DOI: 10.1145/1103022.1103024

An advisor for web services security policies

Published: 11 November 2005

Abstract

We identify common security vulnerabilities found during security reviews of web services with policy-driven security. We describe the design of an advisor for web services security configurations, the first tool both to identify such vulnerabilities automatically and to offer remedial advice. We report on its implementation as a plugin for Microsoft Web Services Enhancements (WSE).


Published In

SWS '05: Proceedings of the 2005 Workshop on Secure Web Services, November 2005, 98 pages. ISBN: 1595932348. DOI: 10.1145/1103022.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. WS-security
2. XML security
3. policy-driven security
4. web services


Conference

CCS05

Cited By

• (2020) A Lightweight Approach for Policy-Based Messaging. Evolutionary Computing and Mobile Sustainable Networks, pp. 399-409. DOI: 10.1007/978-981-15-5258-8_38. Online publication date: 1 Aug 2020.
• (2018) Extending OpenID Connect Towards Mission Critical Applications. Cybernetics and Information Technologies 18(3):93-110. DOI: 10.2478/cait-2018-0041. Online publication date: 19 Sep 2018.
• (2017) Spinner. Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 176-188. DOI: 10.1145/3134600.3134628. Online publication date: 4 Dec 2017.
• (2016) Detection of XML Signature Wrapping Attack Using Node Counting. Proceedings of the 3rd International Symposium on Big Data and Cloud Computing Challenges (ISBCC '16), pp. 57-63. DOI: 10.1007/978-3-319-30348-2_5. Online publication date: 23 Feb 2016.
• (2016) A histogram-based method for efficient detection of rewriting attacks in simple object access protocol messages. Security and Communication Networks 9(6):492-499. DOI: 10.1002/sec.934. Online publication date: 1 Apr 2016.
• (2014) Enhance Matching Web Service Security Policies with Semantic. Knowledge and Systems Engineering, pp. 213-224. DOI: 10.1007/978-3-319-02741-8_19. Online publication date: 2014.
• (2013) Making XML Signatures Immune to XML Signature Wrapping Attacks. Cloud Computing and Services Science, pp. 151-167. DOI: 10.1007/978-3-319-04519-1_10. Online publication date: 2013.
• (2012) Interoperability and Functionality of WS-* Implementations. International Journal of Web Services Research 9(3):1-22. DOI: 10.4018/jwsr.2012070101. Online publication date: 1 Jul 2012.
• (2012) Ensuring XML Integrity Using Watermarking Techniques. Proceedings of the 2012 Eighth International Conference on Signal Image Technology and Internet Based Systems, pp. 668-674. DOI: 10.1109/SITIS.2012.101. Online publication date: 25 Nov 2012.
• (2012) XML Signature Wrapping Angriffe wirksam unterbinden. Datenschutz und Datensicherheit - DuD 36(4):236-240. DOI: 10.1007/s11623-012-0091-9. Online publication date: 18 Apr 2012.
