Logic-based Management of Security in Web Services

The increasing use of the web as the platform for delivering business processes gives rise to the need to protect both the sensitive data exchanged over the Internet and the applications using these data. In this context, authentication, integrity and confidentiality of exchanged messages are required during interactions between processes, and are commonly called WS* specifications. In this paper, we propose a formal specification of the above security requirements and of the corresponding assertions in the exchanged messages, built on the XSB logic programming language. Our framework analyzes the generated models and verifies that incoming messages fulfill the security requirements of a web service. Furthermore, it verifies the compatibility between two policies, which is a significant condition for guaranteeing secure end-to-end SOAP invocations and is not currently supported by WS* specifications.
