Semantics-Based Design for Secure Web Services

We outline a methodology for designing and composing services in a secure manner. In particular, we are concerned with safety properties of service behavior. Services can enforce security policies locally and can invoke other services that respect given security contracts. This call-by-contract mechanism offers a significant set of opportunities, each driving secure ways to compose services. We discuss how we can correctly plan service compositions in several relevant classes of services and security properties. With this aim, we propose a graphical modeling framework based on a foundational calculus called λ^req [13]. Our formalism features dynamic and static semantics, thus allowing for formal reasoning about systems. Static analysis and model checking techniques provide the designer with useful information to assess and fix possible vulnerabilities.

[1] Mike P. Papazoglou, et al. Introduction: Service-oriented computing, 2003, CACM.

[2] Gian Luigi Ferrari, et al. Planning and verifying service composition, 2009, J. Comput. Secur.

[3] Gian Luigi Ferrari, et al. History-Based Access Control with Local Policies, 2005, FoSSaCS.

[4] Roberto Gorrieri, et al. SOCK: A calculus for service oriented computing, 2006.

[5] Mike P. Papazoglou, et al. Introduction to the Special Issue on Service-Oriented Computing, 2003.

[6] Marko C. J. D. van Eekelen, et al. Term Graph Rewriting, 1987, PARLE.

[7] Thomas Beth, et al. Trust relationships in secure systems-a distributed authentication perspective, 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[8] Marco Carbone, et al. Structured Global Programming for Communication Behaviour, 2006.

[9] Priya Narasimhan, et al. Special Issue Service-Oriented Computing, 2008.

[10] Gian Luigi Ferrari, et al. Security Issues in Service Composition, 2006, FMOODS.

[11] Laura Bocchi, et al. A Formal Approach to Service Component Architecture, 2006, WS-FM.

[12] Massimo Bartoletti, et al. Plans for service composition, 2006.

[13] D. Box, et al. Simple object access protocol (SOAP) 1.1, 2000.

[14] V.V.S. Raveendra. Inside java 2 platform security: architecture, API design and implementation [Book Review], 2002, IEEE Software.

[15] A. J. Nijman, et al. PARLE Parallel Architectures and Languages Europe, 1987, Lecture Notes in Computer Science.

[16] Fred B. Schneider, et al. Enforceable security policies, 2000, TSEC.

[17] Daniel Roth, et al. Web Services Policy Framework (WS-Policy), 2002.

[18] Scott F. Smith, et al. History Effects and Verification, 2004, APLAS.

[19] Jayadev Misra, et al. A programming model for the orchestration of Web services, 2004, Proceedings of the Second International Conference on Software Engineering and Formal Methods, 2004. SEFM 2004.

[20] Carlo Montangero, et al. Barbed Model-Driven Software Development: A Case Study, 2008, Electron. Notes Theor. Comput. Sci.

[21] Roberto Gorrieri, et al. Choreography and Orchestration: A Synergic Approach for System Design, 2005, ICSOC.

[22] Werner Vogels, et al. Web Services Are Not Distributed Objects, 2003, Int. CMG Conference.

[23] Flemming Nielson, et al. Principles of Program Analysis, 1999, Springer Berlin Heidelberg.

[24] Shige Peng. UDDI Technical White Paper, 2000.

[25] Martín Abadi, et al. Access Control Based on Execution History, 2003, NDSS.

[26] Andrea Maurino, et al. NON-FUNCTIONAL PROPERTIES IN WEB SERVICES, 2006.

[27] Gian Luigi Ferrari, et al. Enforcing secure service composition, 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[28] Roberto Gorrieri, et al. Choreography and Orchestration Conformance for System Design, 2006, COORDINATION.

[29] Nobuko Yoshida, et al. Structured Communication-Centred Programming for Web Services, 2007, ESOP.

[30] Anindya Banerjee, et al. History-Based Access Control and Secure Information Flow, 2004, CASSIS.

[31] Francisco Curbera, et al. Web Services Business Process Execution Language Version 2.0, 2007.

[32] Bob Atkinson. Web Services Security (WS-Security), 2003.

[33] Andrew D. Gordon, et al. Secure sessions for Web services, 2004, TSEC.

[34] Francesco Tiezzi, et al. A Calculus for Orchestration of Web Services, 2007, ESOP.

[35] Gian Luigi Ferrari, et al. JSCL: A Middleware for Service Coordination, 2006, FORTE.

[36] Wil M. P. van der Aalst, et al. Workflow Patterns, 2004, Distributed and Parallel Databases.

[37] D. Box, et al. Simple Object Access Protocol (SOAP) 1.1, W3C Note, 2000.

[38] Atsushi Igarashi, et al. Resource usage analysis, 2002, POPL '02.

[39] Gustavo Alonso, et al. Web Services: Concepts, Architectures and Applications, 2009.

[40] Allan Clark, et al. Semantic-Based Development of Service-Oriented Systems, 2006, FORTE.

[41] Sebastián Uchitel, et al. Model-based verification of Web service compositions, 2003, 18th IEEE International Conference on Automated Software Engineering, 2003. Proceedings.

[42] Andrew D. Gordon, et al. A semantics for web services authentication, 2004, Theor. Comput. Sci.

[43] Vipin Chaudhary, et al. History-based access control for mobile code, 1998, CCS '98.

[44] Philip W. L. Fong. Access control by tracking shallow execution history, 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[45] Li Gong, et al. Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 1999.

[46] Giovanni Della-Libera, et al. Web Services Trust Language (WS-Trust), 2002.

[47] Roberto Bruni, et al. Theoretical foundations for compensations in flow composition languages, 2005, POPL '05.

[48] Mike P. Papazoglou, et al. Service-oriented computing: concepts, characteristics and directions, 2003, Proceedings of the Fourth International Conference on Web Information Systems Engineering, 2003. WISE 2003.

[49] 大島 正嗣, et al. On the Simple Object Access Protocol and the combination of software as its application (special issue commemorating the retirement of Professor 渡邉昭夫), 2001.

[50] Gian Luigi Ferrari, et al. Types and Effects for Resource Usage Analysis, 2007, FoSSaCS.

[51] Michael Stal, et al. Web services: beyond component-based computing, 2002, CACM.

[52] Gian Luigi Ferrari, et al. Types and effects for secure service orchestration, 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[53] Stefan Tai, et al. The next step in Web services, 2003, CACM.

[54] Roberto Bruni, et al. SCC: A Service Centered Calculus, 2006, WS-FM.