Abstract
The cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services in different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web services do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that allows each domain to define its own IFC policies while preventing undesired information leakage (IFC policy violation) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record the dependency list for each data object. The system, upon receiving an access request to a critical data object, not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service-based systems.
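The dependency-list check described in the abstract can be sketched as follows. This is an added illustration, not code from the paper or from WS-AIFC; the class and function names, the hospital/lab/analytics scenario and the deny-when-no-policy default are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    domain: str  # domain that owns the upstream data
    data: str    # name of the upstream data object

@dataclass
class DataObject:
    name: str
    domain: str                    # domain hosting this object
    readers: frozenset             # conventional ACL: subjects allowed direct access
    deps: frozenset = frozenset()  # dependency list: every Source this object derives from

def derive(name, domain, readers, inputs):
    """Build an object computed from `inputs`, carrying their dependencies forward."""
    deps = set()
    for obj in inputs:
        deps.add(Source(obj.domain, obj.name))
        deps |= obj.deps
    return DataObject(name, domain, frozenset(readers), frozenset(deps))

def check_access(subject, subject_domain, obj, ifc_policies):
    """Return (allowed, reason): ACL check first, then one IFC check per dependency."""
    if subject not in obj.readers:
        return False, f"access control policy of {obj.domain}"
    for src in sorted(obj.deps, key=lambda s: (s.domain, s.data)):
        policy = ifc_policies.get(src.domain)
        # Assumption: a domain with no registered policy denies the flow.
        if policy is None or not policy(subject_domain, src.data):
            return False, f"IFC policy of {src.domain} for {src.data}"
    return True, "ok"

# Constructed scenario: hospital -> lab -> analytics composite service.
record = DataObject("patient_record", "hospital", frozenset({"dr_kim"}))
report = derive("lab_report", "lab", {"tech_lee"}, [record])
summary = derive("summary", "analytics", {"alice", "bob"}, [report])

IFC_POLICIES = {
    # hospital: patient_record may only reach the hospital and lab domains
    "hospital": lambda dom, data: dom in {"hospital", "lab"},
    # lab: no restriction on where lab_report flows
    "lab": lambda dom, data: True,
}

if __name__ == "__main__":
    print(check_access("alice", "insurer", summary, IFC_POLICIES))
    print(check_access("bob", "lab", summary, IFC_POLICIES))
    print(check_access("eve", "lab", summary, IFC_POLICIES))
```

Here `alice` passes the analytics domain's own access control list but is still refused, because the hospital's policy forbids `patient_record` from reaching the insurer domain even indirectly.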
Original language | English (US) |
---|---|
Title of host publication | Proceedings - International Computer Software and Applications Conference |
Publisher | IEEE Computer Society |
Pages | 60-67 |
Number of pages | 8 |
Volume | 1 |
ISBN (Print) | 9781467365635 |
DOIs | 10.1109/COMPSAC.2015.195 |
State | Published - Sep 21 2015 |
Event | 2015 IEEE 39th Annual Computer Software and Applications Conference - Stephen S. Yau Academic Symposium, COMPSAC 2015 - Taichung, Taiwan, Province of China. Duration: Jul 1 2015 → Jul 5 2015 |
Other
Other | 2015 IEEE 39th Annual Computer Software and Applications Conference - Stephen S. Yau Academic Symposium, COMPSAC 2015 |
---|---|
Country | Taiwan, Province of China |
City | Taichung |
Period | 7/1/15 → 7/5/15 |
Keywords
- Access control
- Data dependency
- Information flow control
- Service-based systems
ASJC Scopus subject areas
- Computer Science Applications
- Software
Cite this
An access and information flow control paradigm for secure information sharing in service-based systems. / Solanki, Nidhiben; Hoffman, Timothy; Yen, I. Ling; Bastani, Farokh; Yau, Sik-Sang.
Proceedings - International Computer Software and Applications Conference. Vol. 1 IEEE Computer Society, 2015. p. 60-67 7273293.
Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - An access and information flow control paradigm for secure information sharing in service-based systems
AU - Solanki, Nidhiben
AU - Hoffman, Timothy
AU - Yen, I. Ling
AU - Bastani, Farokh
AU - Yau, Sik-Sang
PY - 2015/9/21
Y1 - 2015/9/21
KW - Access control
KW - Data dependency
KW - Information flow control
KW - Service-based systems
UR - http://www.scopus.com/inward/record.url?scp=84962469633&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84962469633&partnerID=8YFLogxK
U2 - 10.1109/COMPSAC.2015.195
DO - 10.1109/COMPSAC.2015.195
M3 - Conference contribution
AN - SCOPUS:84962469633
SN - 9781467365635
VL - 1
SP - 60
EP - 67
BT - Proceedings - International Computer Software and Applications Conference
PB - IEEE Computer Society
ER -