Secure sessions for Web services
ACM Transactions on Information and System Security (TISSEC)
Verifying policy-based web services security
ACM Transactions on Programming Languages and Systems (TOPLAS)
Secure compilation of a multi-tier web language
Proceedings of the 4th international workshop on Types in language design and implementation
Tisa: A Language Design and Modular Verification Technique for Temporal Policies in Web Services
ESOP '09 Proceedings of the 18th European Symposium on Programming Languages and Systems: Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2009
UTP semantics for web services
IFM'07 Proceedings of the 6th international conference on Integrated formal methods
TAPIDO: trust and authorization via provenance and integrity in distributed objects
ESOP'08/ETAPS'08 Proceedings of the Theory and practice of software, 17th European conference on Programming languages and systems
Formal methods and hybrid real-time systems
UTP'08 Proceedings of the 2nd international conference on Unifying theories of programming
A probabilistic BPEL-like language
UTP'10 Proceedings of the Third international conference on Unifying theories of programming
An XML web service is, to a first approximation, an RPC service in which requests and responses are encoded in XML as SOAP envelopes, and transported over HTTP. We consider the problem of authenticating requests and responses at the SOAP level, rather than relying on transport-level security. We propose a security abstraction, inspired by earlier work on secure RPC, in which the methods exported by a web service are annotated with one of three security levels: none, authenticated, or both authenticated and encrypted. We model our abstraction as an object calculus with primitives for defining and calling web services. We describe the semantics of our object calculus by translating to a lower-level language with primitives for message passing and cryptography. To validate our semantics, we embed correspondence assertions that specify the correct authentication of requests and responses. By appeal to the type theory for cryptographic protocols of Gordon and Jeffrey's Cryptyc, we verify the correspondence assertions simply by typing. Finally, we describe an implementation of our semantics via custom SOAP headers.