Multi-dimensional Secure Service Orchestration

  • Conference paper
Business Process Management Workshops (BPM 2013)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 171)

Abstract

Web services composition allows a software designer to combine atomic services, for instance taken from a marketplace, into a complex business process that fulfils a desired functional goal. Moreover, among a large number of possible compositions, the designer may want to consider only those that satisfy specific non-functional requirements.

In our work we consider the verification of security properties and the evaluation of quantitative security metrics in a single framework. The main focus of this article is the verification of a composition with several security metrics at once. We provide a general solution to the problem and show how such verification can be made more efficient in specific cases (e.g., when one metric is an abstraction of another). We employ a mathematical structure called a c-semiring, which grants the generality of our approach.

This work was partly supported by EU-FP7-ICT NESSoS, EU-FP7-ICT ANIKETOS and EU-FP7-ICT SPaCIoS projects.

Notes

  1. Note that the existence of the glb is granted by the presence of a top element in our domains.

  2. A link with proofs: http://wwwold.iit.cnr.it/staff/artsiom.yautsiukhin/Resources/Proofs-SBP.pdf.

  3. Here we go ahead a bit and use vectors of values instead of simple values. In the following we show that such a substitution is justified.

  4. In this example, we also assume that security breaches are independent.

Corresponding author

Correspondence to Fabio Martinelli.

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Costa, G., Martinelli, F., Yautsiukhin, A. (2014). Multi-dimensional Secure Service Orchestration. In: Lohmann, N., Song, M., Wohed, P. (eds) Business Process Management Workshops. BPM 2013. Lecture Notes in Business Information Processing, vol 171. Springer, Cham. https://doi.org/10.1007/978-3-319-06257-0_37

  • DOI: https://doi.org/10.1007/978-3-319-06257-0_37

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-06256-3

  • Online ISBN: 978-3-319-06257-0

  • eBook Packages: Computer Science, Computer Science (R0)
