The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures

Authors:
Alessandro Armando;Wihem Arsac;Tigran Avanesov;Michele Barletta;Alberto Calvi;Alessandro Cappai;Roberto Carbone;Yannick Chevalier;Luca Compagna;Jorge Cuéllar;Gabriel Erzse;Simone Frau;Marius Minea;Sebastian Mödersheim;David von Oheimb;Giancarlo Pellegrino;Serena Elisa Ponta;Marco Rocchetto;Michael Rusinowitch;Mohammad Torabi Dashti;Mathieu Turuani;Luca Viganò
Affiliations:
AI-Lab, DIST, Università di Genova, Italy;SAP Research, Mougins, France;LORIA & INRIA Nancy Grand Est, France;Department of Computer Science, University of Verona, Italy;Department of Computer Science, University of Verona, Italy;AI-Lab, DIST, Università di Genova, Italy;AI-Lab, DIST, Università di Genova, Italy;IRIT, Université Paul Sabatier, France;SAP Research, Mougins, France;Siemens AG, Corporate Technology, Munich, Germany;Institute e-Austria and Politehnica University, Timişoara, Romania;Institute of Information Security, ETH Zurich, Switzerland;Institute e-Austria and Politehnica University, Timişoara, Romania;IBM Zurich Research Laboratory, Switzerland and DTU, Lyngby, Denmark;Siemens AG, Corporate Technology, Munich, Germany;SAP Research, Mougins, France;AI-Lab, DIST, Università di Genova, Italy and SAP Research, Mougins, France;Department of Computer Science, University of Verona, Italy;LORIA & INRIA Nancy Grand Est, France;Institute of Information Security, ETH Zurich, Switzerland;LORIA & INRIA Nancy Grand Est, France;Department of Computer Science, University of Verona, Italy
Venue:
TACAS'12 Proceedings of the 18th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Year:
2012

Citing 17
Cited 2

Towards an Automatic Analysis of Security Protocols in First-Order Logic

CADE-16 Proceedings of the 16th International Conference on Automated Deduction: Automated Deduction
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Automatic Composition of Services with Security Policies

SERVICES '08 Proceedings of the 2008 IEEE Congress on Services - Part I
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps

Proceedings of the 6th ACM workshop on Formal methods in security engineering
Validating Integrity for the Ephemerizer's Protocol with CL-Atse

Formal to Practical Security
Synthesis and Composition of Web Services

Formal Methods for Web Services
The Open-Source Fixed-Point Model Checker for Symbolic Analysis of Security Protocols

Foundations of Security Analysis and Design V
Secure pseudonymous channels

ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Abstraction by set-membership: verifying security protocols and web services with databases

Proceedings of the 17th ACM conference on Computer and communications security
Security validation of business processes via model-checking

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Security validation tool for business processes

Proceedings of the 16th ACM symposium on Access control models and technologies
StatVerif: Verification of Stateful Processes

CSF '11 Proceedings of the 2011 IEEE 24th Computer Security Foundations Symposium
Integrating automated and interactive protocol verification

FAST'09 Proceedings of the 6th international conference on Formal Aspects in Security and Trust
The AVISPA tool for the automated validation of internet security protocols and applications

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Verified reference implementations of WS-Security protocols

WS-FM'06 Proceedings of the Third international conference on Web Services and Formal Methods
The CL-Atse protocol analyser

RTA'06 Proceedings of the 17th international conference on Term Rewriting and Applications
ASLan++ -- a formal security specification language for distributed systems

FMCO'10 Proceedings of the 9th international conference on Formal Methods for Components and Objects

Towards the orchestration of secured services under non-disclosure policies

MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
KEDGEN2: A key establishment and derivation protocol for EPC Gen2 RFID systems

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The AVANTSSAR Platform is an integrated toolset for the formal specification and automated validation of trust and security of service-oriented architectures and other applications in the Internet of Services. The platform supports application-level specification languages (such as BPMN and our custom languages) and features three validation backends (CL-AtSe, OFMC, and SATMC), which provide a range of complementary automated reasoning techniques (including service orchestration, compositional reasoning, model checking, and abstract interpretation). We have applied the platform to a large number of industrial case studies, collected into the AVANTSSAR Library of validated problem cases. In doing so, we unveiled a number of problems and vulnerabilities in deployed services. These include, most notably, a serious flaw in the SAML-based Single Sign-On for Google Apps (now corrected by Google as a result of our findings). We also report on the migration of the platform to industry.