Information Flow Control to Secure Dynamic Web Service Composition

  • Dieter Hutter
  • Melanie Volkamer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3934)

Abstract

The vision of a landscape of heterogeneous web services deployed as encapsulated business software assets in the Internet is currently becoming a reality as part of the Semantic Web. When pro-active agents handle the context-aware discovery, acquisition, composition, and management of application services and data, ensuring the security of customers’ data becomes a principle task. To dynamically compose its offered service, an agent has to process and spread confidential data to other web services demanding the required degree of security. In this paper we propose a methodology based on type-based information flow to control the security of dynamically computed data and their proliferation to other web services.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Baader, F., Horrocks, I., Sattler, U.: Description logics as ontology languages for the semantic web. In: Hutter, D., Stephan, W. (eds.) Mechanizing Mathematical Reasoning. LNCS (LNAI), vol. 2605, Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Bell, D.E., LaPadula, L.: Secure computer systems: Unified exposition and multics interpretation. Technical Report MTR-2997, MITRE (1976)Google Scholar
  3. 3.
    Benjamins, V.R., Plaza, E., Motta, E., Fensel, D., Studer, R., Wielinga, B., Schreiber, G., Zdrahal, Z.: Ibrow3 - an intelligent brokering service for knowledge-component reuse on the world wide web. In: 11th Knowledge Acquisition for Knowledge-Based System Workshop (KAW 1998) (1998)Google Scholar
  4. 4.
    Berners-Lee, T., Hendler, J.,, J., Lassila, O.: The semantic web, Scientific American (May 2001)Google Scholar
  5. 5.
    Bonatti, P.A., De Capitani di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Transactions on Information and System Security 5(1), 1–35 (2002)CrossRefGoogle Scholar
  6. 6.
    Bryson, J., Martin, D., McIlraith, S.I., Stein, L.A.: Agent-based composite services in DAML-S: The behavior-oriented design of an intelligent semantic web. In: Zhong, N., Liu, J., Lao, Y. (eds.) Web Intelligence, Springer, Heidelberg (2002)Google Scholar
  7. 7.
    DAML-S DARPA agent markup language for services, version 0.9, http://www.daml.org/services/daml-s/0.9/daml-s.html
  8. 8.
    Dulay, N., Damianou, N., Lupu, E., Sloman, M.: A policy language for the management of distributed agents. In: Agent Oriented Software Engineering, AOSE, pp. 84–100. Springer, Heidelberg (2001)Google Scholar
  9. 9.
    Goguen, J.A., Meseguer, J.: Security Policies and Security Models. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 11–20 (1982)Google Scholar
  10. 10.
    Goguen, J.A., Meseguer, J.: Inference Control and Unwinding. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 75–86 (1984)Google Scholar
  11. 11.
    IBM and Microsoft. Security in a Web Service World: A proposed architecture and roadmap (April 2002), www-106.ibm.com/developerworks/webservices/library/ws-secmap
  12. 12.
    Kagal, L., Finin, T., Joshi, A.: Trust based security for pervasive computing enviroments. IEEE Computer 24(12), 154–157 (2001)CrossRefGoogle Scholar
  13. 13.
    Kagal, L., Finin, T., Joshi, A.: Developing secure agent systems using delegation based trust management. In: Fischer, K., Hutter, D. (eds.) Security of Mobile MultiAgent Systems (SEMAS 2002) held at Autonomous Agents and MultiAgent Systems (AAMAS 2002) (2002)Google Scholar
  14. 14.
    Klusch, M., Gerber, A., Schmidt, M.: Semantic web service composition planning with owls-xplan. In: 1st Intl. AAAI Fall Symposium on Agents and the Semantic Web (2005)Google Scholar
  15. 15.
    Lamanna, D.D., Skene, J., Emmerich, W.: Slang: A language for defining service level agreements. In: IEEE Workshop on Future Trends of Distributed Computing Systems, FTDCS, p. 100 (2003)Google Scholar
  16. 16.
    Mantel, H.: Possibilistic Definitions of Security – An Assembly Kit. In: Proceedings of the IEEE Computer Security Foundations Workshop, Cambridge, UK, pp. 185–199 (2000)Google Scholar
  17. 17.
    McLean, J.D.: Proving Noninterference and Functional Correctness using Traces. Journal of Computer Security 1(1), 37–57 (1992)CrossRefGoogle Scholar
  18. 18.
    McLean, J.D.: A general theory of composition for trace sets closed under selective interleaving functions. In: Proceedings of IEEE Symposium on Security and Privacy, IEEE Computer Society, Los Alamitos (1994)Google Scholar
  19. 19.
    OWL ontology web language, w3c standard technical recommendation (2003), http://www.w3.org/TR/,/WD-owl-ref-20030331/
  20. 20.
    Patwardhan, A., Korolev, V., Kagal, L., Joshi, A.: Enforcing policies in pervasive environments. In: MobiQuitous, pp. 299–308 (2004)Google Scholar
  21. 21.
    Peer, J.: Web service composition as ai planning - a survey. Technical report, University of St. Gallen (March 2005)Google Scholar
  22. 22.
    Ramchurn, S.D., Huynh, D., Jennings, N.R.: Trust in multi-agent systems. The Knowledge Engineering Review 19(1), 1–25 (2004)CrossRefGoogle Scholar
  23. 23.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1) (2003)Google Scholar
  24. 24.
    Sheshagiri, M., desJardins, M., Finin, T.: A planner for composing services described in DAML-S. In: Proceedings of AAMAS 2003 Workshop on Web Services and Agent-Based Engineering (2003)Google Scholar
  25. 25.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: Conference Record of POPL 1998: The 25TH ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Diego, California, pp. 355–364. New York, NY (1998)Google Scholar
  26. 26.
    Stufflebeam, W.H., Antón, A.I., He, Q., Jain, N.: Specifying privacy policies with p3p and epal: lessons learned. In: Workshop on Privacy in the Electronic Society, WPES, p. 35 (2004)Google Scholar
  27. 27.
    Uszok, A., Bradshaw, J.M., Jeffers, R., Tate, A., Dalton, J.: Applying kaos services to ensure policy compliance for semantic web services workflow composition and enactment. In: International Semantic Web Conference, pp. 425–440 (2004)Google Scholar
  28. 28.
    Volpano, D.M., Smith, G.: A sound type system for secure flow analysis. Journal of Computer Security 4(3), 167–187 (1996)CrossRefGoogle Scholar
  29. 29.
    Volpano, D.M., Smith, G.: A type-based approach to program security. In: TAPSOFT, pp. 607–621 (1997)Google Scholar
  30. 30.
    Waldinger, R.: Deductive composition of web software agents. In: Rash, J.L., Rouff, C.A., Truszkowski, W., Gordon, D.F., Hinchey, M.G. (eds.) FAABS 2000. LNCS (LNAI), vol. 1871, Springer, Heidelberg (2001)CrossRefGoogle Scholar
  31. 31.
    Wu, D., Parsia, B., Sirin, E., Hendler, J., Nau, D.: Automating DAML-S web services composition using SHOP2. In: Proceedings of the 2nd International Semantic Web Conference (ISWC 2003), Sanibel Island, Florida, USA, October 2003, pp. 20–23 (2003)Google Scholar
  32. 32.
    Zakinthinos, A., Lee, E.S.: A General Theory of Security Properties. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 94–102 (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Dieter Hutter
    • 1
  • Melanie Volkamer
    • 1
  1. 1.German Research Center for Artificial Intelligence (DFKI GmbH)SaarbrückenGermany

Personalised recommendations