Verifying policy-based web services security

ACM Transactions on Programming Languages and Systems

Volumn 30, Issue 6, 2008, Pages

  Bhargavan, Karthikeyan ^a   Fournet, Cédric ^a   Gordon, Andrew D ^a  

^a MICROSOFT RESEARCH   (United Kingdom)

Author keywords

Pi calculus; Web services; XML security

Indexed keywords

CALCULATIONS; FORMAL METHODS; SEMANTICS; SPECIFICATIONS; TELECOMMUNICATION SERVICES; WEBSITES;

ABSTRACT LANGUAGES; CRYPTOGRAPHIC PROTOCOLS; DECLARATIVE LANGUAGES; PI CALCULUS; SECURITY THEOREM; WEB SERVICES SECURITY; WS-SECURITYPOLICY; XML SECURITY;

WEB SERVICES;

EID: 56349105161     PISSN: 01640925     EISSN: 15584593     Source Type: Journal    
DOI: 10.1145/1391956.1391957     Document Type: Article

References (41)

1. ABADI, M. ANDFOURNET, C. 2001. Mobile values, new names, and secure communication. In Proceedings of the 28th ACM Symposium on Principles of Programming Languages (POPL01). ACM, New York, 104-115.
2. ALLAMIGEON, X. ANDBLANCHET, B. 2005. Reconstruction of attacks against cryptographic protocols. In Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW-18) (Aix-enProvence, France). IEEE Computer Society Press, Los Alamitos, CA, 140-154.
3. BHAROAVAN, K., CORIN, R., FOURNET, C., ANDGORDON, A. D. 2006a. Secure sessions for web services. ACM Trans. Inform. Syst. Secu. (TISSEC) 10, 8 (May).
4. BHARGAVAN, K., FOURNET, C., ANDGORDON, A. D. 2005a. A semantics for web services authentication. Theor. Comput. Sci. 340, 1 (June), 102-153. (See also Microsoft Research Technical Report MSR-TR-2003-83).
5. BHARGAVAN, K., FOURNET, C., ANDG ORDON, A. D. 2005b. Verifying policy-based security for web services. Tech. Rep. MSR-TR-2004-84, Microsoft Research. Nov.
6. BHARGAVAN, K., FOURNET, C., ANDGORDON, A. D. 2006b. Policy advisor for WSE 3.0. In Web Service Security: Scenarios, patterns, and implementation guidance for Web Services Enhancements (WSE) 3.0. Microsoft Press, 324-330.
7. BHARGAVAN, K., FOURNET, C., ANDGORDON, A. D. 2006C. Verified reference implementations of WS-Security protocols. In Proceedings of the 3rd International Workshop on Web Services and Formal Methods (WS-FM 2006). Lecture Notes in Computer Science, vol. 4184. Springer-Verlag, New York, 88-106.
8. BHARGAVAN, K., FOURNET, C., GORDON, A. D., ANDO'SHEA, G. 2005C. An advisor for web services security policies. In Proceedings of the 2005 ACM Workshop on Secure Web Services (SWS). 1-9. Tool download available from http://Securing.WS.
9. BHARGAVAN, K., FOURNET, C., GORDON, A. D., ANDPUCELLA, R. 2004. TulaFale: A security tool for web services. In Proceedings of the International Symposium on Formal Methods for Components and Objects (FMCO'03). Lecture Notes in Computer Science, vol. 3188. Springer-Verlag, New York, 197-222. Tool download available from http://Securing.WS.
10. BHARGAVAN, K., FOURNET, C., GORDON, A. D., ANDSWAMY, N. 2008. Verified implementations of the Information Card federated identity-management protocol. In Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS'08). ACM, New York, 123-135.
11. BHARGAVAN, K., FOURNET, C., GORDON, A. D., ANDTSE, S. 2006d. Verified interoperable implementations of security protocols. In Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06). IEEE Computer Society Press, Los Alamitos, CA, 139-152.
12. BLANCHET, B. 2001. An efficient cryptographic protocol verifier based on Prolog rules. In Proceedings of the 14th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos, CA, 82-96.
13. BLANCHET, B. 2002. From secrecy to authenticity in security protocols. In Proceedings of the 9th International Static Analysis Symposium, (SAS'02). Lecture Notes in Computer Science, vol. 2477. Springer-Verlag, New York, 342-359.
14. BLANCHET, B., ABADI, M., ANDFOURNET, C. 2005. Automated verification of selected equivalences for security protocols. In Proceedings of the 20th IEEE Symposium on Logic in Computer Science (LICS 2005) (Chicago, IL). IEEE Computer Society Press, Los Alamitos, CA, 331-340.
15. BOX, D., CHRISTENSEN, E., CURBERA, F., FERGUSON, D., FREY, J., HADLEY, M., KALER, C., LANGWORTHY, D., LEYMANN, F., LOVERING, B., LUCCO, S., MILLET, S., MUKHI, N., NOTTINGHAM, M., ORCHARD, D., SHEWCHUK, J., SINDAMBIWE, E., STOREY, T., WEERAWARANA, S., ANDWINKLER, S. 2004. Web Services Addressing (WS-Addressing). W3C Submission.
16. BOX, D., CURBERA, F., HONDO, M., KALER, C., LANGWORTHY, D., NADALIN, A., NAGARATNAM, N., NOTTINGHAM, M., VON RIEGEN, C., ANDSHEWCHUK, J. 2003a. Web services policy framework (WS-Policy).
17. BOX, D., HONDO, M., KALER, C., MARUYAMA, H., NADALIN, A., NAGARATNAM, N., PATRICK, P., VON RIEGEN, C., ANDSHEWCHUK, J. 2003b. Web services policy assertions language (WS-PolicyAssertions).
18. DELLA-LIBERA, G., HALLAM-BAKER, P., HONDO, M., JANCZUK, T., KALER, C., MARUYAMA, H., NAGARATNAM, N., NASH, A., PHILPOTT, R., PRAFULLCHANDRA, H., SHEWCHUK, J., WAINGOLD, E., ANDZOLFONOON, R. 2002. Web services security policy language (WS-SecurityPolicy). Version 1.0.
19. DIERKS, T. ANDRESCORLA, E. 2006. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force Proposed Standard.
20. DOLEV, D. ANDYAO, A. 1983. On the security of public key protocols. IEEE Trans. Inform. Theory IT-29, 2, 198-208.
21. EASTLAKE, D., REAGLE, J., IMAMURA, T., DILLAWAY, B., ANDSIMON, E. 2002a. XML Encryption Syntax and Processing. W3C Recommendation.
22. EASTLAKE, D., REAGLE, J., SOLO, D., BARTEL, M., BOYER, J., FOX, B., LAMACCHIA, B., ANDSIMON, E. 2002b. XML-Signature Syntax and Processing. W3C Recommendation.
23. GORDON, A. D. ANDJEFFREY, A. 2003. Authenticity by typing for security protocols. J. Comput. Secur. 11, 4, 451-521.
24. GORDON, A. D. ANDPUCELLA, R. 2005. Validating a web service security abstraction by typing. Formal Aspects of Comput. 17, 277-318.
25. GUTTMAN, J. D. ANDHERZOG, A. L. 2005. Rigorous automated network security management. Int. J. Inform. Secur. 4, 1-2, 29-48.
26. LOWE, G. 2002. Analyzing protocols subject to guessing attacks. In Proceedings of the Workshop on Issues in the Theory of Security (WITS'02). Portland, Oregon.
27. LUKELL, S., VELDMAN, C., ANDHUTCHISON, A. C. M. 2003. Automated attack analysis and code generation in a multi-dimensional security protocol engineering framework. In Proceedings of the Southern African Telecommunication Networks and Applications Conference (SATNAC).
28. MICROSOFT CORPORATION 2004. Web Services Enhancements (WSE) 2.0. Microsoft Corporation.
29. MULLER, F. ANDMILLEN, J. 2001. Cryptographic protocol generation from CAPSL. Tech. Rep. SRICSL-01-07, SRI.
30. NADALIN, A., GRIFFIN, P., KALER, C., HALLAM-BAKER, P., ANDMONZILLO, R. 2004a. Web Services Security: UsernameToken Profile 1.0. OASIS Standard.
31. NADALIN, A., KALER, C., HALLAM-BAKER, P., ANDMONZILLO, R. 2004b. Web Services Security: SOAP Message Security 1.0 (WS-Security 2004). OASIS Standard.
32. NADALIN, A., KALER, C., HALLAM-BAKER, P., ANDMONZILLO, R. 2006. Web Services Security: SOAP Message Security 1.1 (WS-Security 2004). OASIS Standard.
33. NADALIN, A., GOODNER, M., GUDGIN, M., BARBIR, A., ANDGRANQVIST, H. 2007. WS-SecurityPolicy 1.2. OASIS Standard.
34. NEEDHAM, R. ANDSCHROEDER, M. 1978. Using encryption for authentication in large networks of computers. Commun. ACM 21, 12, 993-999.
35. PERRIG, A., SONG, D., ANDPHAN, D. 2001. AGVI - Automatic generation, verification, and implementation of security protocols. In Proceedings of the 13th Conference on Computer Aided Verification (CAV). Lecture Notes in Computer Science. Springer-Verlag, New York, 241-245.
36. POZZA, D., SISTO, R., ANDDURANTE, L. 2004. Spi2Java: automatic cryptographic protocol Java code generation from spi calculus. In Proceedings of the 18th International Conference on Advanced Information Networking and Applications (AINA 2004). Vol. 1. 400-405.
37. TATSUBORI, M., IMAMURA, T., ANDN AKAMURA, Y. 2004. Best practice patterns and tool support for configuring secure web services messaging. In Proceedings of the International Conference on Web Services (ICWS'04). 244-251.
38. W3C. 1999. XML Path Language (XPath) Version 1.0. W3C. W3C Recommendation.
39. W3C. 2003. SOAP Version 1.2. W3C. W3C Recommendation.
40. WOO, T. ANDLAM, S. 1993. A semantic model for authentication protocols. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 178-194.
41. ZHENG, L., CHONG, S., MYERS, A. C., ANDZDANCEWIC, S. 2003. Using replication and partitioning to build secure distributed systems. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 236-250.