Business System Management and Engineering, pp. 93-108
Container-Level Security Certification of Services
Abstract
The increasing success of the Service-Oriented Architecture (SOA) paradigm has fostered the implementation of complex services, including business processes, via dynamic selection and composition of remote services that each provide a single functionality. Run-time selection and composition of services require the deployment of high-level security standards for the SOA infrastructure, to increase the confidence of both service consumers and providers that the services satisfy their security requirements and behave as expected. In this context, certification can play a fundamental role and provide the evidence that a set of properties holds for a given service. Security certification of services can involve two different aspects: i) the evaluation of the container in which the service is deployed, in terms of compliance with web service security standards and policies; ii) the verification and validation of the service implementation. In this chapter, we focus on the first aspect and provide an overview of container-level certification of services.
Keywords
Security Property, Generate Test Case, Simple Object Access Protocol, Security Pattern, Extended Finite State Machine