Security is one of the major concerns in service oriented architecture (SOA). Much effort has been devoted to providing better security mechanisms in the web service environment. However, most of these approaches focus on individual web services and do not consider service compositions. Advanced security models allow a service to effectively control access to its resources, but do not provide sufficient mechanisms to control the flow of critical information along a chain of services. In a composite service, the information exchanged among component services takes the form of requests and responses. A request or a response may be computed from critical data of a service and/or from previous requests and responses. Such information flow may result in undesirable information leakage. Consider a service chain where service s1 accesses s2, and s2, in turn, accesses s3. The information returned from s3 to s2 may be used to compute results that are further returned to s1. The current web service security architecture does not consider the data correlations in a service chain and provides no mechanism to control such an information flow. In this case, s1 may use the data received from s2 to infer s3's sensitive information, which may be undesired by s3.
This information flow problem has not been addressed in existing WS security models. Most of them assume that if s1 trusts s2, s1 trusts whoever s2 trusts. The reverse trust relations are also assumed. When the chain is long, the trust relations may be outside the control scope of a given service (or set of services). This may work for some application systems. However, for application systems with high security requirements, it may be desirable to provide mechanisms to empower the services to control the flow of their critical information in a service chain.
The information flow problem in a service chain can be easily addressed when centralized approaches to security are adopted. However, web services are moving toward global scale, and centralized solutions cannot scale up. When composite services span multiple administrative domains, the information flow problem remains unsolved. Delegation models have been used for distributed access control in decentralized systems, but delegation only helps pass access privileges along a service chain; it does not provide information flow control.
In this project, we develop a novel model to support fine-grained information flow control in composed services, namely the Service Chain Information Flow Control (SCIFC) model. In SCIFC, we introduce the novel notions of the back check procedure and the pass-on certificate. Information flow control considers both the request flow and the response flow. In the request flow, the service chain is yet to be established: in a service chain s1, s2, s3, when s2 selects s3, whether the information embedded in the request may flow to the new service s3 should be back-checked with service s1. In the response flow, s3 should authorize the flow of its response information from s2 to s1 using a pass-on certificate. To improve efficiency, we also introduce the notions of carry-along policies, security classes, and transformation factors, which eliminate unnecessary checks. With SCIFC, we enable web services to specify how to protect their information on a service chain without any leak of critical information to services they do not trust.
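The following Python simulation is an added illustration of the two checks described above, not the project's own SCIFC implementation. It assumes a deliberately simplified model: each service publishes a trust set, every message carries the labels of the services whose critical data contributed to it, the back check consults every labelled owner before the chain is extended, and the pass-on certificate is taken to be each owner's trust set attached to its response. Carry-along policies, security classes and transformation factors are not modelled; the three-service chain and its policies are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    """A service and the set of services it trusts to receive information
    derived from its critical data (a constructed policy, assumed here)."""
    name: str
    trusts: frozenset


@dataclass
class Message:
    """A request or response. 'labels' records every service whose critical
    data contributed to the payload; 'pass_on_cert' maps each such owner to
    the services it has authorised to receive data derived from it."""
    payload: str
    labels: frozenset
    pass_on_cert: dict = field(default_factory=dict)


class FlowViolation(Exception):
    """Raised when a request or response would reach an untrusted service."""


def back_check(labels, candidate, registry):
    """Request flow: before the chain is extended to 'candidate', every
    service whose data is embedded in the request must trust it."""
    return all(candidate in registry[owner].trusts for owner in labels)


def forward_request(req, sender, candidate, registry):
    """'sender' adds its own critical data to the request and wants to call
    'candidate'; the back check consults all upstream owners first."""
    labels = req.labels | {sender}
    if not back_check(labels, candidate, registry):
        raise FlowViolation(
            f"back check: {candidate} not trusted by all of {sorted(labels)}")
    return Message(payload=f"{req.payload}|{sender}", labels=labels)


def derive_response(resp, deriver, registry):
    """'deriver' computes its reply from 'resp' plus its own critical data and
    attaches its pass-on certificate (assumed here to be its trust set)."""
    cert = dict(resp.pass_on_cert)
    cert[deriver] = registry[deriver].trusts
    return Message(payload=f"{resp.payload}|{deriver}",
                   labels=resp.labels | {deriver}, pass_on_cert=cert)


def deliver_response(resp, recipient):
    """Response flow: every owner whose data is in 'resp' must have
    authorised 'recipient' in the pass-on certificate."""
    for owner in sorted(resp.labels):
        if recipient not in resp.pass_on_cert.get(owner, frozenset()):
            raise FlowViolation(
                f"pass-on certificate: {owner} did not authorise {recipient}")
    return resp


def run_chain(chain, registry):
    """Walk chain[0] -> ... -> chain[-1] with back checks, then return the
    response hop by hop with certificate checks. Returns the labels of the
    data that finally reaches chain[0]."""
    req = Message(payload="request", labels=frozenset())
    for i in range(len(chain) - 1):
        req = forward_request(req, chain[i], chain[i + 1], registry)
    resp = derive_response(Message(payload="", labels=frozenset()),
                           chain[-1], registry)
    for i in range(len(chain) - 1, 0, -1):
        resp = deliver_response(resp, chain[i - 1])
        if i - 1 > 0:  # an intermediate service derives its own reply
            resp = derive_response(resp, chain[i - 1], registry)
    return resp.labels


def check_chain(chain, registry):
    """Convenience wrapper: ('ok', labels) or ('violation', reason)."""
    try:
        return ("ok", run_chain(chain, registry))
    except FlowViolation as exc:
        return ("violation", str(exc))


def make_registry(s3_trusts, s1_trusts=("s2", "s3")):
    """Constructed sample policies for the three-service chain of the text."""
    return {
        "s1": Service("s1", frozenset(s1_trusts)),
        "s2": Service("s2", frozenset({"s1", "s3"})),
        "s3": Service("s3", frozenset(s3_trusts)),
    }


if __name__ == "__main__":
    chain = ["s1", "s2", "s3"]
    print(check_chain(chain, make_registry({"s2"})))          # s3's data would reach s1
    print(check_chain(chain, make_registry({"s1", "s2"})))    # s3 authorised s1
    print(check_chain(chain, make_registry({"s2"}, s1_trusts=("s2",))))  # back check stops s3
```

The first run reproduces the scenario from the text: s3 trusts s2 but not s1, so s2's reply, which is derived from s3's response, is stopped by the pass-on certificate before it reaches s1. The third run shows the request-flow side: s1 has not trusted s3, so the back check refuses to extend the chain from s2 to s3 at all.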