Multimedia Tools and Applications

, Volume 66, Issue 2, pp 283–302 | Cite as

Behavioral Attestation for Web Services using access policies

  • Masoom AlamEmail author
  • Xinwen Zhang
  • Mohammad Nauman
  • Tamleek Ali
  • Muhammad Ali
  • Sajid Anwar
  • Quratulain Alam


Service Oriented Architecture with underlying technologies like web services and web service orchestration opens new vistas for integration among business processes operating in heterogeneous environments. However, such dynamic collaborations require a highly secure environment at each respective business partner site. Existing web services standards address the issue of security only on the service provider platform. The partner platforms to which sensitive information is released have till now been neglected. Remote Attestation is a relatively new field of research which enables an authorized party to verify that a trusted environment actually exists on a partner platform. To incorporate this novel concept in to the web services realm, a new mechanism called WS-Attestation has been proposed. This mechanism provides a structural paradigm upon which more fine-grained solutions can be built. In this paper, we present a novel framework, Behavioral Attestation for Web Services, in which XACML is built on top of WS-Attestation in order to enable more flexible remote attestation at the web services level. We propose a new type of XACML policy called XACML behavior policy, which defines the expected behavior of a partner platform. Existing web service standards are used to incorporate remote attestation at the web services level and a prototype is presented, which implements XACML behavior policy using low-level attestation techniques.


Trusted computing Remote attestation Behavioral attestation Usage control Web services Delegation 


  1. 1.
    Alam M, Li Q, Zhang X, Seifert JP (2008) Usage control platformization via trustworthy selinux. In: ASIACCS’08: proceedings of the 2008 ACM symposium on information, computer and communications securityGoogle Scholar
  2. 2.
    Alam M, Seifert JP, Zhang X (2007) A model-driven framework for trusted computing based systems. In: EDOC ’07: proceedings of the 11th IEEE international enterprise distributed object computing conference. IEEE Computer Society, Washington, p 75CrossRefGoogle Scholar
  3. 3.
    Alam M, Zhang X, Nauman M, Ali T, Seifert J (2008) Model-based Behavioral Attestation. In: SACMAT ’08: proceedings of the thirteenth ACM symposium on access control models and technologies. ACM Press, New YorkGoogle Scholar
  4. 4.
    Anderson A, Lockhart H (2005) SAML 2.0 profile of XACML v2. 0. OASIS Standard, vol 1Google Scholar
  5. 5.
    Anderson S, Bohren J, Boubez T, Chanliau M, Della-Libera G, Dixon B, Garg P, Gudgin M, Hallam-Baker P, Hondo M, et al (2005) Web services trust language (ws-trust). Public draft release, Actional Corporation, BEA Systems, Computer Associates International, International Business Machines Corporation, Layer, vol 7Google Scholar
  6. 6.
    Atkinson B, Della-Libera G, Hada S, Hondo M, Hallam-Baker P, Klein J, LaMacchia B, Leach P, Manferdelli J, Maruyama H, et al (2002) Web Services Security (WS-Security). IBM developerWorks, Accessed 2002
  7. 7.
    Bajaj S, Box D, Chappell D, Curbera F, Daniels G, Hallam-Baker P, Hondo M, Kaler C, Langworthy D, Malhotra A, et al (2006) Web services policy framework (ws-policy). Version 1(2):2003–2006Google Scholar
  8. 8.
    Devices A (2005) AMD64 virtualization: secure virtual machine architecture reference manual. AMD Publication, vol 33047Google Scholar
  9. 9.
    Grawrock D (2005) The Intel safer computing initiative building blocks for trusted computing. Intel Press, Accessed 2005
  10. 10.
    IAIK (2005) Iaik: institute for applied information processing and communications, graz university of technology. Avaialable at: Accessed 2005
  11. 11.
    Jaeger T, Sailer R, Shankar U (2006) PRIMA: policy-reduced integrity measurement architecture. In: SACMAT ’06: proceedings of the eleventh ACM symposium on access control models and technologies. ACM Press, New York, pp 19–28. doi: 10.1145/1133058.1133063 CrossRefGoogle Scholar
  12. 12.
    Lorch M, Proctor S, Lepro R, Kafura D, Shah S (2003) First experiences using xacml for access control in distributed systems. In: XMLSEC ’03: proceedings of the 2003 ACM workshop on XML security. ACM, New York, pp 25–37. doi: 10.1145/968559.968563 CrossRefGoogle Scholar
  13. 13.
    Mayer F, MacMillan K, Caplan D (2006) SELinux by example: using security enhanced linux. Prentice HallGoogle Scholar
  14. 14.
    McCarty B (2004) SELinux: NSA’s open source security enhanced linux. O’Reilly Media, IncGoogle Scholar
  15. 15.
    Moses T, et al (2005) Extensible access control markup language (xacml) version 2.0. Oasis Standard, vol 200502Google Scholar
  16. 16.
    Nagarajan A, Varadharajan V, Hitchens M (2007) Trust management for trusted computing platforms in web services. In: STC 07: the second ACM workshop on scalable trusted computing, under ACM CCS 07. ACM, VirginiaGoogle Scholar
  17. 17.
    Park J, Sandhu R (2002) Towards usage control models: beyond traditional access control. In: SACMAT ’02: proceedings of the seventh ACM symposium on access control models and technologies. ACM Press, New York, pp 57–64. doi: 10.1145/507711.507722 CrossRefGoogle Scholar
  18. 18.
    Pearson S (2002) Trusted computing platforms: TCPA technology in context. Prentice Hall PTR, Upper Saddle RiverGoogle Scholar
  19. 19.
    Proctor S (2006) Sun’s XACML implementation APIs.
  20. 20.
    Sadeghi AR, Stüble C (2004) Property-based attestation for computing platforms: caring about properties, not mechanisms. In: NSPW ’04: proceedings of the 2004 workshop on new security paradigms. ACM Press, New York, pp 67–77. doi: 10.1145/1065907.1066038 Google Scholar
  21. 21.
    Safford D, Kravitz J, van Doorn L (2003) Take control of TCPA. Linux J 2003(112):2Google Scholar
  22. 22.
    Sailer R, Zhang X, Jaeger T, van Doorn L (2004) Design and implementation of a TCG-based integrity measurement architecture. In: SSYM’04: proceedings of the 13th conference on USENIX security symposium. USENIX Association, Berkeley, pp 16–16Google Scholar
  23. 23.
    Shi E, Perrig A, Doorn LV (2005) BIND: a fine-grained attestation service for secure distributed systems. In: SP ’05: proceedings of the 2005 IEEE symposium on security and privacy. IEEE Computer Society, Washington, pp 154–168.  10.1109/SP.2005.4 CrossRefGoogle Scholar
  24. 24.
    Song Z, Lee S, Masuoka R (2006) Trusted web service. In: The second workshop on advances in trusted computing (WATC06 Fall). Ivy Hall Aogaku Kaikan, Tokyo, JapanGoogle Scholar
  25. 25.
    TCG: Trusted computing group (2000) Available at: Accessed 2000
  26. 26.
    Trusted-Java: Jsr321: Trusted computing api for java(tm) (2009) Available at: Accessed 2009
  27. 27.
    Yoshihama S, Ebringer T, Nakamura M, Munetoh S, Mishina T, Maruyama H (2007) WS-attestation: enabling trusted computing on web services. Test and analysis of web services, pp 441–469Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Masoom Alam
    • 1
    Email author
  • Xinwen Zhang
    • 2
  • Mohammad Nauman
    • 1
  • Tamleek Ali
    • 1
  • Muhammad Ali
    • 1
  • Sajid Anwar
    • 1
  • Quratulain Alam
    • 1
  1. 1.Security Engineering Research Group (SERG)Institute of Management Sciences (IMSciences)HayatabadPakistan
  2. 2.Huawei Research CenterSanta ClaraUSA

Personalised recommendations