A Security Meta-Language for SOAP Messaging


ROBERT BAIRD
ROSE GAMBLE

Abstract

Due to the increasing availability of competing service providers and the decreasing costs of moving services online, recent trends in information systems development direct focus towards leveraging complex distributed system interconnections. To that end, service-oriented architectures and web services have become commonplace in business and government application development because they facilitate rapid development and deployment through the use of standards that document interfaces and message exchanges. However, the hierarchically related standards have complex documented interconnections and dependencies. The configuration of the services and the messages they exchange must adhere to the mandates established in these documents, yet the guidance offered by each specification is often too expansive for software developers to understand without assistance. Incorrect configurations can lead to messaging configurations that result in software vulnerabilities, system unavailability, service disruption, and ultimately loss of protected information. In this paper, we devise a Security Meta Language for secure web service communication based on a dynamic modeling framework. The framework models expert knowledge gathered from the intensive analysis of message protection protocols specified in web service standards. We outline a process to create and modify secure messaging directives through a case study investigating X.509 PKI tokens and digital signatures for SOAP communication.


How to Cite
ROBERT BAIRD, & ROSE GAMBLE. (2014). A Security Meta-Language for SOAP Messaging. International Journal of Next-Generation Computing, 5(3), 249–273. https://doi.org/10.47164/ijngc.v5i3.68
