
On the Security Expressiveness of REST-Based API Definition Languages

  • Hoai Viet Nguyen
  • Jan Tolsdorf
  • Luigi Lo Iacono
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10442)

Abstract

Modern software is inherently distributed. Applications are decomposed into functional components, most of which are provided by third parties and deployed as software services scattered across the network. Service consumers can discover and orchestrate the available services flexibly and on the fly. This requires a standardized specification of a service's functionality. Beyond the functional aspects, such an interface definition language must also be able to express important non-functional facets, security among them. For the SOAP domain, WSDL and WS-Security provide such a standardized service description language and a mature security framework. For REST-based web services, comparable standards are missing. To fill this gap, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The results reveal substantial limitations in all analyzed specification languages.
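As an added example (not code from the paper, nor from any of the projects it analyzes), the following Python linter shows what one of the REST description languages in scope, OpenAPI 2.0 (Swagger), can state about security and where a policy a practitioner would want has no native vocabulary. OpenAPI 2.0 offers three scheme types (basic, apiKey, oauth2), global or per-operation `security` requirements, and a list of transport `schemes`; an HMAC request-signing scheme or a rule that TLS is mandatory for a particular credential can only be approximated by an opaque apiKey header or free-text description. The sample specification, its scheme names, URLs and paths are constructed for the illustration and are assumptions; operation-level `schemes` overrides are ignored to keep the example short.

```python
"""Lint the security expressiveness of an OpenAPI 2.0 (Swagger) document.

Added example, not code from the paper. It reports both what the document
expresses (scheme types, requirements, transport) and where the language
runs out of vocabulary for the policy an operator actually needs.
"""
from typing import Dict, List

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")

# Constructed sample document for a fictitious object-storage API (assumption).
SAMPLE_SPEC: Dict = {
    "swagger": "2.0",
    "info": {"title": "Object storage (sample)", "version": "1.0"},
    "schemes": ["http", "https"],
    "securityDefinitions": {
        "basicAuth": {"type": "basic"},
        "queryKey": {"type": "apiKey", "in": "query", "name": "key"},
        "oauth": {
            "type": "oauth2", "flow": "accessCode",
            "authorizationUrl": "https://auth.example/authorize",
            "tokenUrl": "https://auth.example/token",
            "scopes": {"read": "read objects", "write": "write objects"},
        },
        # An HMAC request signature has no OpenAPI 2.0 type; the closest
        # approximation is an opaque apiKey carried in the Authorization header.
        "hmacSig": {"type": "apiKey", "in": "header", "name": "Authorization",
                    "description": "HMAC-SHA256 over method, path, date, body"},
    },
    "security": [{"basicAuth": []}],            # default for every operation
    "paths": {
        "/objects": {
            "get": {"security": [{"oauth": ["read"]}]},
            "put": {"security": [{"oauth": ["write"]}, {"hmacSig": []}]},
        },
        "/health": {"get": {"security": []}},    # explicitly anonymous
        "/admin": {"delete": {}},                # inherits basicAuth
        "/search": {"get": {"security": [{"queryKey": []}, {"oauth": ["admin"]}]}},
    },
}


def _check_requirement(defs: Dict, schemes: List[str], name: str,
                       scopes: List[str], where: str, findings: List[str]) -> None:
    """Evaluate one named scheme of one security requirement."""
    d = defs.get(name)
    if d is None:
        findings.append(f"{where}: references undefined scheme '{name}'")
        return
    t = d.get("type")
    if t == "basic" and "http" in schemes:
        findings.append(f"{where}: basic credentials may travel over plain http")
    elif t == "apiKey":
        if d.get("in") == "query":
            findings.append(f"{where}: apiKey '{name}' in query string leaks into logs and referers")
        if d.get("name", "").lower() == "authorization":
            findings.append(f"{where}: '{name}' uses Authorization header as opaque apiKey; "
                            "signing semantics are not expressible, only described")
    elif t == "oauth2":
        unknown = sorted(set(scopes) - set(d.get("scopes", {})))
        if unknown:
            findings.append(f"{where}: scopes {unknown} not declared on '{name}'")


def lint_security(spec: Dict) -> List[str]:
    """Return human-readable findings in deterministic (path, method) order."""
    findings: List[str] = []
    schemes = spec.get("schemes", [])
    defs = spec.get("securityDefinitions", {})
    if "http" in schemes:
        findings.append("transport: plain http is allowed; OpenAPI 2.0 cannot require TLS per credential")
    global_req = spec.get("security")
    for path in sorted(spec.get("paths", {})):
        for method in HTTP_METHODS:
            op = spec["paths"][path].get(method)
            if op is None:
                continue
            where = f"{method.upper()} {path}"
            reqs = op.get("security", global_req)   # operation overrides global
            if reqs is None:
                findings.append(f"{where}: no security requirement at any level")
                continue
            if reqs == []:
                findings.append(f"{where}: explicitly anonymous")
                continue
            for alternative in reqs:                # list entries are OR-ed alternatives
                for name, scopes in alternative.items():
                    _check_requirement(defs, schemes, name, scopes, where, findings)
    return findings


def unauthenticated_operations(spec: Dict) -> List[str]:
    """Operations callable with no credential at all (empty or absent requirement)."""
    global_req = spec.get("security")
    out: List[str] = []
    for path in sorted(spec.get("paths", {})):
        for method in HTTP_METHODS:
            op = spec["paths"][path].get(method)
            if op is not None and not op.get("security", global_req):
                out.append(f"{method.upper()} {path}")
    return out


if __name__ == "__main__":
    for line in lint_security(SAMPLE_SPEC):
        print(line)
```

Run against the sample, the linter flags the plaintext transport, the inherited basic-auth default on `DELETE /admin`, the anonymous health check, the query-string key, an undeclared OAuth scope and the pseudo-apiKey standing in for request signing. The last finding is the point of the paper in miniature: the description can say that an `Authorization` header is required, but not what a valid value is or how a consumer should compute it.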

Keywords

REST, Service description language, Security, REST-Security


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Hoai Viet Nguyen, Cologne University of Applied Sciences, Cologne, Germany
  • Jan Tolsdorf, Cologne University of Applied Sciences, Cologne, Germany
  • Luigi Lo Iacono, Cologne University of Applied Sciences, Cologne, Germany
