Security for Distributed E-Service Composition
Stefan Seltzsam, Stephan Börzsönyi, Alfons Kemper
Universität Passau
(Slide transcript)
Outline
- Motivation
- Security Requirements
- Multilevel Security Architecture
- Quality Assurance for External Operators
- Security Measures during Plan Distribution
- Architecture of the Runtime Security System
- Related Work
- Conclusions
Motivation
- Tomorrow's applications
  - No longer based on monolithic architectures
  - Distributed, dynamically extensible
  - Composed from existing software components/services
- ObjectGlobe
  - Internet query processing engine
  - Extensible by mobile, user-defined operators
  - Implemented in Java 2
  - Currently extended to handle general e-services
ObjectGlobe – Providers
- Three kinds of service providers:
  - Data providers
  - Function providers
  - Cycle providers
- A single site can comprise all three services
ObjectGlobe – Query Processing
[Figure: the query processing pipeline – parse/lookup, optimize, plug, execute – with the lookup service consulted during parse/lookup; the query enters the pipeline and the result is returned]
ObjectGlobe – Example Query
- "Find a hotel that is cheap and close to the beach in Nassau, Bahamas"
- User-defined operator "Skyline" to find all relevant hotels [K. Stocker et al.: The Skyline Operator, ICDE 2001]
- Skyline = all hotels for which no other hotel exists that is closer to the beach and cheaper
ObjectGlobe – Example Query
[Figure: query plan – the client (cycle provider) loads the Skyline operator from www.operators.org and applies it to the Hotels data delivered by two wrappers, HotelBookWrapper over www.hotelbook.com and HotelGuideWrapper over www.hotelguide.com]
Security Requirements
- Basic assumptions
  - Trustworthy cycle providers
  - Unmodified code of ObjectGlobe and Java
  - Security system of Java 2 works as designed
- Security concerns of ObjectGlobe
  - Common security concerns of distributed systems
  - Mobile code introduces specific security concerns
Common Security Concerns
- Authentication and authorization
- Anonymity
- Secure communication channels
- Admission control
Concerns by User-Defined Operators
- Protection of cycle providers against
  - Resource monopolization
  - Unauthorized resource access (e.g., file system)
  - Manipulation of ObjectGlobe components
- Users are concerned about
  - semantics of user-defined operators
  - privacy of the processed data
Example attack: resource monopolization

```java
public class Skyline extends IteratorClass {
    public TypeSpec open() throws Exception {
        List l = new LinkedList();
        // never returns: keeps allocating until the cycle provider runs out of memory
        while (true) l.add(new Object());
        ...
    }
    ...
}
```
Example attack (2): wrong semantics

```java
public class Skyline extends IteratorClass {
    private ElementDescriptor currElem = null;
    // FILTER: hidden predicate that silently drops one competitor's tuples
    // before the (otherwise correct) skyline code ever sees them
    private PredicateFunctionInterface eliminationPredicate =
        FunctionConstructor.construct(inputTypes[0], "name=\"Sheraton\"");

    public ElementDescriptor next() throws Exception {
        ...
        do {
            currElem = inputIterators[0].next();
        } while (currElem != null && eliminationPredicate.test(currElem));
        ... /* skyline code */ ...
    }
    ...
}
```
Multilevel Security Architecture
- Preventive measures
- Security measures during plan distribution
- Runtime security system
[Figure: the query processing pipeline (parse/lookup, optimize, plug, execute, with the lookup service) annotated with the labels "preventive measures", "quality assurance" and "query execution"]
Preventive Measures
- Optional, preventive step
- Goals – quality assurance
  - Verification of the semantics of the operator
  - Compare resource consumption with given cost models
  - Stress testing
- Results are digitally signed
Methods of Formal Specification
- Skyline – mathematical formula: {s|sS tS: ts ts}
- Skyline – Haskell:

```haskell
skyline :: [] -> []
skyline ss = skyline' ss ss
skyline' [] ts = []
skyline' (s:ss) ts = if dominated s ts then skyline' ss ts else s:skyline' ss ts
dominated s [] = False
dominated s (t:ts) = dominance t s || dominated s ts
dominance t s = (ts && ts)
```
Test Data Generation
- User-directed
  - Test data fulfill preconditions of operators
  - Test data meet the testers' strategies
- Features
  - Specification of attribute values
  - Functional dependencies between attributes
  - Relationships between relations
  - Control over the order of the tuples
The OperatorCheck Server
- Benchmark test
  - Different sizes of input data
  - Resource consumption is measured
  - Results are compared to cost models (MathML)
- Correctness test
  - Verifies the semantics of operators
  - Black box testing
  - Haskell program as oracle
  - Different result comparison semantics
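An added example (not the authors' OperatorCheck code) of the correctness test described here, written in Python instead of Haskell: an oracle that restates the slide's skyline definition, an operator under test, the "wrong semantics" operator from the attack slide, and three result comparison semantics. The hotel relation, the two-dimensional dominance (lower price and lower distance are better) and the names of the comparison semantics are assumptions.

```python
from collections import Counter

# Constructed sample relation: (name, price per night, distance to beach in km);
# lower is better in both numeric dimensions (assumption matching the slide's query).
HOTELS = [
    ("Sheraton", 120, 0.3),
    ("Overpriced", 150, 0.5),    # dominated by Sheraton
    ("Budget Inn", 40, 2.5),
    ("Far & Pricey", 100, 3.0),  # dominated by Budget Inn
    ("Sea View", 90, 0.5),
    ("Grand", 200, 0.1),
    ("Hostel", 30, 4.0),
    ("Twin", 60, 1.0),
    ("Twin", 60, 1.0),           # exact duplicate: bag and set semantics differ here
]

def dominates(t, s):
    """t dominates s: no worse in every dimension, strictly better in at least one."""
    return t[1] <= s[1] and t[2] <= s[2] and (t[1] < s[1] or t[2] < s[2])

def skyline_oracle(rows):
    """Executable specification in the style of the Haskell oracle:
    keep s iff no tuple of the input dominates it (input order preserved)."""
    return [s for s in rows if not any(dominates(t, s) for t in rows)]

def skyline_operator(rows):
    """Operator under test: sort-filter skyline. Sorted by (price, distance),
    every dominator precedes what it dominates, so one pass over a window of
    survivors suffices. Same tuples as the oracle, but in a different order."""
    window = []
    for s in sorted(rows, key=lambda r: (r[1], r[2])):
        if not any(dominates(t, s) for t in window):
            window.append(s)
    return window

def skyline_tampered(rows):
    """The slide's 'wrong semantics' attack: a hidden filter drops one
    competitor before the otherwise correct skyline code runs."""
    return skyline_operator([r for r in rows if r[0] != "Sheraton"])

# Result comparison semantics offered by the correctness test (names assumed).
COMPARE = {
    "ordered": lambda got, exp: got == exp,
    "bag": lambda got, exp: Counter(got) == Counter(exp),
    "set": lambda got, exp: set(got) == set(exp),
}

def correctness_test(operator, rows, semantics="bag"):
    """Black-box test: run operator and oracle on the same test data, compare
    under the chosen semantics. Returns (passed, missing tuples, extra tuples)."""
    got, expected = operator(rows), skyline_oracle(rows)
    missing = list((Counter(expected) - Counter(got)).elements())
    extra = list((Counter(got) - Counter(expected)).elements())
    return COMPARE[semantics](got, expected), missing, extra
```

The honest operator passes under bag and set semantics but fails the ordered comparison, while the tampered operator fails under all three with "Sheraton" reported as missing.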
Architecture of OperatorCheck
[Figure: the OperatorCheck server takes a test operator, a Haskell specification and a description of the test data; it generates test data (which can be saved and loaded again), generates the Haskell program and the query plan, consults the oracle (a Haskell interpreter) and executes the query in the ObjectGlobe query engine, analyses the results and generates a signature for the test results]
- input: test operator, Haskell specification, description of test data
- output: digitally signed test results
Online demo: http://www.db.fmi.uni-passau.de/projects/OG/OnlineDemo/operatorcheck.phtml
Advantages/Limitations
- Advantages
  - Improvement of trust
  - Resource stability
  - More reliable query execution
  - Continuously available cycle providers
  - Better result quality
  - ObjectGlobe can renounce runtime monitoring
- Limitations
  - Correctness cannot be proved
  - Results depend on the intuition of the testers
  - Further security measures necessary
Measures during Plan Distribution
- Setup of secure communication channels using SSL and/or TLS
- Authentication of communication partners
- Authentication of users
- Authorization
- Admission control
Runtime Security System
- Based on
  - Java's security architecture
  - Native library
- Tasks
  - Guarantee privacy
  - Protection of cycle providers
- Guarding
- Monitoring
Guarding
- Prevention of unauthorized resource access
  - Access to temporary memory
- Prevention of access to ObjectGlobe components
- Isolation of user-defined operators
Monitoring
- Monitored resources
  - CPU
  - Primary and secondary memory
  - Data volume produced by operators
  - Number of temporary files
- Dynamically adapted limits
- Operators are terminated upon limit violations
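An added example (not ObjectGlobe's native monitoring library) of the monitoring idea on this slide, in Python: an operator is driven through the open/next protocol under CPU-time and primary-memory limits that a CPU-time interval timer samples, and the resource-monopolizing open() from the earlier attack slide is terminated on violation. The Scan and Monopolizer operators, the limit values, the use of a Unix signal timer and tracemalloc are assumptions; output data volume and temporary-file counting are not covered.

```python
import signal
import time
import tracemalloc

class ResourceViolation(Exception):
    """Raised inside the operator to terminate it when a limit is exceeded."""

class OperatorMonitor:
    """Drives an operator through open/next under CPU-time and memory limits that
    a CPU-time interval timer samples; the handler aborts the operator from inside
    its own code, so even an open() that never returns is terminated."""
    def __init__(self, cpu_seconds, memory_bytes):
        self.cpu_limit, self.mem_limit = cpu_seconds, memory_bytes
        self.results, self.armed = [], False

    def _check(self, signum, frame):
        if not self.armed: return   # stale tick delivered after run() finished
        cpu_used = time.process_time() - self.cpu_start
        mem_used = tracemalloc.get_traced_memory()[0]   # bytes currently allocated
        if cpu_used > self.cpu_limit:
            raise ResourceViolation(f"CPU {cpu_used:.2f}s > {self.cpu_limit}s")
        if mem_used > self.mem_limit:
            raise ResourceViolation(f"memory {mem_used} B > {self.mem_limit} B")

    def run(self, operator):
        """Main thread only. Returns (status, rows), status 'ok' or 'terminated: <why>'."""
        self.results, self.armed = [], True
        tracemalloc.start()
        self.cpu_start = time.process_time()
        previous = signal.signal(signal.SIGVTALRM, self._check)
        signal.setitimer(signal.ITIMER_VIRTUAL, 0.01, 0.01)  # every 10 ms of CPU time
        try:
            operator.open()
            while (row := operator.next()) is not None:
                self.results.append(row)
            return "ok", self.results
        except ResourceViolation as e:
            return f"terminated: {e}", self.results
        finally:
            self.armed = False
            signal.setitimer(signal.ITIMER_VIRTUAL, 0, 0)
            signal.signal(signal.SIGVTALRM, previous)
            tracemalloc.stop()

class Scan:
    """Well-behaved operator (assumed): emits constructed input rows one at a time."""
    def __init__(self, rows): self.rows = rows
    def open(self): self.it = iter(self.rows)
    def next(self): return next(self.it, None)

class Monopolizer(Scan):
    """The slide's attack: open() allocates without bound and never returns."""
    def open(self):
        hoard = []
        while True: hoard.append(object())
```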
Related Work
- Extensible database systems: POSTGRES, Predator, Jaguar, Oracle, DB2
- Braumandl et al.: ObjectGlobe: Ubiquitous Query Processing on the Internet, VLDBJ 2001
- Seshadri et al.: Secure and Portable Database Extensibility, SIGMOD 1998
- Dalton et al.: An Operating System Approach to Securing E-Services, Communications of the ACM, 2001
- Weikum: The Web in 2010: Challenges and Opportunities for Database Research, Springer, 2001
Conclusions
- Security requirements of cycle providers and users
- ObjectGlobe as an example
- Multilevel security architecture
  - OperatorCheck server
  - Measures during plan distribution
  - Runtime security system