International Conference on Tools and Algorithms for the Construction and Analysis of Systems

TACAS 2012: Tools and Algorithms for the Construction and Analysis of Systems pp 267–282Cite as

The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures

  • Alessandro Armando (1)
  • Wihem Arsac (2)
  • Tigran Avanesov (3)
  • Michele Barletta (4)
  • Alberto Calvi (4)
  • Alessandro Cappai (1)
  • Roberto Carbone (1)
  • Yannick Chevalier (5)
  • Luca Compagna (2)
  • Jorge Cuéllar (6)
  • Gabriel Erzse (7)
  • Simone Frau (8)
  • Marius Minea (7)
  • Sebastian Mödersheim (9, 10)
  • David von Oheimb (6)
  • Giancarlo Pellegrino (2)
  • Serena Elisa Ponta (1, 2)
  • Marco Rocchetto (4)
  • Michael Rusinowitch (3)
  • Mohammad Torabi Dashti (8)
  • Mathieu Turuani (3)
  • Luca Viganò (4)

Conference paper

Part of the Lecture Notes in Computer Science book series (LNTCS,volume 7214)

Abstract

The AVANTSSAR Platform is an integrated toolset for the formal specification and automated validation of trust and security of service-oriented architectures and other applications in the Internet of Services. The platform supports application-level specification languages (such as BPMN and our custom languages) and features three validation backends (CL-AtSe, OFMC, and SATMC), which provide a range of complementary automated reasoning techniques (including service orchestration, compositional reasoning, model checking, and abstract interpretation). We have applied the platform to a large number of industrial case studies, collected into the AVANTSSAR Library of validated problem cases. In doing so, we unveiled a number of problems and vulnerabilities in deployed services. These include, most notably, a serious flaw in the SAML-based Single Sign-On for Google Apps (now corrected by Google as a result of our findings). We also report on the migration of the platform to industry.

Keywords

  • Security Protocol
  • Security Goal
  • Business Process Modeling Notation
  • Connector Layer
  • Attack Trace



Author information

Authors and Affiliations

  1. AI-Lab, DIST, Università di Genova, Italy

    Alessandro Armando, Alessandro Cappai, Roberto Carbone & Serena Elisa Ponta

  2. SAP Research, Mougins, France

    Wihem Arsac, Luca Compagna, Giancarlo Pellegrino & Serena Elisa Ponta

  3. LORIA & INRIA Nancy Grand Est, France

    Tigran Avanesov, Michael Rusinowitch & Mathieu Turuani

  4. Department of Computer Science, University of Verona, Italy

    Michele Barletta, Alberto Calvi, Marco Rocchetto & Luca Viganò

  5. IRIT, Université Paul Sabatier, France

    Yannick Chevalier

  6. Siemens AG, Corporate Technology, Munich, Germany

    Jorge Cuéllar & David von Oheimb

  7. Institute e-Austria and Politehnica University, Timişoara, Romania

    Gabriel Erzse & Marius Minea

  8. Institute of Information Security, ETH Zurich, Switzerland

    Simone Frau & Mohammad Torabi Dashti

  9. IBM Zurich Research Laboratory, Switzerland

    Sebastian Mödersheim

  10. DTU, Lyngby, Denmark

    Sebastian Mödersheim


Editor information

Editors and Affiliations

  1. University of California at Santa Cruz, 1156 High Street, 95064, Santa Cruz, CA, USA

    Cormac Flanagan

  2. Fakultät für Ingenieurwesen, Abteilung für Informatik und Angewandte Kognitionswissenschaft, Universität Duisburg-Essen, Lotharstraße 65, 47057, Duisburg, Germany

    Barbara König


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Armando, A. et al. (2012). The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures. In: Flanagan, C., König, B. (eds) Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2012. Lecture Notes in Computer Science, vol 7214. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28756-5_19

  • DOI: https://doi.org/10.1007/978-3-642-28756-5_19
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-642-28755-8
  • Online ISBN: 978-3-642-28756-5
