End to end security in service oriented architecture

Azarmi, Mehdi Ph.D., Purdue University, May 2016. End-to-End Security in Service-Oriented Architecture. Major Professor: Bharat Bhargava.

A service-oriented architecture (SOA)-based application is composed of a number of distributed and loosely coupled web services, which are orchestrated to accomplish a more complex functionality. Any of these web services is able to invoke other web services to offload part of its functionality. The main security challenge in SOA is that we cannot trust the participating web services in a service composition to behave as expected all the time. In addition, the chain of services involved in an end-to-end service invocation may not be visible to the clients. As a result, any violation of the client's policies could remain undetected.

To address these challenges in SOA, we proposed the following contributions. First, we devised two composite trust schemes by using graph abstraction to quantitatively maintain the trust levels of different services. The composite trust values are based on feedback from the actual execution of services and on the structure of the SOA application. To maintain the dynamic trust, we designed the trust manager, which is a trusted third-party service. Second, we developed an end-to-end inter-service policy monitoring and enforcement framework (PME framework), which is able to dynamically inspect the interactions between services at runtime and react to potentially malicious activities according to the client's policies. Third, we designed an intra-service policy monitoring and enforcement framework based on a taint analysis mechanism to monitor the information flow within services and prevent information disclosure incidents. Fourth, we proposed an adaptive and secure service composition engine (ASSC), which takes advantage of an efficient heuristic algorithm to generate optimal service compositions in SOA. The service compositions generated by ASSC maximize the trustworthiness of the selected
