Skip to main content
SpringerLink
Log in

A Robust Framework for Securing Composed Web Services

  • Conference paper
  • First Online:
Formal Aspects of Component Software (FACS 2015)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 9539))

Included in the following conference series:

Abstract

This paper proposes a framework that automatically checks and configures data security in Web Services starting from high level business requirements. We consider BPEL-based composed Web Services. BPEL processes and initial security parameters are represented as component-based models labeled with security annotations. These models are formal and enable automated analysis and synthesis of security configurations, under the guidance of the service designer. The security property considered is the non-interference. The overall approach is practical since security is defined separately from functional processes and automatically verified. We illustrate its utility to solve intricate security problems using a smart grid application.

The research leading to these results has received funding from the European Community’s Seventh Framework Programme [FP7/2007-2013] under grant agreement ICT-318772 (D-MILS).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Walsh, A.: UDDI, SOAP, and WSDL: The Web Services Specification Reference Book. Prentice Hall, Upper Saddle River (2002)

    Google Scholar 

  2. Juric, M.B.: Business Process Execution Language for Web Services BPEL and BPEL4WS, 2nd edn. Packt Publishing, Birmingham (2006)

    Google Scholar 

  3. Damiani, E., di Vimercati, S.D.C., Paraboschi, S., Samarati, P.: Securing SOAP e-services. Int. J. Inf. Secur. 1(2), 100–115 (2002)

    Article  MATH  Google Scholar 

  4. Della-Libera, G., Gudgin, M., Hallam-Baker, P., Hondo, M., Granqvist, H., Kaler, C., Maruyama, H., McIntosh, M., Nadalin, A., Nagaratnam, N., Philpott, R., Prafullchandra, H., Shewchuk, J., Walter, D., Zolfonoon, R.: Web services security policy language (WS-SECURITYPOLICY). Technical report (2005)

    Google Scholar 

  5. Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)

    Google Scholar 

  6. Bozga, M., Ben Said, N., Abdellatif, T., Bensalem, S.: Model-driven information flow security for component-based systems. In: Bensalem, S., Lakhneck, Y., Legay, A. (eds.) From Programs to Systems. LNCS, vol. 8415, pp. 1–20. Springer, Heidelberg (2014)

    Google Scholar 

  7. Ben Said, N., Abdellatif, T., Bensalem, S., Bozga, M.: Model-driven information flow security for component-based systems. Technical report TR-2013-7, VERIMAG. http://www-verimag.imag.fr/TR/TR-2013-7.pdf

  8. Rushby, J.: Noninterference, transitivity, and channel-control security policies. Technical report CSL-92-2, SRI International (1992)

    Google Scholar 

  9. Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9, 410–442 (2000)

    Article  Google Scholar 

  10. Andrews, T., Curbera, F., Dholakia, H., Goland, Y., Klein, J., Leymann, F., Liu, K., Roller, D., Smith, D., Thatte, S., Trickovic, I., Weerawarana, S.: BPEL4WS, Business Process Execution Language for Web Services Version 1.1. IBM (2003)

    Google Scholar 

  11. Stachtiari, E., Mentis, A., Katsaros, P.: Rigorous analysis of service composability by embedding WS-BPEL into the BIP component framework. In: 2012 IEEE 19th International Conference on Web Services, pp. 319–326 (2012)

    Google Scholar 

  12. Basu, A., Bensalem, S., Bozga, M., Combaz, J., Jaber, M., Nguyen, T.H., Sifakis, J.: Rigorous component-based design using the BIP framework. IEEE Softw. 28(3), 41–48 (2011). Special Edition - Software Components beyond Programming - from Routines to Services

    Article  Google Scholar 

  13. Koss, D., Sellmayr, F., Bauereiss, S., Bytschkow, D., Gupta, P., Schaetz, B.: Establishing a smart grid node architecture and demonstrator in an office environment using the SOA approach. In: First International Workshop on Software Engineering Challenges for the Smart Grid, SE4SG, pp. 8–14 (2012)

    Google Scholar 

  14. Corporation., I.B.M.: Using BPEL processes in WebSphere Business Integration Server Foundation. IBM, International Technical Support Organization (2004)

    Google Scholar 

  15. Microsoft Development network. http://msdn.microsoft.com/

  16. Tatsubori, M., Imamura, T., Nakamura, Y.: Best-practice patterns and tool support for configuring secure web services messaging. In: IEEE International Conference on Web Services (ICWS 2004), pp. 244–251 (2004)

    Google Scholar 

  17. Busi, N., Gorrieri, R.: A survey on non-interference with petri nets. In: Desel, J., Reisig, W., Rozenberg, G. (eds.) Lectures on Concurrency and Petri Nets. LNCS, vol. 3098, pp. 328–344. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  18. Busi, N., Gorrieri, R.: Structural non-interference in elementary and trace nets. Math. Struct. Comput. Sci. 19(6), 1065–1090 (2009)

    Article  MATH  MathSciNet  Google Scholar 

  19. Movahednejad, H., Ibrahim, S.B., Sharifi, M., Selamat, H.B., Tabatabaei, S.G.H.: Security-aware web service composition approaches: State-of-the-art. In: 13th International Conference on Information Integration and Web-based Applications and Services, iiWAS 2011, pp. 112–121. ACM (2011)

    Google Scholar 

  20. She, W., Yen, I., Thuraisingham, B.M.: Enhancing security modeling for web services using delegation and pass-on. Int. J. Web Service Res. 7(1), 1–21 (2010)

    Article  Google Scholar 

  21. Demongeot, T., Totel, E., Traon, Y.L.: Preventing data leakage in service orchestration. In: 7th International Conference on Information Assurance and Security, IAS 2011, pp. 122–127 (2011)

    Google Scholar 

  22. Zorgati, H., Abdellatif, T.: Sewsec:a secure web service composer using information flow control. In: Sixth International Conference on Risks and Security of Internet and Systems, CRiSIS 2011, pp. 62–69 (2011)

    Google Scholar 

  23. Abdellatif, T., Sfaxi, L., Robbana, R., Lakhnech, Y.: Automating information flow control in component-based distributed systems. In: 14th International ACM Sigsoft Symposium on Component Based Software Engineering, CBSE 2011, pp. 73–82. ACM (2011)

    Google Scholar 

  24. Reinhartz-Berger, I., Sturm, A., Clark, T., Cohen, S., Bettin, J. (eds.): Domain Engineering, Product Lines, Languages, and Conceptual Models. Springer, New York (2013)

    Google Scholar 

  25. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: 22nd IEEE Computer Security Foundations Symposium, CSF 2009, pp. 43–59 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University Grenoble Alpes, VERIMAG, 38000, Grenoble, France

    Najah Ben Said & Saddek Bensalem

  2. CNRS, VERIMAG, 38000, Grenoble, France

    Marius Bozga

  3. Tunisia Polytechnic School, University of Carthage, Tunis, Tunisia

    Takoua Abdellatif

Authors
  1. Najah Ben Said
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Takoua Abdellatif
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Saddek Bensalem
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Marius Bozga
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marius Bozga .

Editor information

Editors and Affiliations

  1. Universidade Federal Fluminense, Niterói, Brazil

    Christiano Braga

  2. University of Oslo, Oslo, Norway

    Peter Csaba Ölveczky

Appendix

Appendix

Figure 7 shows a transformation of the SMG process of the smart grid system given as BPEL workflow, into an atomic component. The behavior of the atomic component represents the activities given in the BPEL process.

Fig. 7.
figure 7

Translation of the SMG component

Full size image

The designer input configuration file includes an acts_for relation as well as some annotated variables. Here we presented an example of a configuration file of the smart grid system. In this xml file we define \(\langle \) authority \(/\rangle \) to different system components representing the acts_for relation. Moreover, we specify by \(\langle \) var_config \(/\rangle \) the annotations of variables from different atomic components (processes).

figure d

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Ben Said, N., Abdellatif, T., Bensalem, S., Bozga, M. (2016). A Robust Framework for Securing Composed Web Services. In: Braga, C., Ölveczky, P. (eds) Formal Aspects of Component Software. FACS 2015. Lecture Notes in Computer Science(), vol 9539. Springer, Cham. https://doi.org/10.1007/978-3-319-28934-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-28934-2_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28933-5

  • Online ISBN: 978-3-319-28934-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation