Tisa: Towards Trustworthy Services in a Service-oriented Architecture

Verifying whether a service implementation conforms to its service-level agreements is important to inspire confidence in services in a service-oriented architecture. A part of these agreements, in particular those that are functional in nature, can be checked by observing the published interface of the service, but other agreements that are more non-functional in nature are often verified by deploying a monitor that observes the execution of the service implementation. A key problem is that such a monitor must execute in an untrusted environment (at the service provider's site). Thus, the trustworthiness of the results reported by such a monitor crucially depends on the integrity of the monitor itself. The key technical contribution of this article is an extension of the traditional notion of a service-oriented architecture that allows clients, brokers and providers to negotiate and validate the integrity of a requirements monitor. We describe an approach, built on a hardware-based root of trust, for verifying the integrity of a requirements monitor executing in an untrusted environment. We make two basic claims: first, that it is feasible to realize our approach using existing hardware and software solutions, and second, that integrity verification can be done at a relatively small overhead. To evaluate our feasibility claim, we present a realization of our approach using a commercial requirements monitor. To measure overhead, we have conducted a case study using a collection of web service implementations available with Apache Axis.
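The flow the abstract describes, with the provider measuring the monitor into a hardware root of trust and the client or broker validating that measurement against the negotiated monitor, as an added Python simulation that is not the paper's or Tisa's code. It assumes a simulated TPM with a single extend-only PCR, uses HMAC in place of the TPM's asymmetric attestation-key signature, and all component bytes are constructed sample values.

```python
import hashlib
import hmac
import os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class SimulatedTPM:
    """Stand-in for the hardware root of trust: an extend-only PCR plus a quote signed
    with a key the provider's software cannot read (assumption: HMAC replaces the AIK)."""
    def __init__(self, aik_secret: bytes) -> None:
        self._aik = aik_secret
        self.pcr = bytes(32)                         # PCR starts as 32 zero bytes
    def extend(self, measurement: bytes) -> None:
        self.pcr = sha256(self.pcr + measurement)    # PCR := H(PCR || measurement)
    def quote(self, nonce: bytes) -> dict:
        sig = hmac.new(self._aik, self.pcr + nonce, hashlib.sha256).digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}

def provider_measured_load(tpm: SimulatedTPM, components) -> None:
    # Provider side: each component is measured into the PCR before it runs.
    for c in components:
        tpm.extend(sha256(c))

def reference_pcr(components) -> bytes:
    # Client/broker side: replay the negotiated measurement sequence on a software PCR.
    golden = SimulatedTPM(b"")
    provider_measured_load(golden, components)
    return golden.pcr

def verify_quote(quote: dict, nonce: bytes, aik_secret: bytes, reference: bytes):
    # Client side: check freshness, then the signature, then the measurement itself.
    if quote["nonce"] != nonce:
        return False, "stale or replayed quote"
    expected = hmac.new(aik_secret, quote["pcr"] + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "quote not signed by the hardware attestation key"
    if not hmac.compare_digest(quote["pcr"], reference):
        return False, "monitor or SLA policy differs from the negotiated version"
    return True, "requirements monitor integrity verified"

# Constructed sample components: a loader, the negotiated monitor binary and its SLA policy.
LOADER, MONITOR, POLICY = b"loader-v1", b"monitor-v1", b"sla: response time < 200 ms"

def attest(deployed_monitor: bytes, replay_nonce=None):
    # One attestation round against a provider that actually deployed `deployed_monitor`.
    aik = b"simulated-aik-secret"                    # would never leave a real TPM
    tpm = SimulatedTPM(aik)
    provider_measured_load(tpm, (LOADER, deployed_monitor, POLICY))
    nonce = os.urandom(16)                           # client-chosen challenge
    quote = tpm.quote(nonce if replay_nonce is None else replay_nonce)
    return verify_quote(quote, nonce, aik, reference_pcr((LOADER, MONITOR, POLICY)))
```

A provider that swaps in a modified monitor, or replays an old quote, fails verification even though the monitor's reported SLA results would look plausible.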
