in heterogeneous environments. However, such dynamic collaborations require a highly secure environment at each respective business partner site. Existing web services standards address the issue of security only on the service provider platform. The partner platforms to which sensitive information is released have till now been neglected. Remote Attestation is a relatively new field of research which enables an authorized party to verify that a trusted environment actually exists on a partner platform. To incorporate this novel concept in to the web services realm, a new mechanism called WS-Attestation has been proposed. This mechanism provides a structural paradigm upon which more fine-grained solutions can be built. In this paper, we present a novel framework, Behavioral Attestation for Web Services, in which XACML is built on top of WS-Attestation in order to enable more flexible remote attestation at the web services level. We propose a new type of XACML policy called XACML behavior policy, which defines the expected behavior of a partner platform. Existing web service standards are used to incorporate remote attestation at the web services level and a prototype is presented, which implements XACML behavior policy using low-level attestation techniques.

[1]  Bob Atkinson Web Services Security (WS-Security) , 2003 .

[2]  Siani Pearson,et al.  Trusted Computing Platforms: TCPA Technology in Context , 2002 .

[3]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[4]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[5]  Vijay Varadharajan,et al.  Trust management for trusted computing platforms in web services , 2007, STC '07.

[6]  David Caplan,et al.  SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open Source Software Development Series) , 2006 .

[7]  Jean-Pierre Seifert,et al.  A Model-Driven Framework for Trusted Computing Based Systems , 2007, 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007).

[8]  Jaehong Park,et al.  Towards usage control models: beyond traditional access control , 2002, SACMAT '02.

[9]  Dennis G. Kafura,et al.  First experiences using XACML for access control in distributed systems , 2003, XMLSEC '03.

[10]  Bill McCarty,et al.  Selinux: NSA's Open Source Security Enhanced Linux , 2004 .

[11]  Jean-Pierre Seifert,et al.  Usage control platformization via trustworthy SELinux , 2008, ASIACCS '08.

[12]  Tim Ebringer,et al.  ws-Attestation: Enabling Trusted Computing on Web Services , 2007, Test and Analysis of Web Services.

[13]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[14]  Giovanni Della-Libera,et al.  Web Services Trust Language (WS-Trust) , 2002 .

[15]  Indrakshi Ray,et al.  Proceedings of the eleventh ACM symposium on Access control models and technologies , 2006 .

[16]  Mark O'Neill,et al.  Web Services Security , 2003 .

[17]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[18]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[19]  Jean-Pierre Seifert,et al.  Model-based behavioral attestation , 2008, SACMAT '08.

[20]  Leendert van Doorn,et al.  Take control of TCPA , 2003 .

[21]  Daniel Roth,et al.  Web Services Policy Framework (WS- Policy) , 2002 .

[22]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.