K. Ono, Yuichi Nakamura, Fumiko Satoh, T. Tateishi
{"title":"Verifying the Consistency of Security Policies by Abstracting into Security Types","authors":"K. Ono, Yuichi Nakamura, Fumiko Satoh, T. Tateishi","doi":"10.1109/ICWS.2007.187","DOIUrl":null,"url":null,"abstract":"The service-oriented architecture (SOA) makes application development easier, because applications can be built from existing services with a bottom-up methodology. However, it is difficult to determine if a desired new service can be built from existing services. Not only the functional consistency of the existing services, but also the consistency of their non-functional (such as security) aspects must be verified. Message protection is an aspect of security. Every service needs an appropriate security policy defining the protection of messages exchanged between the parties to the service. Because of the intricacy of the Web services security policy language, it is difficult to verify the consistency of the security policies. We are developing a method to verify the consistency of security policies by abstracting them. Each security policy is abstracted, and then attached as a security type to the corresponding service in the application model. The security type denotes a security level for message protection. The security developer defines the possible abstraction methods. In this paper, we define the constraint of abstraction methods based on the semantics of the policy language. And also we state verifying the consistency of security types by using information flow analysis.","PeriodicalId":208234,"journal":{"name":"IEEE International Conference on Web Services (ICWS 2007)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE International Conference on Web Services (ICWS 2007)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICWS.2007.187","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 13
Abstract
The service-oriented architecture (SOA) makes application development easier, because applications can be built from existing services with a bottom-up methodology. However, it is difficult to determine if a desired new service can be built from existing services. Not only the functional consistency of the existing services, but also the consistency of their non-functional (such as security) aspects must be verified. Message protection is an aspect of security. Every service needs an appropriate security policy defining the protection of messages exchanged between the parties to the service. Because of the intricacy of the Web services security policy language, it is difficult to verify the consistency of the security policies. We are developing a method to verify the consistency of security policies by abstracting them. Each security policy is abstracted, and then attached as a security type to the corresponding service in the application model. The security type denotes a security level for message protection. The security developer defines the possible abstraction methods. In this paper, we define the constraint of abstraction methods based on the semantics of the policy language. And also we state verifying the consistency of security types by using information flow analysis.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
