Abstract
CaPiTo allows service-oriented applications to be modelled with process algebras at three levels of abstraction. The abstract level focuses on the key functionality of the services; the plug-in level shows how security is obtained from standardised protocol stacks; finally, the concrete level allows one to consider how security is obtained using asymmetric and symmetric cryptographic primitives. The CaPiTo approach therefore caters for the variety of developers who need to cooperate on designing and implementing service-oriented applications. We show how to formally analyse CaPiTo specifications in order to ensure the absence of security flaws. The method is based on static analysis of the corresponding LySa specifications. We illustrate the development on two industrial case studies: one taken from the banking sector and the other a single sign-on protocol.
Additional information
Jim Woodcock
Gao, H., Nielson, F. & Nielson, H.R. CaPiTo: protocol stacks for services. Form Asp Comp 23, 541–565 (2011). https://doi.org/10.1007/s00165-011-0174-7