Application of Model Checking to AXML System’s Security: A Case Study

  • Conference paper
Web Services and Formal Methods (WS-FM 2006)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 4184)

Abstract

Active XML (AXML for short) has been developed to provide efficient data management and integration by allowing Web service calls to be embedded in XML documents. AXML documents raise new security issues because of the possibility of malicious documents and attackers. To solve this security problem, document-level security with embedded service calls has been proposed to overcome the limitation of traditional security protocols.

The aim of this paper is to show how existing model checking techniques, based on CSP and FDR and used for traditional message-based security protocols, can be adapted to specify and verify AXML document-based security. To illustrate our approach, we present a framework for modelling and analyzing the security of AXML documents. We then demonstrate how this technique can be applied to analyze the electronic patient record taken from [13]. Finally, we show the possible vulnerabilities due to a delegated query and a malicious service call.

This work is supported by the INRIA projects ARC-ASAX and RNRT-SWAN.

References

  1. Abiteboul, S., Benjelloun, O., Cautis, B., Manolescu, I., Milo, T., Preda, N.: Lazy Query Evaluation for Active XML. In: Proceedings of ACM SIGMOD Conference, pp. 227–238 (2004)

  2. Abiteboul, S., Manolescu, I., Taropa, F.: A Framework for Distributed XML Data Management. In: Ioannidis, Y., Scholl, M.H., Schmidt, J.W., Matthes, F., Hatzopoulos, M., Böhm, K., Kemper, A., Grust, T., Böhm, C. (eds.) EDBT 2006. LNCS, vol. 3896, pp. 1049–1058. Springer, Heidelberg (2006)

  3. Active XML Home Page (AXML) (2004), http://activexml.net

  4. Bhargavan, K., Fournet, C., Gordon, A.D., Pucella, R.: TulaFale: A security tool for web services. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 197–222. Springer, Heidelberg (2004)

  5. Abiteboul, S., Alexe, B., Benjelloun, O., Cautis, B., Fundulaki, I., Milo, T., Sahuguet, A.: An Electronic Patient Record on Steroids: Distributed, Peer-to-Peer, Secure and Privacy-conscious. In: Proceedings of the 30th VLDB Conference, pp. 1273–1276 (2004)

  6. Abiteboul, S., Benjelloun, O., Cautis, B., Milo, T.: Active XML, Security and Access Control. In: Proceedings of the SBBD Workshop, pp. 13–22 (2004)

  7. Eastlake, D., Reagle, J., Imamura, T., Dillaway, B., Simon, E.: XML-Encryption Syntax and Processing, W3C Recommendation (2001)

  8. Eastlake, D., Reagle, J., Solo, D., Bartel, M., Boyer, J., Fox, B., LaMacchia, B., Simon, E.: XML-Signature Syntax and Processing, W3C Recommendation (2002)

  9. Hoare, C.A.R.: Communicating Sequential Processes (1985)

  10. Hui, M.L., Lowe, G.: Fault-preserving Simplifying Transformations for Security Protocols. Journal of Computer Security 9(1/2), 3–46 (2001)

  11. Formal Systems (Europe) Ltd. FDR2 User Manual (August 1999)

  12. IBM, Microsoft, and VeriSign, Web Services Security (WS-Security), Version 1.0 (April 2002)

  13. Kim, I.G., Biswas, D.: Secure Data Management based on AXML Document: Electronic Patient Record (submitted, 2006)

  14. Kleiner, E., Roscoe, A.W.: Web Services Security: a preliminary study using Casper and FDR. In: Proceedings of Automated Reasoning for Security Protocol Analysis (ARSPA 2004) (2004)

  15. Kleiner, E., Roscoe, A.W.: On the Relationship between Web Services Security and Traditional Protocols. In: DIMACS Workshop on Security of Web Services and E-Commerce (2005)

  16. Tobarra, L., Cazorla, D., Cuartero, F., Diaz, G.: Application of Formal Methods to the Analysis of Web Services Security. In: 2nd International Workshop on Web Services and Formal Methods, pp. 215–229 (2005)

  17. Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)

  18. Lowe, G.: A Compiler for the Analysis of Security Protocols. In: Proceedings of the 10th Computer Security Foundations Workshop (1997)

  19. Microsoft, Microsoft Web Services Enhancements (WSE) 2.0, In: Proceedings of ACM SIGMOD, pp. 289–300 (2003), http://msdn.microsoft.com/webservices/building/wse

  20. Ryan, P.Y.A., Schneider, S.A.: Modelling and Analysis of Security Protocols: The CSP Approach. Addison-Wesley, Reading (2001)

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, IG., Biswas, D. (2006). Application of Model Checking to AXML System’s Security: A Case Study. In: Bravetti, M., Núñez, M., Zavattaro, G. (eds) Web Services and Formal Methods. WS-FM 2006. Lecture Notes in Computer Science, vol 4184. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11841197_16

  • DOI: https://doi.org/10.1007/11841197_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-38862-3

  • Online ISBN: 978-3-540-38865-4

  • eBook Packages: Computer Science, Computer Science (R0)