Protecting Software as a Service in the Clouds by Validation

  • Tien-Dung Cao
  • Kevin Chiew
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7759)

Abstract

The cloud computing has provided customers with various services at its SaaS layer though, few work has been done on the security checking of messages exchanged between a customer and a service provider at SaaS so as to protect SaaS. In this paper we propose a validation model to investigate the SaaS security issue. Rather than installing a set of probes as we have done for the testing web services, in this model we introduce a validation service that plays the role of a firewall and protects our SaaS by verifying the correctness of messages with respect to a set of predefined security rules and forwarding them to their real destinations if they pass the verification or rejecting them otherwise. We develop a prototype model based on the tool known as RV4WS which was developed in our early study on web service runtime verification, as well as a checking engine RVEngine to verify our checking algorithm for the model. A survey on how to use this model for the services deployed on Google App Engine, Window Azure and Oracle Java Cloud Service is also presented.

Keywords

SaaS Cloud Computing Security Checking Rule Specification 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Introduction to cloud computing architecture. White Paper, Sun Microsystems, 1st edn. (June 2009)Google Scholar
  2. 2.
    Lenk, A., Klems, M., Nimis, J., Tai, S., Sandholm, T.: What’s inside the cloud? an architectural map of the cloud landscape. In: ICSE Workshop on Software Engineering Challenges of Cloud Computing, pp. 23–31 (2009)Google Scholar
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
    Leucker, M., Schallhart, C.: A brief account of runtime verification. The Journal of Logic and Algebraic Programming 78(5), 193–303 (2009)CrossRefGoogle Scholar
  8. 8.
    Cavalli, A., Benameur, A., Mallouli, W., Li, K.: A passive testing approach for security checking and its pratical usage for web services monitoring. In: NOTERE 2009, Montreal, Canada (2009)Google Scholar
  9. 9.
    Cao, T.D., Castanet, R., Felix, P., Chiew, K.: An approach to automated runtime verification for timed systems: Applications to web services. Journal of Software 7(6), 1338–1350 (2012)CrossRefGoogle Scholar
  10. 10.
    Gruschka, N., Luttenberger, N.: Protecting Web Services from DoS Attacks by SOAP Message Validation. In: Fischer-Hubner, S., Rannenberg, K., Yngstrom, L., Lindskog, S. (eds.) Security and Privacy in Dynamic Environments. IFIP, vol. 201, pp. 171–182. Springer, Boston (2006)CrossRefGoogle Scholar
  11. 11.
    Salva, S., Laurencot, P., Rabhi, I.: An approach dedicated for web service security testing. In: 5th International Conference on Software Engineering Advances, Nice, France, August 22-27, pp. 494–500 (2010)Google Scholar
  12. 12.
    Morales, G., Maag, S., Cavalli, A., Mallouli, W., de Oca, E., Wehbi, B.: Timed extended invariants for the passive testing of web services. In: IEEE International Conference on Web Service, Miami, Florida, USA, pp. 592–599 (2010)Google Scholar
  13. 13.
    Chan, W., Mei, L., Zhang, Z.: Modeling and testing of cloud applications. In: IEEE Asia-Pacific Services Computing Conference, Singapore, December 7-11, pp. 111–118 (2009)Google Scholar
  14. 14.
    Endo, A.T., Simao, A.: Model-based testing of service-oriented applications via state models. In: IEEE International Conference on Services Computing, pp. 432–439 (2011)Google Scholar
  15. 15.
    Salva, S.: Passive testing with proxy tester. International Journal of Software Engineering and Its Applications 5(4), 1–16 (2011)Google Scholar
  16. 16.
    Using windows azure connect to integrate on-premises web services, http://msdn.microsoft.com/en-us/library/windowsazure/hh697512.aspx
  17. 17.
    Cao, T.D., Castanet, R., Felix, P., Morales, G.: Testing of web services: Tools and experiments. In: IEEE Asia-Pacific Services Computing Conference, Jeju, Korea, pp. 78–85 (December 2011)Google Scholar
  18. 18.
    Cao, T.D., Phan-Quang, T.T., Felix, P., Castanet, R.: Automated runtime verification for web services. In: IEEE International Conference on Web Services, Miami, Florida, USA, July 5-10, pp. 76–82 (2010)Google Scholar
  19. 19.
    Nguyen, K.D.: The development of a testing framework for web services. Master’s thesis, Poles Universitaire Française in Ho Chi Minh City (December 2010)Google Scholar
  20. 20.
    Cavalli, A., Gervy, C., Prokopenko, S.: New approaches for passive testing using an extended finite state machine specification. Information and Software Technology 45, 837–852 (2003)CrossRefGoogle Scholar
  21. 21.
    Hampi: A solver for string constraints, http://people.csail.mit.edu/akiezun/hampi/index.html
  22. 22.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Tien-Dung Cao
    • 1
  • Kevin Chiew
    • 1
  1. 1.School of EngineeringTan Tao UniversityVietnam

Personalised recommendations