ABSTRACT
Service Oriented Architecture with underlying technologies like web services and web service orchestration opens new vistas for integration among business processes operating in heterogeneous environments. However, such dynamic collaborations require a highly secure environment at each respective business partner site. Existing web services standards address the issue of security only on the service provider platform. The partner platforms to which sensitive information is released have till now been neglected. Remote Attestation is a relatively new field of research which enables an authorized party to verify that a trusted environment actually exists on a partner platform. To incorporate this novel concept in to the web services realm, a new mechanism called WS-Attestation has been proposed. This mechanism provides a structural paradigm upon which more fine-grained solutions can be built. In this paper, we present a novel framework, Behavioral Attestation for Web Services, in which XACML is built on top of WS-Attestation in order to enable more flexible remote attestation at the web services level. We propose a new type of XACML policy called XACML behavior policy, which defines the expected behavior of a partner platform. Existing web service standards are used to incorporate remote attestation at the web services level and a prototype is presented, which implements XACML behavior policy using low-level attestation techniques.
- IAIK: Institute for Applied Information Processing and Communications, Graz University of Technology. http://www. iaik. tugraz. at/.Google Scholar
- Security-Enhanced Linux (SELinux). http://www.nsa. gov/ selinux/.Google Scholar
- Sun's XACML Implementation. http://sunxacml.sourceforge. net.Google Scholar
- Trusted Computing for the Java(tm) Platform. available at,. http://trustedjava. sourceforge. net/.Google Scholar
- Trusted Computing Group (TCG). https://www.trustedcomputinggroup.org/.Google Scholar
- TCG Specification Architecture Overview v1.2, page 11--12. Technical report, Trusted Computing Group, April 2004.Google Scholar
- SAML 2.0 profile of XACML v2.0. Technical report, OASIS, February 2005.Google Scholar
- M. Alam, X. Zhang, M. Nauman, T. Ali, and J. P. Seifert. Model-based Behavioral Attestation. In SACMAT'08: Proceedings of the thirteenth ACM symposium on Access control models and technologies., New York, NY, USA, 2008. ACM Press. Google ScholarDigital Library
- Masoom Alam, Qi Li, Xinwen Zhang, and Jean-Pierre Seifert. Usage control platformization via trustworthy selinux. In ASIACCS'08: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, 2008. Google ScholarDigital Library
- Masoom Alam, Jean-Pierre Seifert, and Xinwen Zhang. A model-driven framework for trusted computing based systems. In EDOC'07: Proceedings of the 11th IEEE International Enterprise Distributed Object Computing Conference, page 75, Washington, DC, USA, 2007. IEEE Computer Society. Google ScholarDigital Library
- S. Anderson, J. Bohren, T. Boubez, et al. Web Services Trust Language (WS-Trust). Public draft release, Actional Corporation, BEA Systems, Computer Associates International, International Business Machines Corporation, Layer, 7.Google Scholar
- B. Atkinson, G. Della-Libera, S. Hada, M. Hondo, P. Hallam-Baker, J. Klein, B. LaMacchia, P. Leach, J. Manferdelli, H. Maruyama, et al. Web Services Security (WS-Security). Version, 1.Google Scholar
- Advanced Micro Devices. AMD Secure Virtual Machine Architecture Reference Manual. AMD, 2005.Google Scholar
- David Grawrock. The Intel Safer Computing Initiative Building Blocks for Trusted Computing. Intel Press, http://www.intel.com/intelpress/sum secc.htm, 2005.Google Scholar
- Trent Jaeger, Reiner Sailer, and Umesh Shankar. PRIMA: Policy-Reduced Integrity Measurement Architecture. In SACMAT'06: Proceedings of the eleventh ACM symposium on Access control models and technologies, pages 19--28, New York, NY, USA, 2006. ACM Press. Google ScholarDigital Library
- Markus Lorch, Seth Proctor, Rebekah Lepro, Dennis Kafura, and Sumit Shah. First experiences using xacml for access control in distributed systems. In XMLSEC'03: Proceedings of the 2003 ACM workshop on XML security, pages 25--37, New York, NY, USA, 2003. ACM. Google ScholarDigital Library
- F. Mayer, K. MacMillan, and D. Caplan. SELinux by Example: Using Security Enhanced Linux. Prentice Hall, 2006. Google ScholarDigital Library
- Aarthi Nagarajan, Vijay Varadharajan, and Michael Hitchens. Trust Management for Trusted Computing Platforms in Web Services. In STC 07: The Second ACM Workshop on Scalable Trusted Computing, under ACM CCS 07, Virginia, USA, 2007. ACM. Google ScholarDigital Library
- Jaehong Park and Ravi Sandhu. Towards Usage Control Models: Beyond Traditional Access Control. In SACMAT'02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 57--64, New York, NY, USA, 2002. ACM Press. Google ScholarDigital Library
- Siani Pearson. Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, Upper Saddle River, NJ, USA, 2002. Google ScholarDigital Library
- Ahmad-Reza Sadeghi and Christian Stüble. Property-based Attestation for Computing Platforms: Caring about Properties, not Mechanisms. In NSPW'04: Proceedings of the 2004 Workshop on New Security Paradigms, pages 67--77, New York, NY, USA, 2004. ACM Press. Google ScholarDigital Library
- David Safford, Jeff Kravitz, and Leendert van Doorn. Take Control of TCPA. Linux J., 2003(112):2, 2003. Google ScholarDigital Library
- Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, pages 16--16, Berkeley, CA, USA, 2004. USENIX Association. Google ScholarDigital Library
- Elaine Shi, Adrian Perrig, and Leendert Van Doorn. BIND: A Fine-Grained Attestation Service for Secure Distributed Systems. In SP'05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 154--168, Washington, DC, USA, 2005. IEEE Computer Society. Google ScholarDigital Library
- Z. Song, S. Lee, and R. Masuoka. Trusted web service. The Second Workshop on Advances in Trusted Computing (WATCS06 Fall), 2006.Google Scholar
- Web Services Policy 1.2. http://www. w3. org/Submission/ WS-Policy/.Google Scholar
- XACML 2.0 Specification Set. Available at: http://www.oasis-open.org/committees/tc home.php?wg abbrev=xacml.Google Scholar
- S. Yoshihama, T. Ebringer, M. Nakamura, S. Munetoh, T. Mishina, and H. Maruyama. WS-Attestation: Enabling Trusted Computing on Web Services. Test and Analysis of Web Services, pages 441--469, 2007.Google ScholarCross Ref
Index Terms
- Behavioral attestation for web services (BA4WS)
Recommendations
Model-based behavioral attestation
SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologiesRemote attestation is an important characteristic of trusted computing technology which provides reliable evidence that a trusted environment actually exists. Existing approaches for the realization of remote attestation measure the trustworthiness of a ...
Behavioral Attestation for Web Services using access policies
Service Oriented Architecture with underlying technologies like web services and web service orchestration opens new vistas for integration among business processes operating in heterogeneous environments. However, such dynamic collaborations require a ...
Composing Web Services: A QoS View
An Internet application can invoke several services--a stock-trading Web service, for example, could invoke a payment service, which could then invoke an authentication service. Such a scenario is called a composite Web service, and it can be specified ...
Comments