Lightweight Information Flow Control for Web Services

  • Bartosz Brodecki
  • Michał Kalewski
  • Piotr Sasak
  • Michał Szychowiak
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7204)


This paper presents a concept of incorporating information flow control (IFC) mechanisms into service-oriented systems. As opposed to existing IFC proposals, commonly imposing requirements hard or impossible to achieve in service-oriented environments (such as analysis of the application code), our solution fully complies with the Service Oriented Architecture (SOA) model. We present how IFC can be managed in an SOA system by using ORCA security policy language. We also describe two possible implementations of such SOA-specific IFC mechanisms using cryptographic keys and poly-instantiated web services.


Security Policy Security Level Information Category Digital Right Management Service Instance 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bell, D.E., LaPadula, L.: Secure computer systems. Tech. Rep. ESR-TR-73-278, Mitre Corporation (November 1973)Google Scholar
  2. 2.
    Brodecki, B., Sasak, P., Szychowiak, M.: Security Policy Definition Framework for SOA-Based Systems. In: Vossen, G., Long, D.D.E., Yu, J.X. (eds.) WISE 2009. LNCS, vol. 5802, pp. 589–596. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    ContentGuard: extensible rights markup language, XrML (2002),
  4. 4.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19, 236–243 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  5. 5.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, p. 11 (1982)Google Scholar
  6. 6.
    ISO/IEC: Information technology - open systems interconnection - security frameworks for open systems: Access control framework (1966)Google Scholar
  7. 7.
    Li, B.: Analyzing information-flow in java program based on slicing technique. SIGSOFT Softw. Eng. Notes 27, 98–103 (2002)CrossRefGoogle Scholar
  8. 8.
    MacKenzie, C.M., Laskey, K., McCabe, F., Brown, P., Metz, R.: Reference model for Service Oriented Architecture. OASIS Committee Draft 1.0, OASIS Open (2006)Google Scholar
  9. 9.
    Microsoft: Windows communication foundation,
  10. 10.
    Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9, 410–442 (2000)CrossRefGoogle Scholar
  11. 11.
    She, W., Yen, I.L., Thuraisingham, B., Bertino, E.: The SCIFC Model for Information Flow Control in Web Service Composition. In: Proceedings of the 2009 IEEE International Conference on Web Services, ICWS 2009, pp. 1–8. IEEE Computer Society, Washington, DC, USA (2009)CrossRefGoogle Scholar
  12. 12.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1998, pp. 355–364. ACM, New York (1998)CrossRefGoogle Scholar
  13. 13.
    Volpano, D.M., Smith, G.: A Type-based Approach to Program Security. In: Bidoit, M., Dauchet, M. (eds.) CAAP/FASE/TAPSOFT 1997. LNCS, vol. 1214, pp. 607–621. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  14. 14.
    Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J., Waldbusser, S.: Terminology for Policy-Based Management. RFC 3198 (Informational) (November 2001),
  15. 15.
    Xu, B., Qian, J., Zhang, X., Wu, Z., Chen, L.: A brief survey of program slicing. SIGSOFT Softw. Eng. Notes 30, 1–36 (2005)Google Scholar
  16. 16.
    Yildiz, U., Godart, C.: Information Flow Control with Decentralized Service Compositions. In: ICWS 2007, pp. 9–17. IEEE (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bartosz Brodecki
    • 1
  • Michał Kalewski
    • 1
  • Piotr Sasak
    • 1
  • Michał Szychowiak
    • 1
  1. 1.Poznań University of TechnologyPoznańPoland

Personalised recommendations