Saturday, February 10, 2007

SOA Security and Secure Service Composition

One security issue that raises new challenges in a Service Oriented Architecture is secure service composition and secure service orchestration. This post presents a survey and discussion of current approaches to the problem. Service composition can involve complex patterns of service interaction and must also assure conformance to non-functional, or aspectual, requirements, including security policies and service level agreements (SLAs).

Bartoletti, Degano and Ferrari [1] have proposed an extended lambda-calculus with two primitives that represent the invocation of services conforming to certain security policies. These primitives are termed policy framings and come in two types: safety framings, by which a service protects itself from the service consumer, and liveness framings, by which a service consumer protects itself from the service. For motivation, they consider difficulties involved in service composition, or orchestration. One problem they pose is the composition of services from multiple providers that do not completely trust one another. The service needs to guarantee policy enforcement independent of the identity of the caller and for any operational interaction. The client, at the same time, must be able to protect sensitive data from unauthorized disclosure or tampering by the service. Their approach verifies policy framings by model-checking an over-approximation of all possible runtime program behaviors, which automates the established security practice of evaluating all possible program behaviors for security policy conformance. It does seem clear that secure service composition requires a corresponding security policy composition. The composed policy may or may not satisfy the security policy required by the client, so conformance of the composed policy with the client's required policy needs to be established before that service composition is selected for invocation. Whether accomplished automatically based on semantics or provided statically, a service composition's policy composition would be a prerequisite to determining that the service composition can provide a valid service level agreement to the client.

Sewell and Vitek [2] present an extended pi-calculus that expresses security policies as security wrappers, which are programs that control the interaction with trusted or untrusted components. They represent the possible information flows between components using a static type system. Within an SOA context, this would correspond to accomplishing a secure service composition by including a set of trusted and untrusted services along with security services that enforce the client's security requirements when calling the service composition. Untrusted services could be untrusted for not meeting specific security requirements such as authentication, authorization, message integrity, non-repudiation, etc., while possibly meeting other specific security requirements. The function of the security services that operate as security wrappers would be to mitigate any defect in conformance with the security requirements of the client.

Gorla, Hennessy and Sassone [3] present the concept of a membrane, which consists of a security policy and a trust level of the source site of the agent. The membrane allows execution of an agent from a trusted site after validating a digest of the agent's behavior, while requiring full code checking of a mobile agent originating from an untrusted source. This model could be extended for SOA if the services in question were exposed to code checking by a code checking service, with the policy validation results made available to the client through a broker. Alternatively, rather than automated code checking, the broker could verify that a service has been verified by some authority as conforming to a published security policy.

The composition of services is a subset of program generation, and an important goal of Semantic Web services is the automatic composition of services based on semantics. This raises the question of how to perform the dynamic composition of services in a secure manner.

Bartoletti, Degano and Ferrari [4] approach the problem of service composition from the perspective of plan generation. They note a limitation of existing standards for service orchestration such as BPEL4WS: they offer invocation of services only by names and signatures. They build on their previous work proposing service invocation by property [1], which could more readily support dynamic service creation, modification and withdrawal. Instead of considering the static service composition problem, they treat service composition as a plan creation problem. They consider plans of three types: simple plans with a one-to-one mapping of service to request, multi-choice plans that map requests onto sets of services, and dependent plans in which the selection of a service depends on previous choices. They apply the same extended lambda-calculus approach they used for static secure service composition to this problem. They introduce the idea of linearization to validate plans, so that the action of a particular service cannot violate a policy that only comes into effect later in the plan's execution, after that service has run. For multi-choice plans, they use a saturation approach to validate all possible execution paths. These multi-choice plans allow a service composition to operate even if component services become unavailable at runtime.
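The saturation check for multi-choice plans described above, combined with the earlier point (in the discussion of [1]) that a composition's combined behavior must conform to the client's policy before it is selected, as an added example in Python that is not code from the papers. Services, actions and policies are hypothetical; policies are history-based safety properties, and unavailable services can be dropped to see which simple plans survive as backups.

```python
from itertools import product
from typing import Callable, Dict, Sequence, Tuple
# Constructed model (not from [1] or [4]): a service is represented by the
# security-relevant actions it performs when invoked; names are hypothetical.
SERVICES: Dict[str, Tuple[str, ...]] = {
    "ldap_auth": ("auth",),
    "token_auth": ("auth",),
    "db_lookup": ("read_sensitive",),
    "cache_lookup": ("read_public",),
    "mail_notify": ("send_external",),
    "audit_log": ("log",),
}
History = Tuple[str, ...]
Policy = Callable[[History], bool]  # True if this execution history is allowed

# Client-side safety policies, stated over the history of actions so far.
def no_leak(h: History) -> bool:
    """Once sensitive data has been read, nothing may be sent externally."""
    return not any(a == "send_external" and "read_sensitive" in h[:i]
                   for i, a in enumerate(h))

def auth_first(h: History) -> bool:
    """Every read must be preceded by an authentication step."""
    return all("auth" in h[:i] for i, a in enumerate(h) if a.startswith("read"))

def conforms(history: History, policies: Sequence[Policy]) -> bool:
    """Safety policies must hold on every prefix, not only on the final history."""
    return all(p(history[:i]) for p in policies for i in range(len(history) + 1))

Plan = Sequence[Tuple[str, Sequence[str]]]  # (request, candidate services)

def saturate(plan: Plan, policies: Sequence[Policy], available=None):
    """Validate a multi-choice plan by saturation: enumerate every simple plan
    (one candidate per request) and keep those whose whole execution history
    conforms to all policies. `available` drops services that went away at
    run time; the simple plans that survive are the usable backups."""
    available = set(SERVICES) if available is None else set(available)
    choices = [[s for s in cands if s in available] for _, cands in plan]
    valid, rejected = [], []
    for pick in product(*choices):
        history = tuple(a for s in pick for a in SERVICES[s])
        (valid if conforms(history, policies) else rejected).append(pick)
    return valid, rejected

# Constructed client request: three requests, each with two candidate services.
PLAN: Plan = [
    ("authenticate", ["ldap_auth", "token_auth"]),
    ("lookup", ["db_lookup", "cache_lookup"]),
    ("notify", ["mail_notify", "audit_log"]),
]
```

Of the eight simple plans, the two that read sensitive records and then notify by external mail are rejected by `no_leak`; the remaining six are the compositions a broker may select, and the check is repeated on the reduced candidate sets when a service becomes unavailable.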

Bartoletti, Degano and Ferrari extend their approach to additional types of plans in [5]. These include dependent multi-choice plans, which combine the previously considered multi-choice plans and dependent plans. Two further types of plans extend the expressive power of their approach to address orchestration scenarios. Regular plans use regular expressions to express possible service invocation patterns. Dynamic plans are updated at run time based on conditions evaluated during program execution. They apply their work on static validation of these plan types to develop the concept of the trusted orchestrator. The trusted orchestrator provides clients with plans that always satisfy security requirements. They assert that their approach can work even if the clients and services are all untrusted, with the orchestrator being the only trusted entity in the network.

Grimm et al. [6] approach the problem of secure service composition from a dynamic content perspective. They are motivated by the fact that dynamic content built from mashups is easy to build but does not scale well. They propose a scalable, extensible and secure platform that sits near client systems, supports mixing and mashing, and hosts controlled code. They propose an architecture in which static content caching and dynamic content script execution are provided on edge servers to which DNS redirects users. This platform is termed an open edge-side computing network. Services are implemented as scripts in their environment, and security policies are expressed using the same code constructs as the services, allowing the security policies to be extended. The approach also ensures that security policy enforcement is an integral component of service processing. Services are isolated from one another, and resources are allocated based on overall system bandwidth consumption. The services are implemented as event handlers and linked together in pipelines. Services are implemented in a standardized way, with every service containing administrative control components that can be redeployed across the network in order to protect against new exploits or threats. While their architecture is intended specifically for dynamic content producers and consumers in organizations with limited resources, using light-weight scripts, the approach of hosting services close to the users along with static content caching might have wider applications. Edge-side computing networks might be used to host services that process more complex transactions and data. Services could be load-balanced on the network based on geographically-based demand. Service capacity for services with different peak load times would migrate based on demand. This approach could be implemented by large organizations such as global corporations or the U.S. Federal Government.
Security services would follow the same pattern, based on demand and policy conformance. The same service at one peak load time or geographical location may have a different mix of security policy levels than at other peak load times or geographical locations. For example, users in Wi-Fi hotspots might require different security policies than users of dialup or high-speed Internet connections. The same ability to dynamically update security services across the network in response to new exploits or threats would make it possible to dynamically alter the security posture of one or more virtual organizations.

Gu, Nahrstedt and Yu [7] address the issue of secure service composition in service-oriented peer-to-peer systems. The security challenges they address are the requirement of decentralization and the dynamic nature of peer arrivals and departures, and they treat fault tolerance and quality of service as security concerns. When services start, a composition probing protocol is applied to deliver a service composition meeting quality and resource usage requirements. Their approach uses backup compositions to handle fault tolerance, and supports changeable orders within compositions, in which services are connected using directed acyclic graphs, in application domains including pervasive content distribution and collaborative scientific computation. They propose a peer-to-peer service overlay where services such as format translation of media files, data filtering and routing are provided by peers. The security advantage noted is the ability to avoid mobile code. Service compositions are created on these service overlays based on quality of service requirements. A composite service request consists of a function graph and a set of quality of service requirements. Their future directions include introducing distributed trust management to their approach. Their approach seems amenable to enhancing the composition request with a security policy component alongside the quality of service requirements. The backup composition approach seems to have wide applicability to other kinds of SOA applications such as supply chain processing, ubiquitous computing and VoIP. Backup compositions could be activated not only if services become unavailable but also if they fall below the quality of service levels provided by alternate services or their security credentials are revoked.

Bharadwaj and Mukhopadhyay [8] describe an approach using formal methods to develop discovery and composition of Web services that use an agent-based approach to meet security, situation-awareness and survivability requirements. Autonomous agents termed situation-aware ambients are responsible for discovering and composing services in response to situation changes. They argue that intelligent software agents provide the best foundation for dependability and security in distributed systems.

Hutter and Volkamer [9] present an approach to securing Web service composition using the Semantic Web as a foundation. They stress securing the information flow as opposed to the standard access control approach to securing services. They note that Trojan horses and other hidden-channel-based information leakage can occur even if access control is implemented. They outline two major problems with an access control based approach. The first is that there are no standardized security labels for data or services, since there is no authority to establish them. The result is that clients and services have their own interpretations of how data is to be processed. There must be a dynamic composition of security policies to go along with the dynamic composition of services. The second problem they outline with access control is that the dynamic composition of Web services results in the dynamic composition of data types, which in turn requires dynamic determination of the security requirements for handling the data. Their approach associates type information with data in order to represent security requirements such as confidentiality. Using their approach, Web services can only process data if they conform to the security requirements for processing that data. Their approach leverages previous Artificial Intelligence research on planning in order to dynamically generate service compositions. Compositions are allowed if the data security categories and service security policies match. They use a type calculus to give services the ability to prove whether they will violate security policy requirements. The approach treats services as external procedure calls for the purposes of code security analysis.
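The contrast Hutter and Volkamer draw between access control and information-flow control, as an added Python example that is not the paper's calculus. Each service carries a clearance and the label it declares on its output (hypothetical labels and service names); the per-call access-control check accepts the constructed composition, while the flow check, which propagates the join of input labels through the composition DAG, rejects the step that launders patient data into a public channel.

```python
from typing import Dict, List, Tuple
# Constructed three-level confidentiality lattice (a total order here, so the
# join of labels is their maximum). Labels and service names are hypothetical.
RANK = {"public": 0, "internal": 1, "confidential": 2}

def leq(a: str, b: str) -> bool:
    return RANK[a] <= RANK[b]
def join(*labels: str) -> str:
    return max(labels, key=RANK.__getitem__)

# Service policy = (clearance, declared_output): the highest label it may process,
# and the label it puts on its output, which is all access control has to go on.
Service = Tuple[str, str]
Edge = Tuple[str, str]  # (producer, consumer) in the composition DAG

def access_control_check(services: Dict[str, Service], edges: List[Edge]) -> List[Edge]:
    """Per-call access control: a consumer is authorised if it is cleared for the
    label the producer *declares*. Returns the edges that would be refused."""
    return [(p, c) for p, c in edges if not leq(services[p][1], services[c][0])]

def flow_check(services: Dict[str, Service], edges: List[Edge], order: List[str]):
    """Information-flow check over the DAG (`order` is a topological order): a
    service's output carries the join of everything it read, whatever it declares,
    and it may only receive data within its clearance. Returns (violations, labels)."""
    label: Dict[str, str] = {}
    violations: List[Tuple[str, str]] = []
    for node in order:
        clearance, declared = services[node]
        inputs = [label[p] for p, c in edges if c == node]
        if not inputs:  # a source: its data carries the label it declares
            label[node] = declared
            continue
        incoming = join(*inputs)
        if not leq(incoming, clearance):
            violations.append((node, incoming))
        label[node] = join(incoming, declared)  # no silent declassification
    return violations, label

# Constructed composition: report_gen reads patient records but declares its
# report "public", so a public mailer downstream looks authorised to receive it.
SERVICES: Dict[str, Service] = {
    "patient_db": ("confidential", "confidential"),
    "weather_feed": ("public", "public"),
    "report_gen": ("confidential", "public"),
    "public_mailer": ("public", "public"),
    "archive": ("confidential", "confidential"),
}
EDGES: List[Edge] = [("patient_db", "report_gen"), ("weather_feed", "report_gen"),
                     ("report_gen", "public_mailer"), ("report_gen", "archive")]
ORDER = ["patient_db", "weather_feed", "report_gen", "public_mailer", "archive"]
```

A composition is accepted only when `flow_check` reports no violations; here the access-control pass refuses nothing, but the propagated label of the report is confidential and the public mailer is flagged.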

[1] Bartoletti, Massimo, Pierpaolo Degano and Gian Luigi Ferrari, Enforcing Secure Service Composition, Proceedings of the 18th Computer Security Foundations Workshop (CSFW), 2005.
[2] Sewell, P. and J. Vitek, Secure Composition of Untrusted Code: Box-Pi, Wrappers and Causality Types, Journal of Computer Security, 11(2), 2003.
[3] Gorla, D., M. Hennessy and V. Sassone, Security Policies as Membranes in Systems for Global Computing, Foundations of Global Ubiquitous Computing Workshop, 2004.
[4] Bartoletti, Massimo, Pierpaolo Degano and Gian Luigi Ferrari, Plans for Service Composition, Workshop on Issues in the Theory of Security (WITS), 2006.
[5] Bartoletti, Massimo, Pierpaolo Degano and Gian Luigi Ferrari, Security Issues in Service Composition, Invited Talk at FMOODS 2006.
[6] Grimm, Robert, Guy Lichtman, Nikolaos Michalakis, Amos Elliston, Adam Kravetz, Jonathan Miller and Sajid Raza, Na Kika: Secure Service Execution and Composition in an Open Edge-Side Computing Network, Proceedings of the 3rd USENIX Symposium on Networked Systems Design and Implementation, pp. 169-182, San Jose, California, May 2006.
[7] Gu, Xiaohui, Klara Nahrstedt and Bin Yu, SpiderNet: An Integrated Peer-to-Peer Service Composition Network, 13th IEEE International Symposium on High-Performance Distributed Computing, 2004.
[8] Bharadwaj, Ramesh and Supratik Mukhopadhyay, Position Paper: Formal Methods for Developing Adaptable, Secure, Situation-Aware Service-Oriented Architectures, Workshop on Web Services Semantics, 14th International World Wide Web Conference, 2005.
[9] Hutter, Dieter and Melanie Volkamer, Information Flow Control to Secure Dynamic Web Service Composition, Proceedings of the 3rd International Conference on Security in Pervasive Computing, SPC-2006, Springer-Verlag, LNCS 3934, 2006.