Abstract
Although cloud computing provides customers with various services at its SaaS layer, little work has been done on security checking of the messages exchanged between a customer and a service provider at the SaaS layer in order to protect SaaS. In this paper we propose a validation model to investigate this SaaS security issue. Rather than installing a set of probes, as we have done for the testing of web services, in this model we introduce a validation service that plays the role of a firewall and protects our SaaS by verifying the correctness of messages with respect to a set of predefined security rules, forwarding them to their real destinations if they pass the verification and rejecting them otherwise. We develop a prototype of the model based on the tool RV4WS, which was developed in our earlier study on web service runtime verification, together with a checking engine, RVEngine, to verify our checking algorithm for the model. A survey on how to use this model for services deployed on Google App Engine, Windows Azure and Oracle Java Cloud Service is also presented.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cao, TD., Chiew, K. (2013). Protecting Software as a Service in the Clouds by Validation. In: Ghose, A., et al. Service-Oriented Computing - ICSOC 2012 Workshops. ICSOC 2012. Lecture Notes in Computer Science, vol 7759. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37804-1_5
DOI: https://doi.org/10.1007/978-3-642-37804-1_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37803-4
Online ISBN: 978-3-642-37804-1
eBook Packages: Computer Science (R0)