Abstract
This chapter proposes ws-Attestation, an attestation architecture based upon a Web Services framework. The increasing prevalence of security breaches caused by malicious software shows that the conventional identity-based trust model is insufficient as a protection mechanism. It is unfortunately common for a computing platform in the care of a trustworthy owner to behave maliciously. Zombie computers used to send spam being a common example.
Specifications created by the Trusted Computing Group TCG [27, 26] introduced the concept of platform integrity attestation, by which a computing platform can prove its current configuration state to a remote verifier in a reliable manner. ws-Attestation allows Web Services providers and consumers to leverage this technology in order to make better informed business decisions based on the security of the other party.
Current TCG specifications define only a primitive attestation mechanism that has several shortcomings for use in real-world scenarios: attestation information is coarse grained; dynamic system states are not captured; integrity metrics are difficult to validate; platform state as of an attestation is not well bound to the platform state as of interaction and platform configuration information is not protected from attackers. We aim to provide a software-oriented, dynamic, and fine-grained attestation mechanism which leverages TCG and ws-Security technologies to increase trust and confidence in integrity reporting. In addition, the architecture allows binding of attestation with application context, privacy protection, and infrastructural support for attestation validation.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
W.A. Arbaugh, J. Farber, and J.M. Smith. A secure and reliable bootstrap architecture. In IEEE Computer Society Conference on Security and Privacy, pp. 65–71, 1997.
BM, BEA Systems, Microsoft, SAP AG, Sonic Software, and VeriSign. Web services policy framework (ws-policy), Sep 2004.
Cert/cc statistics 1988-2005. Accessed 2005. http://www.cert.org/stats/cert_stats.html.
IBM et al. Web services secure conversation language (ws-secureconversation), Feb 2005.
IBM et al. Web services trust language (ws-trust), Feb 2005.
T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In 19th ACM Symposium on Operating Systems Principles, 2003.
John L. Griffin, Trent Jaeger, Ronald Perez, Reiner Sailer, Leendert van Doorn, and Ramon Caceres. Trusted virtual domains: Toward secure distributed services. In Workshop on Hot Topics in System Dependability, 2005.
V. Haldar, D. Chandra, and M. Franz. Semantic remote attestation — a virtual machine directed approach to trusted computing. In 3rd Virtual Machine Research and Technology Symposium, May 2004.
IBM. Web services federation language (ws-federation), Jul 2003.
IBM, Microsoft, RSA Security, and VeriSign. Web services security policy language (ws-securitypolicy).
IBM, BEA Systems, Microsoft, SAP AG, Computer Associates, Sun Microsystems, and webMethods. Web services metadata exchange (ws-metadataexchange), Sep 2004. http://www-128.ibm.com/developerworks/library/specification/ws-mex/.
IBM, BEA Systems, Microsoft, Arjuna, and Hitachi. Web services transactions specifications, Nov 2004.
Microsoft IBM. Security in a web services world: A proposed architecture and roadmap, Apr 2002. http://www-128.ibm.com/developerworks/library/specification/ws-secmap/.
Ibm service management framework. http://www-306.ibm.com/software/wireless/smf/.
Java cryptography extension (jce). http://java.sun.com/products/jce/.
Linux intrusion detection system (lids). http://www.lids.org/.
Open vulnerability and assessment language. http://oval.mitre.org/.
OSGi alliance. http://www.osgi.org/.
W3C Recommendation. Soap version 1.2, Jun 2004. http://www.w3.org/TR/soap/.
W3C Candidate Recommendation. Web services description language (wsdl) version 2.0 part 0: Primer, Mar 2006. http://www.w3.org/TR/2006/CR-wsdl20-primer-20060327/.
Redhat enterprise linux. http://www.redhat.com/.
A. Sadeghi and C. Stüble. Property-based attestation for computing platforms: Caring about properties, not mechanisms. In 2004 Workshop on New Security Paradigms (NSPW 2004), pages 67–77, 2004.
R. Sailer, T. Jaeger, X. Zhang, and L. Van Doorn. Attestation-based policy enforcement for remote access. In 11th ACM Conference on Computer and Communications Security, pages 308–317, Oct 2004.
R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a tcg-based integrity measurement architecture. In 13th USENIX Security Symposium, pages 223–238, Aug 2004.
Tcg software stack specification version 1.2. http://www.trustedcomputing.org/specs/TSS.
Tcg specification architecture overview, revision 1.2. Trusted Computing Group, Apr 2004. Available at https://www.trustedcomputinggroup.org/groups/TCG_1_0_Architecture_Overview.pdf.
Trusted computing platform alliance main specification, version 1.1b. Trusted Computing Group, Feb 2002. https://www.trustedcomputinggroup.org/specs/TPM.
Uddi spec technical committee draft, version 3.02, Oct 2004. http://www.oasis-open.org/.
Yuji Watanabe, Sachiko Yoshihama, Takuya Mishina, Michiharu Kudo, , and Hiroshi Maruyama. Bridging the gap between inter-communication boundary and inside trusted components. In 11th European Symposium on Research in Computer Security(ESORICS 2006), LNCS. Springer, 2006.
Web service security: Soap messaging security 1.0 (ws-security 2004). OASIS Standard 200401, Mar 2004.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Yoshihama, S., Ebringer, T., Nakamura, M., Munetoh, S., Mishina, T., Maruyama, H. (2007). ws-Attestation: Enabling Trusted Computing on Web Services. In: Baresi, L., Nitto, E.D. (eds) Test and Analysis of Web Services. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72912-9_15
Download citation
DOI: https://doi.org/10.1007/978-3-540-72912-9_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72911-2
Online ISBN: 978-3-540-72912-9
eBook Packages: Computer ScienceComputer Science (R0)