A Discussion on Security Typing and Measurement for SOA



Frank Tsui, Andy Wang, and Kai Qian
School of Computing & Software Engineering
Southern Polytechnic State University
Marietta, Georgia, USA 30067
<ftsui@spsu.edu>

ABSTRACT

In a service oriented environment, using SOA technologies, different business entities and services are combined together. Such an environment introduces various security vulnerabilities. This paper proposes an innovative approach to addressing SOA application security through security typing. We first define security typing concepts, including declaration and definition, with a simple security type, SST, as an example. We then explore various operations under this concept, including type equivalence, type compatibility, and type inference. We show, through unary and binary operational examples, that measuring security characteristics requires a clear understanding of the metric scale level, and that extending an ordinal scale metric to the ratio level can often be misleading. Our idea and approach to SST may be generalized in the future to more sophisticated security typing.

Keywords

security typing, measurement, SOA

INTRODUCTION

With the popularity of Service Oriented Architecture, SOA [6], the expectation of application software growth is increasing. SOA is less a new technical architecture than a new business paradigm for building application software from a collection of available services. Many facilities and resources, such as the Web Service Definition Language and the Business Process Execution Language, are available under the banner of SOA. Every service deployed as part of an SOA involves mission-critical application software. Some of the traditional characteristics of software are still, if not more, relevant under this new paradigm. These major attributes include quality, security, maintainability, configurability and a long list of “ities.” Among these attributes, we are especially interested in the security attribute because services interact with data, and data are critical. A company must ensure that its services are available around the clock while maintaining data integrity and privacy, allowing only legitimate users access to the data.

Any one of the service attributes or characteristics may be viewed as a property of the service. An attribute may be represented by a type and a corresponding set of values that defines that type. For example, the security attribute may be viewed through a security type, which is defined by a set of values that the security type may be assigned. The service performance characteristic may also be defined through a performance type, which is in turn made explicit by listing the set of values the performance type may be assigned. In software engineering we have learned that there is no one universal measurement that can characterize a piece of software. Similarly, we would most likely need to use multiple metrics to characterize a computing service in SOA. In this paper, we will focus our effort on the security attribute of a software service.

Any investment in SOA must be matched by the right investments in security and business continuity [8]. The open nature of SOA raises new security issues and calls for new and systematic solutions. Security has been studied extensively using different models. One popular avenue of endeavor is access models such as RBAC [5, 9] and RT [7]. Here, we will explore security as an attribute through the concept and model of typing. In a sense, typing is an implementation mechanism for the abstract attribute of software or service. While there have been considerations of attribute based access control and policy management [1, 11], the study has been limited to the design and explication of specific languages for RT.

The rest of the paper is organized as follows. We will first define the general concept of attribute based security typing. An important component of this definition is the set of security values, V. The definition of the set V will be shown to be the key to the determination of measurement scales: i) nominal, ii) ordinal, iii) interval or iv) ratio, from measurement theory [4]. We then explore various operations under this concept. To simplify the discussion, this paper is written with a specific security type, SST, as the example to illustrate the various perspectives of a security type. The concepts derived from this simple SST type may be generalized to more complex and sophisticated security types. A security type may, in turn, be used as a basis for designing a security-typed language or security-criteria based systems. Next, we illustrate how to use security typing for SOA objects and services. We conclude with a discussion of future research issues.

SECURITY TYPING

The notion of typing has been studied by programming language experts and is readily available in textbooks such as [2, 10]. We propose to utilize this traditional notion of “typing” to explore
the attribute of security for software or services. We see two immediate benefits with this approach. First, typing has been thoroughly studied and widely used since the 1970s; therefore the concepts and principles of typing are well known among computing and IT personnel. Second, there are plenty of type-checking algorithms and tools available to be adopted for use in SOA.

We define a type to be a mapping of a type-name to a set of values. More formally, we define a security type to be the following.

- Let STN be security-type-names.
- Let V be a set of values.
- A security type, ST, is a mapping STN -> V.

There may be different security types. For example, one may define a security type based on the Common Criteria defined in the international standard ISO/IEC 15408 for computer security. In this case, one may define a security type, named STCC, to map into the 11 values representing the 11 Common Criteria, or STCC -> {Common Criteria}. Clearly, the value set, V, plays a key role in defining the security type. A different definition of V will essentially provide a different security type, thus a different denotation of security type.

Here, for illustration purposes, we will propose a relatively simplified security type called SST. The value set for SST is defined as SV = {null, identified, authenticated, registered}. SST, for example, may be viewed as a security typing that denotes the traceability of an entity. An entity participating in the SOA paradigm may be required to represent this security attribute of traceability by an agreed variable name, x, of SST type. Thus the security attribute represented by a variable x of type SST may be shown as follows:

    SST: x -> SV

It is easily recognizable that SST is just a typical enumerated type. However, the values of SV may carry further semantics. The terms listed in the set SV require further clarification. The set SV has been “declared” as {null, identified, authenticated, registered}, but we need to “define” this set. The value set, SV, will be defined as follows.

- A software or service may be null, meaning we know nothing about it.
- It may be identified, meaning its owner is established.
- It may be authenticated, meaning the identified owner is ascertained to be who he/she says he/she is.
- It may be registered, meaning the authenticated owner has successfully registered the software or service within the business paradigm.

Perhaps, to illustrate the difference between declaration of SST and definition of SST, it may be prudent to use different syntax to show the SV declaration and SV definition. One may use braces, {null, identified, authenticated, registered}, for declaration and angle brackets, <null, identified, authenticated, registered>, to stand for SV definition.

We will not discuss how identification, authentication or registration is actually implemented in the SOA, but assume that they are enforced by the security mechanisms provided by the SOA infrastructure. The important point here is that a security type needs not only to be declared but must also be defined. With the above definition of SV, we force SST to be a mathematical function. That is, a security variable, y, that is authenticated could be mapped into identified and/or authenticated; but since authenticated subsumes identified here, we have

    SST(y) = authenticated

Note that SV = <null, identified, authenticated, registered> is an ordered set where the elements are defined in such a manner that there is a “subsume” relation. Thus from metric theory [4], we know that the value set, SV, is beyond the nominal level and is at least at the ordinal level. That is, the following ordinal relationship holds for SV.

    null < identified < authenticated < registered

Note that one may argue that the “subsume” relation is a partial ordering rather than the total ordering portrayed here. A deeper discussion and definition of the set SV is needed. We will not engage in that direction in this paper, except to comment that here we view “<” as a binary relation defined on SV. If we interpret each value of SV as a set, we would have a subset relationship among the members of SV. For instance, registered is a proper subset of authenticated, authenticated is a proper subset of identified, and identified is a proper subset of null. Thus we are quite restrictive in our view of the “subsume” relation.

A service or a piece of software in an SOA paradigm may assign a variable, y, to type SST. This variable y may be embedded as part of a negotiation or orchestration of SOA. Clearly, SST is just an example, and other more sophisticated security types may be declared and defined. The important point is that declaration of a security type is often not enough; the definition part gives it the semantics and plays a more vital role.

With the security type declaration and definition, we then have two very vital elements for security within SOA. The first is Type Equivalence. Type Equivalence addresses the rules for determining whether two typed values are the same. A security variable, z, with its assigned value, alone is not enough. Service A may express itself as one with security value “authenticated,” and a Service B may also express itself as one with security value “authenticated.” This is not a problem when we are processing within a well defined, single security type. However, unless both services A and B used the same security type, such as SST, these values may mean something totally different.
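The declaration/definition distinction and the Type Equivalence problem just described (two services both advertising “authenticated”), as an added Python example that is not part of the paper. SST is modelled with the declared set and the ordered definition given above; STX is a hypothetical second security type constructed here that reuses the word “authenticated” at a different position in its ordering. The names SecurityType, SecurityValue, same_security and demo are assumptions of this example.

```python
"""Security types as declared value sets vs. defined (ordered) value sets.

Added example, not code from the paper. Models the paper's SST type plus a
constructed second type, STX, to show why a bare value such as "authenticated"
is not comparable across types (Type Equivalence).
"""
from dataclasses import dataclass
from typing import Tuple


class SecurityTypeError(TypeError):
    """Raised when values of non-equivalent security types are mixed."""


@dataclass(frozen=True)
class SecurityType:
    # A type is a mapping of a type-name to a set of values (STN -> V).
    name: str
    # Declaration: the bare set of admissible value names (the paper's {...}).
    declared: frozenset
    # Definition: the same names in "subsume" order, weakest first (the paper's <...>).
    defined: Tuple[str, ...]

    def __post_init__(self):
        # A definition must cover exactly the declared names, each once.
        if set(self.defined) != set(self.declared) or len(self.defined) != len(self.declared):
            raise ValueError(f"definition of {self.name} does not match its declaration")

    def is_equivalent(self, other: "SecurityType") -> bool:
        # Structural equivalence: the same ordered definition, not merely the same words.
        return self.defined == other.defined

    def less_than(self, a: str, b: str) -> bool:
        # "<" is the binary relation induced by the definition order.
        for v in (a, b):
            if v not in self.declared:
                raise SecurityTypeError(f"{v!r} is not a value of {self.name}")
        return self.defined.index(a) < self.defined.index(b)

    def subsumes(self, a: str, b: str) -> bool:
        # a subsumes b when a is at least as strong as b in the order.
        return not self.less_than(a, b)


@dataclass(frozen=True)
class SecurityValue:
    """A value tagged with the type it belongs to, as a service would advertise it."""
    stype: SecurityType
    value: str

    def __post_init__(self):
        if self.value not in self.stype.declared:
            raise SecurityTypeError(f"{self.value!r} is not a value of {self.stype.name}")


def same_security(x: SecurityValue, y: SecurityValue) -> bool:
    """Compare two advertised values only after checking their types are equivalent."""
    if not x.stype.is_equivalent(y.stype):
        raise SecurityTypeError(f"{x.stype.name} and {y.stype.name} are not equivalent types")
    return x.value == y.value


# The paper's SST: declared as a set, defined as the ordered value set SV.
SST = SecurityType(
    name="SST",
    declared=frozenset({"null", "identified", "authenticated", "registered"}),
    defined=("null", "identified", "authenticated", "registered"),
)

# Hypothetical second type (constructed for this example): the same word
# "authenticated", but here it is weaker than "identified".
STX = SecurityType(
    name="STX",
    declared=frozenset({"null", "authenticated", "identified", "registered"}),
    defined=("null", "authenticated", "identified", "registered"),
)


def demo() -> dict:
    service_a = SecurityValue(SST, "authenticated")
    service_b = SecurityValue(SST, "authenticated")
    service_c = SecurityValue(STX, "authenticated")
    result = {
        "a_equals_b": same_security(service_a, service_b),
        "sst_order_ok": SST.less_than("null", "identified") and SST.less_than("identified", "authenticated"),
        "auth_subsumes_identified_in_sst": SST.subsumes("authenticated", "identified"),
        "auth_subsumes_identified_in_stx": STX.subsumes("authenticated", "identified"),
    }
    try:
        same_security(service_a, service_c)
        result["a_vs_c"] = "compared"
    except SecurityTypeError:
        result["a_vs_c"] = "rejected: non-equivalent types"
    return result


if __name__ == "__main__":
    print(demo())
```

The point the code makes is that the same word “authenticated” subsumes “identified” under SST but not under STX, so a comparison of the two services' values is only allowed once the types themselves are found equivalent.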
Thus Type Equivalence must be considered when we are faced with multiple security types in heterogeneous domains of SOA.

The second is Type Compatibility. This is the case where the two security types may be declared and defined to be different, but it is still possible to determine if the value of a type may be used in a meaningful way within a certain context. Consider the business situation where there are multiple industry domains, each with its own security type. It is possible that these different security types are compatible if the types are defined with value sets that are proper subsets with the same internal semantics, which provides the same ordering. We may define certain type casts to be valid and others not.

For example, we may define an SST’ security type by defining SV’ = <null, identified, authenticated>, which is a proper subset of SV. Then consider a variable, x, of type SST and a variable, y, of type SST’. The casting of x to y, which is like a “downward” cast, such as the following pseudo-code, should be allowed, with care, because SV’ is a subset of SV.

    y := (SST’) x

In general, we would still admonish against such casting. The reverse, perhaps, should not be allowed. If one chooses to allow “upward” casting, then the rule must be very carefully considered. Type Compatibility is a vital issue that needs to be explicitly articulated.

Even if the value sets are defined with the same number of elements with “syntactically similar” terms, we still need to be wary of the semantics of the elements of the value set. Thus, for a service and/or software to operate within an SOA paradigm in multiple industry domains, we need to determine if the security types are compatible and if type coercion [3] is allowed.

While it may be interesting to consider polymorphism, for security typing it is most likely not a good idea to have a service or software be polymorphic across different security types until a business situation arises that demands such a scenario.

UNARY OPERATIONS WITH SECURITY TYPED VARIABLES

A security type, such as SST, which is defined with enumerated values forming an ordered metric, also allows us to further expand the definition. Variables x and y may be declared and assigned a value as follows:

    (declaration) SST y, x
    (assignment)  y := authenticated

With such a declaration and assignment, several operations may be meaningful for security variables x and y. These include unary operators such as “upgrade,” “downgrade,” “least” and “most.”

First, define a label function for the variables of SST type such that it maps <null, identified, authenticated, registered> to the numeric set {0, 1, 2, 3}, respectively. Then label(x) = 0 if x has the SV value of null, label(x) = 1 if x has the SV value of identified, etc. The operator rules are as follows.

- least(y) sets label(y) = 0.
- most(y) sets label(y) = 3.
- downgrade(y) = least(y), if label(y) = 0; otherwise set label(y) = label(y) - 1.
- upgrade(y) = most(y), if label(y) = 3; otherwise set label(y) = label(y) + 1.

With this definition, upgrade(upgrade(y)) sets label(y) = label(y) + 2. Note that if label(y) + 2 > 3, then y is, by definition, set to most(y). Successive downgrade operations are defined in a similar manner, but in reverse, with a lower bound of label(y) = 0.

One may also consider binary operators. One obvious one is the assignment operator, := (x, y), which we have already utilized above.

The value assignment of the security typed variable and the operations on the security variable may carry an even deeper meaning. For example, assigning two SST security variables, x and y, expressed as follows, may carry different meanings.

    x := upgrade(y)

In its simplest form, one may interpret this as just “improving” the security value of y and assigning the result as the value of the security variable x. At a level where x and y may be declared to be SST type but SST is a type declaration for an Object instead of just data, our definition of assignment needs to be expanded further. We will also note that much more discussion is needed on the earlier mentioned unary cast operator, but in the interest of space that discussion will be the subject of a future paper.

BINARY OPERATIONS AND MEASUREMENT PROBLEMS

Earlier we considered Type Equivalence and Type Compatibility. For binary operators, we need to include the concept of Type Inference. Type Inference addresses the issue of determining the type of some expression based on the types of its constituents. We show the problem of Type Inference from this traditional view with the abuse of the security type in a FOR loop example. More interestingly, however, we show a kind of type inference problem through binary operations used as measurement. Also, note that the “label” function defined above provides us with a measurement of “degree-of-security” or “degree-of-traceability” within the SST type. One may interpret the label function as a measurement of 0, 1, 2, and 3 degrees of security. We will see that while the binary operations may seem to make algebraic sense, once the measurement of degree-of-security is included in the interpretations, there is grave danger of potential misinterpretation.
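An added Python example, not the paper's code, that serves both the unary operators defined above and the binary operators max, diff and ratio that the paper analyzes in this section. It implements the label function and least/most/upgrade/downgrade exactly as the rules above state them, then checks which statements built from the binary operators keep their truth value under a second, constructed labelling ALT_LABEL that preserves the SV order but not its spacing. That invariance under an order-preserving relabelling is the admissibility criterion for statements about an ordinal scale in measurement theory [4]; the function names, ALT_LABEL and the meaningful() check are assumptions of this example.

```python
"""Unary and binary operators on SST values, plus a measurement-scale check.

Added example, not code from the paper. The label function and the unary
operators follow the paper's rules; max, diff and ratio follow the binary
operator definitions the paper discusses; meaningful() tests whether a
statement survives an order-preserving relabelling of the ordinal scale.
"""
from typing import Callable, Dict, Tuple

SV: Tuple[str, ...] = ("null", "identified", "authenticated", "registered")
LABEL: Dict[str, int] = {v: i for i, v in enumerate(SV)}   # null->0 ... registered->3


def label(x: str) -> int:
    return LABEL[x]


def least(x: str) -> str:            # sets label to 0
    return SV[0]


def most(x: str) -> str:             # sets label to 3
    return SV[-1]


def downgrade(x: str) -> str:        # least(x) if already at 0, else one step down
    return least(x) if label(x) == 0 else SV[label(x) - 1]


def upgrade(x: str) -> str:          # most(x) if already at 3, else one step up
    return most(x) if label(x) == 3 else SV[label(x) + 1]


def sst_max(x: str, y: str) -> str:  # x if label(x) > label(y), otherwise y
    return x if label(x) > label(y) else y


def diff(x: str, y: str) -> int:     # | label(x) - label(y) |
    return abs(label(x) - label(y))


def ratio(x: str, y: str) -> float:  # label(x) / label(y); undefined when y is null
    return label(x) / label(y)


# A second labelling that preserves the SV order but not its spacing. Constructed
# for this example: any strictly increasing relabelling is admissible for an
# ordinal scale, so a statement is only meaningful if it holds under all of them.
ALT_LABEL: Dict[str, int] = {"null": 0, "identified": 1, "authenticated": 5, "registered": 6}


def meaningful(stmt: Callable[[Dict[str, int]], bool]) -> bool:
    """True when the statement's truth value is the same under both labellings."""
    return stmt(LABEL) == stmt(ALT_LABEL)


def scale_checks() -> Dict[str, bool]:
    """Apply the paper's x := null, y := identified, z := authenticated scenario."""
    x, y, z = "null", "identified", "authenticated"
    return {
        # max picks the same element under any order-preserving labelling.
        "max_is_meaningful": meaningful(
            lambda lb: (z if lb[z] > lb[y] else y) == "authenticated"),
        # diff(x,y) == diff(y,z) is 1 == 1 under LABEL but 1 vs 4 under ALT_LABEL.
        "diff_equality_is_meaningful": meaningful(
            lambda lb: abs(lb[x] - lb[y]) == abs(lb[y] - lb[z])),
        # ratio(registered, identified) == 3 holds under LABEL only (6/1 under ALT_LABEL).
        "ratio_is_meaningful": meaningful(
            lambda lb: lb["registered"] / lb["identified"] == 3),
    }


if __name__ == "__main__":
    y = "authenticated"
    print(upgrade(upgrade(y)), downgrade(least(y)), sst_max("null", y), diff("null", "identified"))
    print(scale_checks())
```

Only max survives the relabelling; the equality of two diff results and the value of ratio both change, which is the paper's point that the label function yields an ordinal metric and reading it as interval or ratio data is a misinterpretation.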
First, consider the binary operator max(x, y), which is defined as follows.

    max(x, y) = x, if label(x) > label(y);
              = y, otherwise

This binary operation looks innocuous, with the interpretation that the max operator results in the security variable with the higher degree-of-security measurement, thus allowing us to pick the entity with the higher SST type variable.

Now, consider a more interesting binary operator, the difference operator, diff(x, y), which is defined as follows.

    diff(x, y) = | label(x) – label(y) |

Diff is the absolute value of the difference between the label of x and the label of y. Earlier, we stated that for the SST type, SV values form an ordered set of values. With the “label” function, we appear to have further extended the measurement from the ordinal scale to the next level, the interval scale. The reason why the term “appear” is used will become apparent. If diff(x, y) = 2, it would mean that the security attributes as defined by SST type for the security variables x and y are two degrees-of-security apart according to the label function. The semantics of two degrees is not clearly defined here because of the following problem. Consider:

    SST x, y, z;
    x := null;
    y := identified;
    z := authenticated

Then diff(x, y) = 1 = diff(y, z). This only means that the difference in degree-of-security is the same. But the real magnitude of the difference is not necessarily the same, even though both yielded the number 1. That is, the difference between null and identified is not necessarily the same as the difference between identified and authenticated. Although we have extended the measurement with the “label” function into the interval scale, it is really a misinterpretation. For the same reasoning from metric theory, defining a binary operator, ratio(x, y), such as the following would be dangerous.

    ratio(x, y) = label(x) / label(y)

Suppose label(x) = 3 and label(y) = 1. Then the ratio operator would say that the degree-of-security for x is 3/1, or 3 times that of the degree-of-security of y. This is obviously a misinterpretation of the measurement because, while registered is more secure, it is not necessarily three times as secure as identified. One needs to be extremely careful in the definition of operators for security variables and in extending their interpretation to some metric. The basic definition of the security type must be well understood first. Then the measurement function must be used within the context of the measurement scale. We showed how one can, from an ordinal security type SST and using the “label” function, develop an ordinal scaled metric such as the “degree of security.” However, certain binary operation definitions may lead one to dramatically erroneous interpretations of that metric.

Another area of danger is the overloading of typing. In an SOA paradigm, software with most(y) or a service with least(x) may be requested. This is meaningful because SST is defined, and both x and y are security attributes declared as SST type. However, security typed variables should not be loosely used or abused. It may be tempting, but a security typed variable should not be used as an iteration counter. That is, the form of iteration represented by the following pseudo-code should not be allowed.

    for (SST y := null; y < most(y); upgrade(y))

This example illustrates the need for some strong type checking for security typing. The exact rules for type checking have yet to be defined as we gain experience in using security typing in software and services.

SECURITY TYPING FOR OBJECTS IN SOA ENVIRONMENT

In this section we show how the notion of security typed variables may be extended to security typed Objects. We will take some liberty with the syntax and stay at the conceptual level. This is one way to extend the concept, not necessarily the only way. An object may be of a certain type. For example, an object X may be of Class type Webserv in an SOA environment. Then what does it mean to say this Class, Webserv, is also security typed? Assume the same, previous SST security type definition; we define Webserv to be SST security typed as follows:

- Webserv includes an attribute y of type SST.
- Webserv includes a set of operational methods.
- The Constructor of Webserv Objects initializes the attribute y to one of the values of SV.

Most of the concepts of unary and binary operators carry over and may be applied as the methods that need to be implemented for the SST typed Webserv Class. However, the concepts of Type Equivalence, Type Compatibility, and Type Inference need to be re-examined. The notion of Type Equivalence for security typed variables was discussed earlier, and for security typed Objects this concept does not differ much from security variables. Similarly, Type Compatibility also extends well with possibly minor modification.

The third notion, Type Inference, also carries over rather naturally. Assigning an SST typed variable a different value from the same set SV is viewed simply as either “increasing” or “decreasing” the value of the security attribute y. In the case of security typed Objects, the assignment of one security typed object to another of the same type, such as SST, could mean more than just adding to or subtracting from the value of the security variable y. The rules for Type Inference will depend on how the operational methods are defined. For example, the statement x := successor(y), which
was discussed earlier and made sense for security typed variables, now needs a slightly object oriented perspective. If these were Objects X and Y, then “Object X is a successor of Object Y” would mean that the appropriate method in Object Y is executed and the security attribute y is increased to the next value of SV. We use the term “appropriate method” to purposely leave the definition of the method open ended. Consider the following pseudo statements.

    public class Webserv {
        define the security attribute y
        define the methods for operators
    }

    public class Dosomething {
        ---
        Webserv X := new Webserv(identified)
        Webserv Z := new Webserv(null)
        Z := Webserv.successor(X)
        ---
    }

In this simple example, the assignment operator must operate as object assignment. The “new” operator is the constructor operator, which initializes the object to the appropriate “degree-of-security,” and the “successor” method is a method defined in Webserv that increases the “degree-of-security.” Thus the objects of the same security typed Webserv class may operate within the same domain of interest. For SOA, there are many different services offered by multiple enterprises for multiple purposes and with multiple security typings. Thus, through WSDL, one will need to tag these Objects with a security typing note for consumption in the SOA environment. Clearly, we need to address the issue of Classes with different security types and their operational characteristics. That would be a topic for a future paper.

Conclusion and Discussion

We have proposed security typing as a mechanism to describe the security attribute for software and for services that may be used in an environment such as SOA. The notions of Type Equivalence, Type Compatibility and Type Inference were explored. Also, the significance of metric theory was shown via the definition of the value set, V. There is clearly more to be expanded on, both at the theoretical and the application level. It is our intent to first apply this concept of security typing and model its usage in a heterogeneous business domain environment. This allows us to further understand how different security types with different value sets would interplay. We then plan to revisit the theoretical underpinnings of security typing and improve on what we have before embarking on future tasks such as defining a new security-type based language for security management.

Many other topics in this area deserve further research. First, security typing may be application dependent. Different programming languages have different typing systems. A typing system defines how a programming language classifies values and how it can manipulate those types. We need to classify the various services in SOA into well-sorted categories of services. Second, the semantics of security typing deserves more attention. Typing is a way of abstraction as well as a way to provide meaning to a collection of raw data. For SOA services, we need to investigate appropriate security typing systems for each class of services. Third, traditional type-checking has been implemented at compile time or run time. For SOA, security type checking requires well-defined typing rules and an enforcement mechanism. Automated tools would be essential to apply security typing theory and models in practice. Finally, strongly security-typed SOA services would secure SOA applications at the service request level as well as at the SOA package level. We would like to see an SOA application considered secure if all the services involved are “type-safe.” The security typing operators should help guarantee that the overall system is indeed secure, through the right typing operators to bridge a highly fragmented set of authentication and authorization services, databases, and other administrative services in an SOA system.

REFERENCES

[1] Bandhakavi, S., Winsborough, W., and Winslett, M., “A Trust Management Approach for Flexible Policy Management in Security-Typed Languages,” Proceedings of the 21st IEEE Computer Security Foundations Symposium, June 23-25, 2008, pp. 33-47.
[2] Bruce, K.M., Foundations of Object-Oriented Languages: Types and Semantics, MIT Press, 2002.
[3] Cardelli, L. and Wegner, P., “On Understanding Types, Data Abstraction, and Polymorphism,” ACM Computing Surveys, vol. 17, no. 4, December 1985, pp. 471-522.
[4] Fenton, N.E. and Pfleeger, S.L., Software Metrics: A Rigorous and Practical Approach, 2nd Edition, PWS Publishing Company, 1997.
[5] Finin, T., Joshi, A., Kagal, L., Niu, J., Sandhu, R., Winsborough, W., Thuraisingham, B., “ROWLBAC: Representing Role Based Access Control in OWL,” Proceedings of the Symposium on Access Control Models and Technologies (SACMAT 08), Colorado, USA, June 11-13, 2008.
[6] Glass, R., “SOA Essentials,” DoD SoftwareTech News, vol. 11, no. 1, June 2008.
[7] Li, N. and Mitchell, J.C., “RT: A Role-based Trust-management Framework,” Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX III), Washington D.C., USA, April 2003.
[8] Benson, M., et al., Secrets of SOA: An Enterprise View on Service Oriented Architecture Deployment Revealed, Larstan Publishing Inc., 2006.
[9] Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E., “Role-Based Access Control Models,” IEEE Computer 29(2), February 1996, pp. 38-47.
[10] Scott, M.L., Programming Language Pragmatics, Morgan Kaufmann Publishers, 2000.
[11] Swamy, N., Hicks, M., Tse, S., and Zdancewic, S., “Managing Policy Updates in Security-Typed Languages,” Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW06), July 2006.
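The Webserv class and the Dosomething pseudo statements sketched in the section on security typing for objects, as an added Python example that is not the paper's code. Webserv carries an SST-typed attribute y, its constructor initializes y to one of the values of SV, and successor() is the “appropriate method” that yields a Webserv whose y is the next value of SV (registered stays registered, as with most()). The method names successor and assign_from, the security_type field and the constructed SST_prime tag are assumptions of this example; object assignment across different security types is rejected, following the strict reading of Type Equivalence the paper recommends.

```python
"""Security-typed objects: the paper's Webserv sketch in runnable form.

Added example, not code from the paper. Names successor, assign_from and
security_type are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Tuple

SV: Tuple[str, ...] = ("null", "identified", "authenticated", "registered")


@dataclass(frozen=True)
class Webserv:
    # The SST-typed security attribute of the service object.
    y: str
    # Name of the security type the attribute belongs to (SST in the paper).
    security_type: str = "SST"

    def __post_init__(self):
        # The constructor may only initialize y to one of the values of SV.
        if self.y not in SV:
            raise TypeError(f"{self.y!r} is not a value of {self.security_type}")

    def label(self) -> int:
        return SV.index(self.y)

    def successor(self) -> "Webserv":
        # Increase degree-of-security by one step; the top value is its own successor.
        nxt = SV[min(self.label() + 1, len(SV) - 1)]
        return Webserv(nxt, self.security_type)

    def assign_from(self, other: "Webserv") -> "Webserv":
        # Object assignment is only valid between objects of the same security type.
        if other.security_type != self.security_type:
            raise TypeError(f"cannot assign {other.security_type} object to {self.security_type} object")
        return Webserv(other.y, self.security_type)


def dosomething() -> Tuple[str, str, str]:
    """The paper's Dosomething statements: X identified, Z null, Z := successor(X)."""
    X = Webserv("identified")
    Z = Webserv("null")
    Z = Z.assign_from(X.successor())
    # Two further successor steps from authenticated saturate at registered.
    return X.y, Z.y, Z.successor().successor().y


def cross_type_assignment_rejected() -> bool:
    """Assigning from an object of another security type must fail the type check."""
    other = Webserv("identified", security_type="SST_prime")  # constructed tag, not from the paper
    try:
        Webserv("null").assign_from(other)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(dosomething(), cross_type_assignment_rejected())
```

Because the objects are immutable, successor() and assign_from() return a new Webserv rather than mutating the receiver, which keeps every y value traceable to the constructor or to one of the defined operator methods.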
