A Robust Framework for Securing Composed Web Services

  • Najah Ben Said
  • Takoua Abdellatif
  • Saddek Bensalem
  • Marius Bozga
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9539)


This paper proposes a framework that automatically checks and configures data security in Web Services starting from high level business requirements. We consider BPEL-based composed Web Services. BPEL processes and initial security parameters are represented as component-based models labeled with security annotations. These models are formal and enable automated analysis and synthesis of security configurations, under the guidance of the service designer. The security property considered is the non-interference. The overall approach is practical since security is defined separately from functional processes and automatically verified. We illustrate its utility to solve intricate security problems using a smart grid application.


Component-based systems Information flow security Non-interference Dependency flow graph Automated verification 


  1. 1.
    Walsh, A.: UDDI, SOAP, and WSDL: The Web Services Specification Reference Book. Prentice Hall, Upper Saddle River (2002)Google Scholar
  2. 2.
    Juric, M.B.: Business Process Execution Language for Web Services BPEL and BPEL4WS, 2nd edn. Packt Publishing, Birmingham (2006)Google Scholar
  3. 3.
    Damiani, E., di Vimercati, S.D.C., Paraboschi, S., Samarati, P.: Securing SOAP e-services. Int. J. Inf. Secur. 1(2), 100–115 (2002)zbMATHCrossRefGoogle Scholar
  4. 4.
    Della-Libera, G., Gudgin, M., Hallam-Baker, P., Hondo, M., Granqvist, H., Kaler, C., Maruyama, H., McIntosh, M., Nadalin, A., Nagaratnam, N., Philpott, R., Prafullchandra, H., Shewchuk, J., Walter, D., Zolfonoon, R.: Web services security policy language (WS-SECURITYPOLICY). Technical report (2005)Google Scholar
  5. 5.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)Google Scholar
  6. 6.
    Bozga, M., Ben Said, N., Abdellatif, T., Bensalem, S.: Model-driven information flow security for component-based systems. In: Bensalem, S., Lakhneck, Y., Legay, A. (eds.) From Programs to Systems. LNCS, vol. 8415, pp. 1–20. Springer, Heidelberg (2014)Google Scholar
  7. 7.
    Ben Said, N., Abdellatif, T., Bensalem, S., Bozga, M.: Model-driven information flow security for component-based systems. Technical report TR-2013-7, VERIMAG.
  8. 8.
    Rushby, J.: Noninterference, transitivity, and channel-control security policies. Technical report CSL-92-2, SRI International (1992)Google Scholar
  9. 9.
    Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9, 410–442 (2000)CrossRefGoogle Scholar
  10. 10.
    Andrews, T., Curbera, F., Dholakia, H., Goland, Y., Klein, J., Leymann, F., Liu, K., Roller, D., Smith, D., Thatte, S., Trickovic, I., Weerawarana, S.: BPEL4WS, Business Process Execution Language for Web Services Version 1.1. IBM (2003)Google Scholar
  11. 11.
    Stachtiari, E., Mentis, A., Katsaros, P.: Rigorous analysis of service composability by embedding WS-BPEL into the BIP component framework. In: 2012 IEEE 19th International Conference on Web Services, pp. 319–326 (2012)Google Scholar
  12. 12.
    Basu, A., Bensalem, S., Bozga, M., Combaz, J., Jaber, M., Nguyen, T.H., Sifakis, J.: Rigorous component-based design using the BIP framework. IEEE Softw. 28(3), 41–48 (2011). Special Edition - Software Components beyond Programming - from Routines to ServicesCrossRefGoogle Scholar
  13. 13.
    Koss, D., Sellmayr, F., Bauereiss, S., Bytschkow, D., Gupta, P., Schaetz, B.: Establishing a smart grid node architecture and demonstrator in an office environment using the SOA approach. In: First International Workshop on Software Engineering Challenges for the Smart Grid, SE4SG, pp. 8–14 (2012)Google Scholar
  14. 14.
    Corporation., I.B.M.: Using BPEL processes in WebSphere Business Integration Server Foundation. IBM, International Technical Support Organization (2004)Google Scholar
  15. 15.
    Microsoft Development network.
  16. 16.
    Tatsubori, M., Imamura, T., Nakamura, Y.: Best-practice patterns and tool support for configuring secure web services messaging. In: IEEE International Conference on Web Services (ICWS 2004), pp. 244–251 (2004)Google Scholar
  17. 17.
    Busi, N., Gorrieri, R.: A survey on non-interference with petri nets. In: Desel, J., Reisig, W., Rozenberg, G. (eds.) Lectures on Concurrency and Petri Nets. LNCS, vol. 3098, pp. 328–344. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    Busi, N., Gorrieri, R.: Structural non-interference in elementary and trace nets. Math. Struct. Comput. Sci. 19(6), 1065–1090 (2009)zbMATHMathSciNetCrossRefGoogle Scholar
  19. 19.
    Movahednejad, H., Ibrahim, S.B., Sharifi, M., Selamat, H.B., Tabatabaei, S.G.H.: Security-aware web service composition approaches: State-of-the-art. In: 13th International Conference on Information Integration and Web-based Applications and Services, iiWAS 2011, pp. 112–121. ACM (2011)Google Scholar
  20. 20.
    She, W., Yen, I., Thuraisingham, B.M.: Enhancing security modeling for web services using delegation and pass-on. Int. J. Web Service Res. 7(1), 1–21 (2010)CrossRefGoogle Scholar
  21. 21.
    Demongeot, T., Totel, E., Traon, Y.L.: Preventing data leakage in service orchestration. In: 7th International Conference on Information Assurance and Security, IAS 2011, pp. 122–127 (2011)Google Scholar
  22. 22.
    Zorgati, H., Abdellatif, T.: Sewsec:a secure web service composer using information flow control. In: Sixth International Conference on Risks and Security of Internet and Systems, CRiSIS 2011, pp. 62–69 (2011)Google Scholar
  23. 23.
    Abdellatif, T., Sfaxi, L., Robbana, R., Lakhnech, Y.: Automating information flow control in component-based distributed systems. In: 14th International ACM Sigsoft Symposium on Component Based Software Engineering, CBSE 2011, pp. 73–82. ACM (2011)Google Scholar
  24. 24.
    Reinhartz-Berger, I., Sturm, A., Clark, T., Cohen, S., Bettin, J. (eds.): Domain Engineering, Product Lines, Languages, and Conceptual Models. Springer, New York (2013)Google Scholar
  25. 25.
    Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: 22nd IEEE Computer Security Foundations Symposium, CSF 2009, pp. 43–59 (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Najah Ben Said
    • 1
  • Takoua Abdellatif
    • 3
  • Saddek Bensalem
    • 1
  • Marius Bozga
    • 2
  1. 1.University Grenoble Alpes, VERIMAGGrenobleFrance
  2. 2.CNRSVERIMAGGrenobleFrance
  3. 3.Tunisia Polytechnic SchoolUniversity of CarthageTunisTunisia

Personalised recommendations