Security-by-contract for web services

Authors:
Nicola Dragoni;Fabio Massacci
Affiliations:
Università degli Studi di Trento, Trento, Italy;Università degli Studi di Trento, Trento, Italy
Venue:
Proceedings of the 2007 ACM workshop on Secure web services
Year:
2007

Citing 15
Cited 3

Distributed rational decision making

Multiagent systems
ACM SIGAda Ada Letters

ACM SIGAda Ada Letters
A uniform framework for regulating service access and information release on the web

Journal of Computer Security
Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation

ACM Transactions on Information and System Security (TISSEC)
Policy Specification for Programmable Networks

IWAN '99 Proceedings of the First International Working Conference on Active Networks
Secure mediation: requirements, design, and architecture

Journal of Computer Security - IFIP 2000
Decentralized Trust Management

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Automated Trust Negotiation

Automated Trust Negotiation
An Adaptive Policy-Based Framework for Network Services Management

Journal of Network and Systems Management
Model-carrying code: a practical approach for safe execution of untrusted applications

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
An access control framework for business processes for web services

Proceedings of the 2003 ACM workshop on XML security
Automated trust negotiation using cryptographic credentials

Proceedings of the 12th ACM conference on Computer and communications security
Access control enforcement for conversation-based web services

Proceedings of the 15th international conference on World Wide Web
A Negotiation Scheme for Access Rights Establishment in Autonomic Communication

Journal of Network and Systems Management
Security-by-contract: toward a semantics for digital signatures on mobile code

EuroPKI'07 Proceedings of the 4th European conference on Public Key Infrastructure: theory and practice

A self-protecting and self-healing framework for negotiating services and trust in autonomic communication systems

Computer Networks: The International Journal of Computer and Telecommunications Networking
Provably correct inline monitoring for multithreaded Java-like programs

Journal of Computer Security - EU-Funded ICT Research on Trust and Security
Modeling and negotiating service quality

Service research challenges and solutions for the future internet

Quantified Score

Hi-index	0.00

Visualization

Abstract

The classical approach to access control of Web Services is to present a number of credentials for the access to a service and possibly negotiate their disclosure using a suitable negotiation protocol and a policy to protect them. In practice the "Web Service" is not really a single service but rather a set of services that can be accessed only through a suitable conversation. Further, in real-life we are often willing to trade the disclosure of personal attributes (frequent flyer number, car plate or AAA membership etc.) in change of additional services and only in a particular order. In this paper we propose a novel negotiation framework where services, needed credentials, and behavioral constraints on the disclosure of privileges are bundled together and that clients and servers have a hierarchy of preferences among the different bundles. While the protocol supports arbitrary negotiation strategies we sketch two concrete strategies (one for the clientand one for the service provider) that make it possible to successfully complete a negotiation when dealing with a co-operative partner and to resist attacks by malicious agentto "vacuum-clean" the preference policy of the honest participant.