Automata-based verification of security requirements of composite web services

Hongyu Sun, Samik Basu, Vasant Honavar, Robyn Lutz

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

4 Citations (Scopus)

Abstract

With the increasing reliance of complex real-world applications on composite web services assembled from independently developed component services, there is a growing need for effective approaches to verifying that a composite service not only offers the required functionality but also satisfies the desired non-functional requirements (NFRs). In high-assurance applications such as traffic control, medical decision support, and coordinated response to civil emergencies, of special concern are NFRs having to do with security, safety and reliability of composite services. Current approaches to verifying NFRs of composite services (as opposed to individual services) remain largely ad-hoc and informal in nature. In this paper we develop techniques for ensuring that a composite service meets the user-specified NFRs expressible in the form of hard constraints e.g., "response time has to be less than 5 minutes." We introduce an automata-based framework for verifying that a composite service satisfies the desired NFRs based on the known guarantees regarding the non-functional properties of the component services. We further show how to improve the efficiency of verifying that a composite service indeed satisfies a desired set of NFRs by: (i) Exploiting information about the applicability of specific NFRs (e.g., security) only to certain subsets of the component services that make up a composite service to minimize the verification effort and (ii) Identifying inconsistencies between NFRs with overlapping scopes. We illustrate how our approach can be used to verify the security requirements for an Emergency Management System. We also show how the approach can be used to verify whether a composite service satisfies any desired set of NFRs that can be expressed in the form of hard constraints of a quantitative nature.

Original language: English (US)
Title of host publication: Proceedings - 2010 IEEE 21st International Symposium on Software Reliability Engineering, ISSRE 2010
Pages: 348-357
Number of pages: 10
DOI: https://doi.org/10.1109/ISSRE.2010.20
State: Published - Dec 1 2010
Event: 2010 IEEE 21st International Symposium on Software Reliability Engineering, ISSRE 2010 - San Jose, CA, United States
Duration: Nov 1 2010 to Nov 4 2010

Publication series

Name: Proceedings - International Symposium on Software Reliability Engineering, ISSRE
ISSN (Print): 1071-9458

Other

Other: 2010 IEEE 21st International Symposium on Software Reliability Engineering, ISSRE 2010
Country: United States
City: San Jose, CA
Period: 11/1/10 to 11/4/10

Fingerprint

Web services
Composite materials
Traffic control

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality

Cite this

Sun, H., Basu, S., Honavar, V., & Lutz, R. (2010). Automata-based verification of security requirements of composite web services. In Proceedings - 2010 IEEE 21st International Symposium on Software Reliability Engineering, ISSRE 2010 (pp. 348-357). [5635065] (Proceedings - International Symposium on Software Reliability Engineering, ISSRE). https://doi.org/10.1109/ISSRE.2010.20
@inproceedings{f33a8db11e48478db37451ba7961aff2,
title = "Automata-based verification of security requirements of composite web services",
author = "Hongyu Sun and Samik Basu and Vasant Honavar and Robyn Lutz",
year = "2010",
month = "12",
day = "1",
doi = "10.1109/ISSRE.2010.20",
language = "English (US)",
isbn = "9780769542553",
series = "Proceedings - International Symposium on Software Reliability Engineering, ISSRE",
pages = "348--357",
booktitle = "Proceedings - 2010 IEEE 21st International Symposium on Software Reliability Engineering, ISSRE 2010",

}

TY - GEN

T1 - Automata-based verification of security requirements of composite web services

AU - Sun, Hongyu

AU - Basu, Samik

AU - Honavar, Vasant

AU - Lutz, Robyn

PY - 2010/12/1

Y1 - 2010/12/1

UR - http://www.scopus.com/inward/record.url?scp=79952016774&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79952016774&partnerID=8YFLogxK

U2 - 10.1109/ISSRE.2010.20

DO - 10.1109/ISSRE.2010.20

M3 - Conference contribution

AN - SCOPUS:79952016774

SN - 9780769542553

T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE

SP - 348

EP - 357

BT - Proceedings - 2010 IEEE 21st International Symposium on Software Reliability Engineering, ISSRE 2010

ER -
