On the verification of security-aware E-services

Web services that provide E-commerce capabilities to support business transactions over the Internet are increasingly widespread. The development of such services involves several security issues, ranging from authentication to the management of access to shared resources according to a given business model. The capability of validating designs against fast-evolving requirements is of paramount importance for adapting business models to changing regulations and rapidly evolving market needs. Techniques for the specification and automated analysis of web services used in security-sensitive applications are therefore crucial in the development of these systems. In this paper, we propose an extension of the relational transducers introduced by Abiteboul, Vianu, Fordham, and Yesha for the specification of the transaction protocols of web services and their security properties. We investigate the decidability of relevant verification problems, namely goal reachability (for the validation of use-case scenarios) and log validation (for detecting frauds), and provide sufficient conditions for their decidability. The extension we propose is two-fold. First, we add constraints to specify the algebraic structure of the resources manipulated by the transducers. Second, recursion is allowed (only) in policy rules, to express important policy idioms such as delegation. Technically, decidability is obtained by a reduction to a decidable class of first-order formulae, together with a fix-point computation to handle recursion.
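As an added illustration (not the paper's own formalism, and not code from its authors), the Python sketch below models a tiny relational transducer for account withdrawals: a recursive delegation policy is evaluated by least fix-point, the balance relation carries the algebraic constraint that it never goes negative, and a log-validation routine replays recorded inputs to flag outputs the transducer could not have produced. All relation names, accounts and the log are constructed sample data.

```python
"""Added illustration, not the paper's model: a toy relational transducer
with a recursive delegation policy and a log-validation replay.
Every relation, account name and log entry here is constructed sample data."""


def authorized(owns, delegates):
    # Least fix-point of the recursive policy rules
    #   can_withdraw(U, A) :- owns(U, A).
    #   can_withdraw(V, A) :- can_withdraw(U, A), delegates(U, V, A).
    # Recursion lives only in the policy, mirroring the extension described above.
    perm = set(owns)
    while True:
        derived = {(v, a) for (u, a) in perm
                   for (d, v, a2) in delegates if d == u and a2 == a}
        if derived <= perm:
            return perm
        perm |= derived


def transition(balances, perm, event):
    # One transducer step: input withdraw(User, Acct, Amount) yields an output
    # tuple and an updated state. The algebraic constraint on the resource is
    # that balances are non-negative integers, so overdrafts are rejected.
    user, acct, amount = event
    if (user, acct) in perm and balances.get(acct, 0) >= amount:
        new = dict(balances)
        new[acct] = new.get(acct, 0) - amount
        return new, ("approve", user, acct, amount)
    return balances, ("reject", user, acct, amount)


def validate_log(balances, owns, delegates, log):
    # Log validation: replay the recorded inputs from the initial state and
    # report each recorded output that differs from what the transducer emits.
    perm = authorized(owns, delegates)
    problems = []
    for i, (event, recorded) in enumerate(log):
        balances, expected = transition(balances, perm, event)
        if recorded != expected:
            problems.append((i, recorded, expected))
    return problems


# Constructed sample run: alice owns acct1 and delegates to bob, who delegates to carol.
OWNS = {("alice", "acct1")}
DELEGATES = {("alice", "bob", "acct1"), ("bob", "carol", "acct1")}
LOG = [
    (("carol", "acct1", 30), ("approve", "carol", "acct1", 30)),   # valid via chain
    (("dave", "acct1", 10), ("approve", "dave", "acct1", 10)),     # dave never authorized
    (("alice", "acct1", 100), ("reject", "alice", "acct1", 100)),  # insufficient funds
]

if __name__ == "__main__":
    print(validate_log({"acct1": 100}, OWNS, DELEGATES, LOG))
```

The replay flags only the second entry, whose recorded approval the policy and balance constraint cannot justify.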
