Towards an Automatic Analysis of Web Service Security

Authors:
Yannick Chevalier;Denis Lugiez;Michaël Rusinowitch
Affiliations:
IRIT, Team LiLac, Université de Toulouse, France;LIF, CNRS, Aix-Marseille Université, France;LORIA-INRIA-Lorraine, France
Venue:
FroCoS '07 Proceedings of the 6th international symposium on Frontiers of Combining Systems
Year:
2007

Citing 15
Cited 0

Rewrite systems

Handbook of theoretical computer science (vol. B)
Unification in the union of disjoint equational theories: combining decision procedures

Journal of Symbolic Computation
Term rewriting and all that

Term rewriting and all that
Strand spaces: proving security protocols correct

Journal of Computer Security
Towards an Automatic Analysis of Security Protocols in First-Order Logic

CADE-16 Proceedings of the 16th International Conference on Automated Deduction: Automated Deduction
An NP Decision Procedure for Protocol Insecurity with XOR

LICS '03 Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science
A Meta-Notation for Protocol Analysis

CSFW '99 Proceedings of the 12th IEEE workshop on Computer Security Foundations
Protocol Insecurity with Finite Number of Sessions is NP-Complete

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Symbolic protocol analysis with an Abelian group operator or Diffie-Hellman exponentiation

Journal of Computer Security
Associative-commutative deducibility constraints

STACS'07 Proceedings of the 24th annual conference on Theoretical aspects of computer science
A symbolic intruder model for hash-collision attacks

ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues
Algebraic intruder deductions

LPAR'05 Proceedings of the 12th international conference on Logic for Programming, Artificial Intelligence, and Reasoning
Combining intruder theories

ICALP'05 Proceedings of the 32nd international conference on Automata, Languages and Programming
The AVISPA tool for the automated validation of internet security protocols and applications

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
The finite variant property: how to get rid of some algebraic properties

RTA'05 Proceedings of the 16th international conference on Term Rewriting and Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underly these services, their security properties and the rewriting attacks they might be subject to. Unlike other protocol models (in symbolic analysis) ours can handle non-deterministic receive/send actions and unordered sequence of XML nodes. Then to detect the attacks we have to consider the services as combining multiset operators and cryptographic ones and we have to solve specific satisfiability problems in the combined theory. By non-trivial extension of the combination techniques of [3] we obtain a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives. This combination technique allows one to decide insecurity in a modular way by reducing the associated constraint solving problems to problems in simpler theories.