An advisor for web services security policies

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2005, Pages 1-9

  Bhargavan, Karthikeyan ^a   Fournet, Cédric ^a   Gordon, Andrew D ^a   O'Shea, Greg ^a  

^a MICROSOFT RESEARCH   (United Kingdom)

Author keywords

Policy Driven Security; Web Services; WS Security; XML Security

Indexed keywords

MICROSOFT; PLUG-INS; POLICY DRIVEN; POLICY-DRIVEN SECURITY; SECURITY VULNERABILITIES; WEB SERVICES SECURITY; XML SECURITY;

MARKUP LANGUAGES; WEB SERVICES; XML;

SECURITY OF DATA;

EID: 77954342153     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1103022.1103024     Document Type: Conference Paper

References (29)

1. M. Backes, B. Pfitzmann, S. Modersheim, and L. Vigano. Symbolic and cryptographic analysis of the secure WS-ReliableMessaging scenario. Unpublished draft, 2005.
2. K. Bhargavan, R. Corin, C. Fournet, and A. D. Gordon. Secure sessions for web services. In 2004 ACM Workshop on Secure Web Services (SWS), pages 11-22, October 2004.
3. K. Bhargavan, C. Fournet, and A. D. Gordon. Verifying policy-based security for web services. In 11th ACM Conference on Computer and Communications Security (CCS'04), pages 268-277, October 2004. (Pubitemid 40338208)
4. K. Bhargavan, C. Fournet, and A. D. Gordon. A semantics for web services authentication. Theoretical Computer Science, 340(1):102-153, June 2005. See also Microsoft Research Technical Report MSR-TR-2003-83.
5. K. Bhargavan, C. Fournet, A. D. Gordon, and R. Pucella. TulaFale: A security tool for web services. In International Symposium on Formal Methods for Components and Objects (FMCO'03), volume 3188 of LNCS, pages 197-222. Springer, 2004. Tool available from http://Securing.WS. (Pubitemid 39749529)
6. B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In Proceedings of the 14th IEEE Computer Security Foundations Workshop, pages 82-96. IEEE Computer Society Press, 2001.
7. D. Box, F. Curbera, et al. Web Services Addressing (WS-Addressing), August 2004. W3C Member Submission, at http://www.w3.org/Submission/ws- addressing/.
8. D. Box, F. Curbera, M. Hondo, C. Kaler, D. Langworthy, A. Nadalin, N. Nagaratnam, M. Nottingham, C. von Riegen, and J. Shewchuk. Web services policy framework (WS-Policy), May 2003. Version 1.1.
9. D. Box, M. Hondo, C. Kaler, H. Maruyama, A. Nadalin, N. Nagaratnam, P. Patrick, C. von Riegen, and J. Shewchuk. Web services policy assertions language (WS-PolicyAssertions), May 2003. Version 1.1.
10. G. Della-Libera, M. Gudgin, P. Hallam-Baker, M. Hondo, H. Granqvist, C. Kaler, H. Maruyama, M. McIntosh, A. Nadalin, N. Nagaratnam, R. Philpott, H. Prafullchandra, J. Shewchuk, D. Walter, and R. Zolfonoon. Web services security policy language (WS-SecurityPolicy), July 2005. Version 1.1.
11. G. Della-Libera, P. Hallam-Baker, M. Hondo, T. Janczuk, C. Kaler, H. Maruyama, A. Nadalin, N. Nagaratnam, A. Nash, R. Philpott, H. Prafullchandra, J. Shewchuk, E. Waingold, and R. Zolfonoon. Web services security policy language (WS-SecurityPolicy), December 2002. Version 1.0.
12. D. Dolev and A.C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, IT-29(2):198-208, 1983.
13. D. Eastlake, J. Reagle, D. Solo, M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon. XML-Signature Syntax and Processing, 2002. W3C Recommendation, at http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/.
14. Foundstone. WSDigger, July 2005. At www.foundstone.com/resources/ proddesc/wsdigger.htm.
15. M. Fowler. Language workbenches: The killer-app for domain specific languages?, 2005. At http://www.martinfowler.com/articles/languageWorkbench. html.
16. A. D. Gordon and R. Pucella. Validating a web service security abstraction by typing. In Proceedings of the 2002 ACM workshop on XML Security, pages 18-29. ACM Press, 2002.
17. J. Hogg, H. de Lahitte, D. Gonzalez, P. Cibraro, P. Coupland, M. Bhao, and P. Slater. Microsoft WS-IBasic Security Profile 1.0 Sample Application. Microsoft Corporation, June 2005. Preview release for the.NET Framework version 1.1.
18. E. Kleiner and A. W. Roscoe. Web services security: A preliminary study using Casper and FDR. In Proceedings of Automated Reasoning for Security Protocol Analysis (ARSPA 04), 2004.
19. Microsoft Corporation. Web Services Enhancements (WSE) 2.0, 2004. At http://msdn.microsoft.com/webservices/building/wse/default.aspx.
20. A. Nadalin, C. Kaler, P. Hallam-Baker, and R. Monzillo. OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004), March 2004. OASIS Standard 200401, at http://docs.oasis-open.org/wss/2004/01/oasis-200401- wss-soap-message-security-1.0.pdf.
21. R.M. Needham and M.D. Schroeder. Using encryption for authentication in large networks ofcomputers. Communications of the ACM, 21(12):993-999, 1978.
22. M. O'Neill. Mapping security to a services oriented architecture, March 2005. CASSIS'05 presentation, at http://www-sop.inria.fr/everest/events/ cassis05/Transp/oneill.ppt
23. J. Scambray and M. Shema. Hacking Web Applications Exposed. McGraw-Hill/Osborne, 2002.
24. F. Swiderski and W. Snyder. Threat Modeling. Microsoft Press, 2004.
25. M. Tatsubori, T. Imamura, and Y. Nakamura. Best practice patterns and tool support for configuring secure web services messaging. In International Conference on Web Services (ICWS'04), pages 244-251, 2004.
26. L. Tobarra, D. Cazorla, F. Cuartero, and G. Diaz. Application of formal methods to the analysis of web services security. In 2nd International Workshop on Web Services and Formal Methods (WS-FM2005), pages 215-229, Sep 2005.
27. J. Udell. Threat modeling, 2004. At http://weblog.infoworld.com/udell/ 2004/05/25.html.
28. W3C. SOAP Version 1.2, 2003. W3C Recommendation, at http://www.w3.org/TR/ soap12.
29. A. Wiesmann, M. Curphey, A. van der Stock, and R. Stirbei, editors. A Guide to Building Secure Web Applications and Web Services. OWASP, 2.0 Black Hat edition, 2005. At http://www.owasp.org.