A model for specification, composition and verification of access control policies and its application to web services

Document Type: ORIGINAL RESEARCH PAPER

Authors

Abstract

Despite significant advances in the access control domain, requirements of new computational environments like web services still raise new challenges. Lack of appropriate method for specification of access control policies (ACPs), composition, verification and analysis of them have all made the access control in the composition of web services a complicated problem. In this paper, a new independent formal model called Constrained Policy Graph (CPG) for specification of ACPs and their composition as well as verification of conflict or incompatibility among the ACPs is represented. It is shown how CPG can be used in modeling and verification of web service composition ACPs. Also the application of CPG for modeling policies in BPEL processes -as the most common composition method for web services- is illustrated.

Keywords


[1] E. Bertino, C. Bettini, E. Ferrari, P. Samarati. A Temporal Access Control Mechanism for Database systems. IEEE Transactions on knowledge and data engineering, 8(1): 67-80, February 1996.

[2] E. Bertino, C. Bettini, E. Ferrari, P. Samarati. An Access Control Model Supporting Periodicity Constraints and Temporal Reasoning. ACM Transaction on Database Systems, 23(3): 213-285, September 1998.

[3] P. Bonatti, S. D. C. di Vimercati, P. Samarati. A modular approach to composing access control policies. In Proc. 7th ACM Conf. on Communications and Security, pages 164-173, August 2000.

[4] F. Siewe, A. Cau, H. Zedan. A Compositional Framework for Access Control Policies Enforcement. FMSE'03, Washington, DC, USA, pages 32-42, October 30, 2003.

[5] S. Jajodia, P. Samarati, V. S. Subrahmanian, E. Bertino. A unified framework for enforcing multiple access control policies. ACM transaction on Database Systems, June 2001.

[6] E. Bertino, S. Jajodia, and P. Samarati. A flexible authorization mechanism for relational data management systems. ACM Transactions on Information Systems, 17(2): 101-140, April 1999.

[7] Alexandre Alves, et al. Web Services Business Process Execution Language. OASIS, 31 January 2007.

[8] A. Jones, R. Lipton, and L. Snyder. A Linear Time Algorithm for Deciding Security. In Proc. 17th Annual Symp. On the Foundations of Computer Science, 33-41 October, 1976.

[9] M. Bishop. Conspiracy and information flow in the Take-Grant Protection Model. Journal of Computer Security, vol. 4(4), pp. 331-360, 1996.

[10] M. Bishop. Theft of Information in the Take-Grant Protection Model. Journal of Computer Security (1994/1995).

[11] M. Bishop. The transfer of information and authority in a protection system. ACM, 1979.

[12] S. D. C. di Vimercati, P. Samarati, S. Jajodia. Policies, models, and languages for access control. In S. Bhalla, editor, DNIS, volume 3433 of Lecture Notes in Computer Science, pages 225-237, Springer, 2005.

[13] A.Charfi, M.Mezini. Middleware Services for Web Service Compositions, Chiba, Japan, ACM.WWW 2005.

[14] M. Rouached, Claude Godart. Securing Web Service Compositions: Formalizing Authorization Policies Using Event Calculus. ICSOC 2006: 440-446.

[15] Z. Derakhshandeh, B. Tork Ladani, N. Nematbakhsh. Verification of Access Control Policies in Composition of Web Services Using Take-Grant Protection Model. In Proceedings of the fourth Iranian Society of Cryptology Conference (ISCC07), Iran University of Science and Technology, October 16-18, 2007.

[16] Cheng, Y., Lee, E. W. and Dilip, K. L. Web Services Composition- An Overview of Standards. Information Technology Standards Committee, Section Four, Oct. 2004.

[17] A. Assaf et al. Web Service Choreography Interface 1.0. W3C, August 2002.

[18] Ter Beek, M.H., Bucchiarone, A. and Gnesi, S. A Survey on Service Composition Approaches: From Industrial Standards to Formal Methods. Technical Report 2006-TR-15, ISTI, Consiglio Nazionale delle Ricerche.

[19] Salaun, G., Bordeaux, L. and Schaerf, M. Describing and Reasoning on Web Services using Process Algebra. In Proceedings IEEE International Conference on Web Services, pages 43-50, 2004.

[20] Ferrara, A. Web Services: a Process Algebra Approach. In Proceedings of the 2nd International Conference on Service-Oriented Computing (ICSOC'04), New York, NY, pages 242-251. ACM Press, 2004.

[21] G. Diaz, Juan-Jose Pardo, Mara-Emilia Cambronero. Verification of Web Services with Timed Automata. Electronic Notes in Theoretical Computer Science 157 (2006) 19-34.

[22] Mariya Koshkina, Franck van Breugel. Verification of Business Processes for Web Services. York University, Department of Computer Science, October 2003.

[23] L.G. Meredith, S. Bjorg. Contracts and Types. Communications of the ACM, 46, No. 10, pp. 41-47, October 2003.

[24] H. Schlingloff, A. Martens, K. Schmidt. Modeling and Model Checking Web Services. Electronic Notes in Theoretical Computer Science 126 (2005) 3-26.

[25] Ganna Monakova, Oliver Kopp, and Frank Leymann. Improving Control Flow Verification in a Business Process using an Extended Petri Net. 1st Central European Workshop on Services and their Composition, ZEUS 2009, Stuttgart, Germany, March 2-3, (2009).

[26] Song W., Ma X., Ye C., Dou W. and L J. Timed Modeling and Verification of BPEL Processes Using Time Petri Nets. 9th International Conference on Quality Software, pp. 92-97.

[27] Zahra Derakhshandeh, Behrouz Tork Ladani, Naser Nematbakhsh. Using Constrained Policy Graph for Modeling and Analysis of The Web Service Composition Policies. In proceedings of the IADIS International Conference WWW/INTERNET 2008, Freiburg, Germany, 13-15 Oct. 2008.

[28] Zahra Derakhshandeh, Behrouz Tork Ladani, Naser Nematbakhsh. Application of Constraint Policy Graph for Specification and Analysis of Access Control Policies in BPEL processes. In Proceedings of the 6th International ISC Conference on Information Security and Cryptology (ISCISC'09), University of Isfahan, October 2009.

[29] M. Koch, L. V.Mancini, and F. Parisi-Presicce. Graph Based Specification of Access Control Policies. J. Comput. Syst. Sci., 71(1):133, 2005.

[30] Y. Li, H. Paik, and B. Benatallah. Formal consistency verification between BPEL process and privacy policy. In Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (PST '06), ACM, New York, USA, 2006.

[31] H. De Nivelle and I. Pratt-Hartmann. A resolution-based decision procedure for the two-variable fragment with equality. In Proc. IJCAR'01, vol. 2083 of LNAI, pp. 211-225. Springer, 2001.