Security Issues in Service Composition

  • Massimo Bartoletti
  • Pierpaolo Degano
  • Gian Luigi Ferrari
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4037)


We use a distributed, enriched λ-calculus for describing networks of services. Both services and their clients can protect themselves by imposing security constraints on each other's behaviour. Service interaction then results in a call-by-property mechanism that matches client requests with services. A static approach is also described that determines how to compose services while guaranteeing that their execution is always secure, without resorting to any dynamic check.


Keywords: Service Composition; Security Policy; Service Request; Service Selection; Billing Service

These keywords were added by machine and not by the authors.


Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Massimo Bartoletti (1)
  • Pierpaolo Degano (1)
  • Gian Luigi Ferrari (1)

  1. Dipartimento di Informatica, Università di Pisa, Italy
