Security Evaluation of Service-oriented Systems with an Extensible Knowledge Base

2011 Sixth International Conference on Availability, Reliability and Security Pub Date : 2011-08-22 DOI:10.1109/ARES.2011.109

Christian Jung, M. Rudolph, R. Schwarz

{"title":"Security Evaluation of Service-oriented Systems with an Extensible Knowledge Base","authors":"Christian Jung, M. Rudolph, R. Schwarz","doi":"10.1109/ARES.2011.109","DOIUrl":null,"url":null,"abstract":"Service-oriented software architectures promise enhanced interoperability, reusability, and flexibility for the implementation of business processes. However, assuring the quality of SOA software is challenging due to the distributed, inhomogeneous, and often non-transparent nature of service building blocks. Especially security, which is an overarching quality concern of a system, poses a hard problem for quality assurance in a SOA context. We have developed SiSOA, a method for static security analysis of SOA systems based on reverse-engineering techniques to recover the software architecture and to extract security-related information from available system artifacts. In SiSOA, the extraction and aggregation of security facts is controlled by security rules stored in an extensible knowledge base. In this paper, we describe the structure of the SiSOA knowledge base, its underlying principles, and its role within the SiSOA methodology. We briefly survey our SiSOA prototype tool, and we illustrate the application of knowledge base rules with exemplary security scenarios.","PeriodicalId":254443,"journal":{"name":"2011 Sixth International Conference on Availability, Reliability and Security","volume":"160 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-08-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 Sixth International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2011.109","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

Service-oriented software architectures promise enhanced interoperability, reusability, and flexibility for the implementation of business processes. However, assuring the quality of SOA software is challenging due to the distributed, inhomogeneous, and often non-transparent nature of service building blocks. Especially security, which is an overarching quality concern of a system, poses a hard problem for quality assurance in a SOA context. We have developed SiSOA, a method for static security analysis of SOA systems based on reverse-engineering techniques to recover the software architecture and to extract security-related information from available system artifacts. In SiSOA, the extraction and aggregation of security facts is controlled by security rules stored in an extensible knowledge base. In this paper, we describe the structure of the SiSOA knowledge base, its underlying principles, and its role within the SiSOA methodology. We briefly survey our SiSOA prototype tool, and we illustrate the application of knowledge base rules with exemplary security scenarios.

查看原文本刊更多论文

基于可扩展知识库的面向服务系统安全评估

面向服务的软件体系结构承诺增强业务流程实现的互操作性、可重用性和灵活性。然而，由于服务构建块的分布式、非同构和通常不透明的特性，保证SOA软件的质量是具有挑战性的。特别是安全性，它是系统的首要质量关注点，在SOA上下文中对质量保证提出了一个难题。我们开发了SiSOA，这是一种基于逆向工程技术的SOA系统静态安全分析方法，用于恢复软件体系结构并从可用的系统工件中提取与安全相关的信息。在SiSOA中，安全事实的提取和聚合由存储在可扩展知识库中的安全规则控制。在本文中，我们描述了SiSOA知识库的结构，它的基本原则，以及它在SiSOA方法中的作用。我们简要介绍了我们的SiSOA原型工具，并通过示例性的安全场景说明了知识库规则的应用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2011 Sixth International Conference on Availability, Reliability and Security

自引率

0.00%

发文量