Tisa: Toward Trustworthy Services in a Service-Oriented Architecture

Verifying whether a service implementation conforms to its service-level agreements is important for inspiring confidence in services in a service-oriented architecture (SoA). Functional agreements can be checked by observing the published interface of the service, but other agreements, which are non-functional in nature, are often verified by deploying a monitor that observes the execution of the service implementation. The problem is that such a monitor must execute in an untrusted environment, so the integrity of the results reported by the monitor depends crucially on the integrity of the monitor itself. We contribute an extension of the traditional SoA, based on a hardware root of trust, that allows clients, brokers and providers to negotiate and validate the integrity of a requirements monitor executing in an untrusted environment. We make two basic claims: first, that it is feasible to realize our approach using existing hardware and software solutions, and second, that integrity verification can be done at a relatively small overhead. To evaluate feasibility, we have realized our approach using current software and hardware solutions. To measure overhead, we have conducted a case study using a collection of Web service implementations available with the Apache Axis implementation.
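The abstract's core idea is that a monitor running on an untrusted host cannot vouch for itself, so a hardware root of trust measures the monitor and a signed statement of that measurement is what the client or broker validates. The following is an added illustration of that general flow, not the Tisa implementation: it simulates a TPM-style register that is extended with the hash of the monitor as it is loaded, a quote over that register bound to a verifier-chosen nonce, and the verifier-side check against the measurement of the monitor the parties negotiated. The monitor "binaries", the attestation key and all function names are constructed for the example; an HMAC with a key the host never sees stands in for the TPM's asymmetric attestation signature.

```python
"""Simulated hardware-rooted attestation of an SLA monitor on an untrusted host.

Added example, not code from the paper. Models the generic TPM flow: measure the
component being loaded into a PCR, have the hardware sign (quote) the PCR together
with a fresh nonce, and let the client/broker compare against a reference value.
"""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32

# Constructed sample "binaries"; a real deployment hashes the monitor executable and
# its configuration exactly as loaded on the provider host.
MONITOR_CODE = b"sla-monitor v1: record response latency per request, report p99"
TAMPERED_MONITOR_CODE = b"sla-monitor v1: record response latency per request, report p99 minus 200ms"
ATTESTATION_KEY = b"example-attestation-key-sealed-in-hardware"  # hypothetical; never leaves the TPM


def measure(blob: bytes) -> bytes:
    """Measurement = SHA-256 of the component about to run."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR := H(PCR || m). Order-sensitive and one-way, so a component
    cannot 'un-measure' itself once it has been loaded."""
    return hashlib.sha256(pcr + measurement).digest()


class HardwareRootOfTrust:
    """Stand-in for the TPM on the provider host. The host OS can ask it to extend
    the PCR and to produce a quote, but cannot read the attestation key or write
    the PCR directly."""

    def __init__(self, attestation_key: bytes) -> None:
        self._key = attestation_key
        self.pcr = PCR_INIT

    def extend(self, blob: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, measure(blob))

    def quote(self, nonce: bytes) -> dict:
        """Quote = current PCR bound to the verifier's nonce and signed by the key
        held in hardware (HMAC here stands in for the TPM's asymmetric signature)."""
        sig = hmac.new(self._key, self.pcr + nonce, "sha256").digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}


def expected_pcr(components: list) -> bytes:
    """Reference value the client/broker derives from the monitor it negotiated."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def verify_quote(quote: dict, nonce: bytes, attestation_key: bytes, expected: bytes) -> tuple:
    """Verifier-side validation. Returns (ok, reason). Checks freshness, origin
    and content, in that order, using constant-time comparisons."""
    if not hmac.compare_digest(quote["nonce"], nonce):
        return False, "nonce mismatch: stale or replayed quote"
    sig = hmac.new(attestation_key, quote["pcr"] + quote["nonce"], "sha256").digest()
    if not hmac.compare_digest(quote["sig"], sig):
        return False, "bad signature: quote did not come from the hardware root of trust"
    if not hmac.compare_digest(quote["pcr"], expected):
        return False, "measurement mismatch: monitor differs from the negotiated one"
    return True, "monitor integrity verified"


def run_scenario(monitor_blob: bytes) -> tuple:
    """Provider loads a monitor; the client attests it before trusting its SLA reports."""
    tpm = HardwareRootOfTrust(ATTESTATION_KEY)
    tpm.extend(monitor_blob)            # provider host loads (and thereby measures) the monitor
    nonce = os.urandom(16)              # client challenge
    quote = tpm.quote(nonce)            # provider returns the hardware-signed quote
    return verify_quote(quote, nonce, ATTESTATION_KEY, expected_pcr([MONITOR_CODE]))


def replay_scenario() -> tuple:
    """A host that captured an earlier valid quote cannot reuse it for a new challenge."""
    tpm = HardwareRootOfTrust(ATTESTATION_KEY)
    tpm.extend(MONITOR_CODE)
    old_quote = tpm.quote(os.urandom(16))
    fresh_nonce = os.urandom(16)
    return verify_quote(old_quote, fresh_nonce, ATTESTATION_KEY, expected_pcr([MONITOR_CODE]))


if __name__ == "__main__":
    print(run_scenario(MONITOR_CODE))           # (True, 'monitor integrity verified')
    print(run_scenario(TAMPERED_MONITOR_CODE))  # (False, 'measurement mismatch: ...')
    print(replay_scenario())                    # (False, 'nonce mismatch: ...')
```

Two caveats a practitioner should keep in mind with this pattern. First, a real verifier does not share a secret with the TPM; it validates an asymmetric signature under a public key that chains to the hardware vendor, and the reference measurement must come from the monitor the parties actually negotiated, otherwise a provider can attest a weaker monitor of its own choosing. Second, a quote only proves what was loaded at measurement time; it says nothing about runtime tampering after the fact, which is why the overhead of repeated or continuous verification matters, as the abstract's second claim addresses.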
