ABSTRACT
The ability to automatically compose security policies created by multiple organizations is fundamental to the development of scalable security systems. The diversity of policies leads to conflicts and the need to resolve priorities between rules. In this paper we explore the concept of defeasible policy composition, wherein policies are represented in defeasible logic and composition is based on rules for non-monotonic inference. This enables policy writers to assert rules tentatively; when policies are composed the policy with the firmest position takes precedence. In addition, the structure of our policies allows for composition to occur using a single operator; this allows for entirely automated composition. We argue that this provides a practical system that can be understood by typical policy writers, analyzed rigorously by theoreticians, and efficiently automated by computers. We aim to partially validate these claims here with a formulation of defeasible policy composition for web services, an emerging foundation for B2B commerce on the World Wide Web.
- E. S. Al Shaer and H. H. Hamend. Discovery of policy anomalies in distributed firewalls. In IEEE INFOCOMM , 2004.Google ScholarCross Ref
- Amazon web services. Web Page, Jan. 2006. www.amazon.com/gp/aws/landing.html.Google Scholar
- G. Antoniou, D. Billington, and M. J. Maher. On the analysis of regulations using defeasible rules. In HICSS '99: Proceedings of the Thirty-second Annual Hawaii International Conference on System Sciences-Volume 6, page 6033, 1999. Google ScholarDigital Library
- G. Antoniou and A. Ghose. What is default reasoning good for? applications revisited. In 32nd Hawaii International Conference on System Sciences, Jan. 1999 Google ScholarDigital Library
- G. Antoniou, M. J. Maher, and D. Billington. Defeasible logic versus logic programming without negation as failure. Journal of Logic Programming, 42(1):47--57, 2000.Google ScholarCross Ref
- S. Batres and C. Ferris (Editors). Web services reliable messaging policy assertion(WS-RM Policy). Specification, Feb. 2005. msdn.microsoft.com/library/en-us/dnglobspec/html/WS-RMPolicy.pdf.Google Scholar
- E. Bertino, S. Jajodia, and P. Samarati. Supporting multiple access control policies in database systems. In IEEE Symposium on Security and Privacy, pages 94--109, 1996. Google ScholarDigital Library
- K. Bhargavan, C. Fournet, and A. D. Gordon. Verifying policy-based security for web services. In 11th ACM conference on Computer and Communications Security, pages 268--277, Oct. 2004. Google ScholarDigital Library
- K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse. Verified interoperable implementations of security protocols. In Computer Security Foundations Workshop (CSFW 06), Venice, Italy, July 2006. IEEE. Google ScholarDigital Library
- C. Bidan and V. Issarny. Dealing with multi-policy security in large open distributed systems. In European Symposium on Research in Computer Security (ESORICS), pages 51--66, 1998. Google ScholarDigital Library
- P. Bonatti, S. D. C. di Vimercati, and P. Samarati. A modular approach to composing access control policies. In 7th ACM Conference on Computer and Communications Security (CCS '00), pages 164--173, Nov. 2000. Google ScholarDigital Library
- L. Cholvy and F. Cuppens. Analyzing consistency of security policies. In 18th IEEE Computer Society Symposium on Research in Security and Privacy, 1997. Google ScholarDigital Library
- D. Eastlake and J. Reagle(Chairs). W3C XML-DSig working group. Web Page, Jan. 2006. www.w3.org/Signature/.Google Scholar
- Web services reliable messaging protocol(WS-R eliable M essaging). Specification, Feb. 2005. msdn.microsoft.com/library/en-us/dnglobspec/html/WS-ReliableMessaging.p%df.Google Scholar
- I. Foster, C. Kesselman, J. M. Nick, and S. Tuecke. The physiology of the grid: An open grid services architecture for distributed systems integration. In Open Grid Service Infrastructure Working Group, Global Grid Forum, Jun. 2002. Google ScholarDigital Library
- K. Frankish. Non-monotonic inference. In The Encyclopedia of Language and Linguistics. Elsevier, second edition, 2005.Google Scholar
- Google web APIs. Web Page, Jan. 2006. www.google.com/apis/.Google Scholar
- G. Governatori, A. H. M. ter Hofstede, and P. Oaks. Defeasible logic for automated negotiation. In P. Swatman and P. M. Swatman, editors, Proceedings of CollECTeR, 2000.Google Scholar
- G. Governatori, A. H. M. ter Hofstede, and P. Oaks. Is defeasible logic applicable? In G. Antoniou and G. Governatori, editors, Proceedings of the 2nd Australasian Workshop on Computational Logic, pages 47--62, Brisbane January 2001. Queensland University of Technology.Google Scholar
- B. N. Grosof, Y. Labrou, and H. Y. Chan. A declarative approach to business rules in contracts: courteous logic programs in XML. In ACM Conference on Electronic Commerce, pages 68--77, 1999. Google ScholarDigital Library
- J. Halpern and V. Weissman. Using first-order logic to reason about policies. In IEEE Computer Security Foundations Workshop (CSFW '03), Jun. 2003.Google ScholarCross Ref
- S. Horrell. Web services enhancements 2.0 support for WS-P olicy. Web Page, July 2004. msdn.microsoft.com/library/en-us/dnwse/html/wse2wspolicy.asp.Google Scholar
- C. Kaler and A. Nadalin (Editors). Web services federation language (WS-F ederation). Specification, Jul. 2003. www-106.ibm.com/developerworks/webservices/library/ws-fed/.Google Scholar
- E. C. Lupu and M. Sloman. Conflicts in policy-based distributed systems management. IEEE Transactions on Software Engineering, 25(6):852--869, 1999. Google ScholarDigital Library
- K. D. Lux, M. J. May, N. L. Bhattad, and C. A. Gunter. WSE mail: Secure internet messaging based on web services. In International Conference on Web Services, Orlando, FL, July 2005. Google ScholarDigital Library
- M. J. Maher. Propositional defeasible logic has linear complexity. Theory and Practice of Logic Programming, 1(6):691--711, 2001. Google ScholarDigital Library
- M. J. May, W. Shin, C. A. Gunter, and I. Lee. Securing the drop-box architecture for assisted living. In Formal Methods in Software Engineering (FMSE '06), Alexandria, VA, November 2006. ACM. Google ScholarDigital Library
- M. McDougall, R. Alur, and C. A. Gunter. A model-based approach to integrating security policies for embedded devices. In ACM EMSOFT, Sept. 2004. Google ScholarDigital Library
- Michael McDougall. Modeling and Analyzing Integrated Policies. PhD thesis, University of Pennsylvania, 2004. Google ScholarDigital Library
- A. Nadalin (Editor). Web services security policy language (WS-SecurityPolicy). Web Services Specification, 2002. www.verisign.com/wss/WS-SecurityPolicy.pdf.Google Scholar
- D. Nute. Defeasible logic. In 14th International Conference on Applications of Prolog, Oct. 2001.Google Scholar
- J. Reagle (Chair). W3C XML encryption working group. Web Page, Jan. 2006. www.w3.org/Encryption/2001/.Google Scholar
- D. M. Reeves, M. P. Wellman, B. N. Grosof, and H. Y. Chan. Automated negotiation from declarative contract descriptions. In 17th National Conference on Artificial Intelligence, Workshop on Knowledge-Based Electronic Markets (KBEM), Jul. 2000. Google ScholarDigital Library
- A. Rock. Deimos: A query answering defeasible logic system. Technical report, Griffith University, Mar. 2004 www.cit.gu.edu.au/~arock/defeasible/doc/Deimos-long.pdf.Google Scholar
- J. Schlimmer (Editor). Web services policy framework (WS-Policy). Web Services Specification, 2004. ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf.Google Scholar
- C. Sharp (Editor). Web services policy attachment (WS-P olicy A ttachment). Specification, Sept. 2004. msdn.microsoft.com/library/en us/dnglobspec/html/ws-policyattachment.as%p.Google Scholar
- SOAP version 1.2. W3C Recommendation, Jan. 2006. www.w3.org/TR/soap12.Google Scholar
Index Terms
- Defeasible security policy composition for web services
Recommendations
Security Policy Composition for Composite Web Services
An application based on the Service-Oriented Architecture (SOA) consists of an assembly of services, which is referred to as a composite service. A composite service can be implemented from other composite services, and hence, the application could have ...
Using Semantics for Policy-Based Web Service Composition
Proliferation of Web technologies and the ubiquitous Internet has resulted in a tremendous increase in the need to deliver one-stop Web services, which are often composed of multiple component services that cross organizational boundaries. It is ...
Security Policy Composition for Composite Services
ICWE '08: Proceedings of the 2008 Eighth International Conference on Web EngineeringAn application based Service-Oriented Architecture(SOA) consists of an assembly of external services and the application is called as a composite service. Acomposite service could be implemented by other composite services hence the application could ...
Comments